zukota.com Some little technical blog

Sierra Wireless EM7345: Who’s spying on us?

3 min read zukota EM7345

Quite a long time ago, I found an interesting AT command for Sierra Wireless EM7345. The command is “AT+XCIQ”. There’s the following text string in EM7345 firmware file (it is present in any version so far): +XCIQ CIQ: Carrier IQ enable/disable.

Let’s try to get “help” about this command:

AT+XCIQ=?
+XCIQ: (0-1)
 
OK

So, we can suppose that 0 disables this Carrier IQ feature, and 1 enables it.

Let’s read the current setting of this feature:

AT+XCIQ?
+XCIQ: 1
 
OK

Looks like it’s on by default. Let’s try to switch it off?

If you’re running firmware earlier than 1522.02, don’t enter the following command!

If we try to enter:

AT+XCIQ=0

i.e try to disable Carrier IQ, EM7345 will have a fatal crash and reboot into boot flashing mode and it will be stuck there for good. Symptoms will be exactly as I described in my previous post, and you would need to unbrick it using the method I described in the same post: https://zukota.com/how-to-revive-your-bricked-sierra-wireless-em7345/

So, Carrier IQ is always on and if you try to turn it off using the above AT command, that will kill the device!

With firmware version 1522.02, AT+XCIQ=0 returns OK and there’s no fatal crash like in previous firmware versions. Also AT+XCIQ now accepts 3 possible values with 1522.02 firmware:

AT+XCIQ=?
+XCIQ: (0-2)

OK

So, 0 must be disable, 1 enable, and what is 2? Any value gets OK response and there’s no any error. Can Carrier IQ be really disabled or enabled using the above values? Who knows… If you don’t know what Carrier IQ is, fear and read:

Carrier IQ and Your Phone: Everything You Need to Know

Carrier IQ Tracking Scandal Spirals Out of Control

There’s not much in the news now, all seems quiet, but they definitely are looking for more stealthie ways to do their dirty business. At first, it used to be just an app in your Android phone, though using some stealth techniques, but still an ordinary app. You could block, patch, firewall, sniff, analyze it to any of your like.

But now, it is not in your phone, now it is sitting at the very firmware of your LTE device, it can analyze your internet traffic, extract your passwords and private data, do man in the middle attacks, report back home and whatever they want. Looking at the firmware dump file and the strings, one can say that there’s a complete TCP/IP stack implemeted and it is functioning on its own, independently from your OS and firewall.

And it’s perfectly undetectable, if, for example, they put someting like this in your Ethernet card or router, it can be detected on the next router where the traffic is going thru. But in our case, where are you gonna sniff packets generated by EM7345? That can be done only on a cellular carrier’s network equipment, and no one has access to that… except cellular carriers themselves.

If we take a look in a HEX editor at the EM7345 firmware file, version 1522 (and all previous versions as well) we can find the following:

We can see that firmware was compiled with “metrics_client_ciq.lib”, “metrics_engine.lib”, “metrics_client_em.lib” libraries. And I wonder what “metrics” are being sent to Carrier IQ from my Lenovo laptop? If you do just a trivial text search for “Carrier IQ” or “ciq” in the EM7345 firmware file, you will find a plenty of strings that speak of itself: we can definitely say that Carrier IQ functionalty is active and working in all EM7345 devices.

So who’s spying on us when we go online using an ultra-fast LTE network? Whose decision was it to embed this dreaded Carrier IQ into EM7345 firmware? The truth is out there. Use your brain and take care.