Port 2479: SecurSight SSL Event Logging — An Obscure Assignment with a Famous Moment

What Port 2479 Is

Port 2479 is officially registered with IANA under the service name ssm-els — SecurSight Event Logging Server (SSL). It was submitted by Security Dynamics Technologies, the company behind the SecurSight enterprise security suite, which integrated RSA cryptography and public-key infrastructure for secure remote access, single sign-on, and audit logging.

The port handles SSL-encrypted event log transmission from SecurSight agents to a central logging server. Both TCP and UDP are registered. In practice, this product line was absorbed into RSA Security's portfolio, and port 2479 became one of those quiet corner registrations that nobody uses and nobody thinks about.

Until HTC.

The Carrier IQ Episode

In late 2011, a security researcher named Trevor Eckhart published findings showing that Carrier IQ software — a carrier telemetry framework embedded in millions of smartphones — was logging far more than carriers claimed: keystrokes, SMS content, location data, URLs. The story exploded. Congressional inquiries followed. The FTC got involved.

HTC was among the affected manufacturers. Their implementation used a service called IQRD — a Carrier IQ porting layer built into several HTC Android phones including the EVO 4G, EVO 3D, EVO View 4G, and Vivid.

The vulnerability was this: IQRD listened on TCP port 2479. It was supposed to be localhost-only. It wasn't restricted. Any application holding the standard android.permission.INTERNET permission could connect to it and:

• Send SMS messages as the device owner¹
• Retrieve the Network Access Identifier (NAI) and its password
• Trigger arbitrary popup dialogs
• Play tones

This became CVE-2012-2217.² The flaw wasn't subtle — it was a service that forgot to check who was calling.

HTC issued over-the-air patches for most affected devices (the HTC Hero was left unpatched). The affected firmware versions were replaced, and the port went quiet again.

What Range This Port Belongs To

Port 2479 sits in the registered port range (1024–49151). These ports are:

• Not reserved for operating system use (unlike well-known ports 0–1023)
• Registered with IANA by organizations for specific applications
• Not enforced — any application can use any registered port; registration is documentation, not a lock

The registered range contains tens of thousands of ports. Most are assigned to products that no longer exist, services that never shipped, or software nobody runs anymore. Port 2479 belongs to that category — officially claimed, practically dormant.

What to Do If You See Port 2479 Open

If you find port 2479 listening on a system you manage, it's almost certainly not SecurSight. More likely candidates:

• A misconfigured application that happened to pick this port
• Legacy software using it informally
• On very old Android devices: IQRD (no longer relevant)

To identify what's using it:

Linux / macOS:

# Show what process owns port 2479
sudo ss -tlnp | grep 2479
# or
sudo lsof -i :2479

Windows:

netstat -ano | findstr :2479
# Then look up the PID:
tasklist | findstr <PID>

macOS (Activity Monitor alternative):

sudo lsof -nP -iTCP:2479 -sTCP:LISTEN

If something is listening there and you don't know what it is, that's worth investigating before dismissing.