iPhone bug allows stolen phones to receive iMessages even after remote wipe
ArsTechnica looked into the matter earlier this week after a reader reported experiencing the issue.
According to the report, a stolen iPhone 4S continued to receive the reader's wife's iMessages after the couple had deactivated the device with the carrier and remote wiped it. The contraband handset had even been resold and activated under a new number.
Apple released iMessage as part of iOS 5 in October. The service, which allows for free messaging between iOS users, has been much discussed because it poses a threat to wireless carriers' SMS revenues.
The issue does not appear to be an isolated incident, as multiple support threads (1, 2) on Apple's website have cropped up regarding the problem. Some users suggested that wiping an iPhone when the original SIM card is still in the device won't result in a clean reset, thereby allowing the iMessage feature to reactivate when the phone is restored.
Apple has yet to respond to a request for comment, but report author Jacqui Cheng did speak with iOS security expert Jonathan Zdziarski about the bug.
"I can only speculate, but I can see this being plausible," he said. "iMessage registers with the subscriber's phone number from the SIM, so let's say you restore the phone, it will still read the phone number from the SIM. I suppose if you change the SIM out after the phone has been configured, the old number might be cached somewhere either on the phone or on Apple's servers with the UDID of the phone."
One user experiencing the issue claimed to have resolved it by canceling his old Apple ID completely, but the solution would be unacceptable to most customers, as it entails abandoning any iTunes and App Store purchases tied to the account.
Twitter user Kim Hunter told the publication that a representative from Apple's security unit had denied that it was a security problem, offering the relatively unhelpful solution of turning iMessage off on the offending device.
Apple has experienced minor issues with several of its new product rollouts this fall. iCloud, for instance, has been subject to intermittent outages. The company is also working on a software fix for battery life in iOS 5 after an initial fix failed to completely resolve the issue.
Most recently, the international iTunes Match launch got off to a false start on Wednesday ahead of its official release on Thursday.
24 Comments
Welp, fix in 5.1, then.
I think the two biggest concerns with Find my stolen iPad and iPhone are: 1. When you initiate a message to the device you get an e-mail explaining what you did, but the device in question also receives the same e-mail. That's just dumb. Apple should figure out a solution to that. 2. All the person has to do is remove your iCloud account from the device with s few taps and you're out of luck.
I'd like to have a remote self district option, just a small chunk of C4 surely doesn't weigh much
I that a bug or a benefit? I'd be like, yeah, you stole my iPhone, but I will HAUNT YOU FOREVER. Now give it back.
All the person has to do is remove your iCloud account from the device with s few taps and you're out of luck.
You can enable Restrictions within Parental Controls to "lock" changes to accounts or location services. Someone would have to know your 4 digit Restrictions password to disable Find my iPhone. That should buy you enough time to locate/wipe the device.
I will be interested in Apple's answer as to why devices that are remote wiped still receive iMessages meant for the original owner, however.