Report
Terrifying tales have surfaced recently of unsuspecting iPhone users that have had their private conversations swiped by thieves or intercepted by accident, and through our own independent test we've confirmed the issue and at least one way it could arise — but, to be clear, that doesn't mean you should hit the panic button.
Stories about a potential iMessages bug swirled after users started to report on the issue in forums — one user in a MacRumors thread said that after having their iPhone stolen, their iMessages were still being intercepted by the thief despite a remote wipe. In December, Ars Technica reported that one of their readers had befallen a similar fate. And recently, Gizmodo intercepted a bunch of private communications from an Apple store employee after taking an iPhone 4 in for repairs.
Apple representative Natalie Harrison tells us that the problem in the Gizmodo case is not a bug with iMessage, but rather a rare situation in which a retail employee broke protocol and used their personal SIM to help a customer that didn't have a working SIM. But what about those who have their iPhones or SIMs stolen? The issue may not be a catastrophic "bug," but it's certainly a reproducible exploit. So here's what you need to know.
With the iPhones of our own Ross Miller, Patrick Austin, and Chris Welch as test subjects, we've successfully reproduced the iMessage issue. This can be done with any SIM-equipped iPhone at any time, but the process is imperfect and time-consuming.
For this test, we used three carrier-locked iPhones — henceforth described simply as the Victim (the original iPhone), the Spy (the conversation-scraping iPhone), and the Bystander (a garrulous third party).
First, make sure iMessage is set up on all phones. From the Settings → iMessage window, you should see the phone number listed and grayed out. As a note, iMessage is a substitute for SMS; when iMessage is enabled, the iPhone sends iMessages instead of SMS, and vice-versa.
Now, take out the Victim's SIM card and put it in the Spy's iPhone. On the Victim's phone you'll get a "No SIM installed" pop-up and the Settings → Phone menu will be inaccessible, but sure enough, the phone number will still be listed under iMessage.

The Spy's phone, however — now containing the Victim's SIM card — will attempt to verify said card. This will take several minutes, but the process can be expedited by turning the phone off and on. The same phone number will then be connected to both iPhones, despite having different Apple IDs. You can put the Victim's SIM card back in his or her phone or simply toss it away.
From the Bystander's iPhone (with iMessage on — it doesn't happen otherwise), send a message to the Victim's phone number. Both the Victim and the Spy will get it, despite only one of them having a SIM card. If either iPhone responds, both will see it come up as a "sent" message. The SIM-less iPhone can intercept (and even join in) all of someone else's iMessage conversations without any signs of intrusion. It'll look as if your phone is possessed.
If the Victim turns off iMessage, it would only serve to cut them out of the loop. The Bystander's phone would still detect iMessage to be working (via the Spy's phone), and would send iMessages to the Spy's phone that the Victim won't be able to see.
As the Victim

When we remote wiped the Victim's iPhone, iMessages was disabled, but only when the SIM was removed. If the SIM is still in the phone, as may be the case in a scenario where the phone is stolen, iMessages can still be reactivated, but only if that SIM is still valid. Therefore, if you're the Victim, your best bet is to perform a remote wipe and then immediately deactivate the old SIM card — after our own test, we've confirmed that this method will invalidate the old SIM, clear the phone, and prevent it from being reactivated with your phone number.
As the Spy
This whole issue stems from the phone number staying tied to the phone's iMessage service even after ejection. The iPhone itself clearly knows the SIM is missing, as exhibited by the disabled Phone settings. If, however, you have the SIM-less iPhone and you're tired of invading someone else's privacy, popping in another SIM card or even just turning iMessage off and on should sever ties completely.
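The behaviour described in this report can be modelled in a few lines. The following is an added example, not code from the original article or from Apple: the `Directory` class, its method names, the `revoke_on_eject` policy and the sample number are all assumptions made for illustration. It replays the SIM swap from the test under a "sticky" policy (a number stays bound to a device after the SIM leaves) and under a policy that drops the binding on ejection, and it includes an audit that flags devices still bound to a number they no longer hold a SIM for.

```python
from dataclasses import dataclass, field
from typing import Optional

NUMBER = "+1-555-0100"  # constructed sample number, not a real subscriber


@dataclass
class Device:
    name: str
    sim_number: Optional[str] = None          # number of the SIM currently inserted
    inbox: list = field(default_factory=list)


class Directory:
    """Hypothetical lookup service: phone number -> devices that receive its messages."""

    def __init__(self, revoke_on_eject):
        self.revoke_on_eject = revoke_on_eject  # False models the behaviour in the report
        self.holders = {}                       # number -> set of device names
        self.devices = {}                       # device name -> Device

    def enroll(self, name):
        self.devices[name] = Device(name)
        return self.devices[name]

    def insert_sim(self, device, number):
        # Verifying a SIM binds its number to the device it sits in.
        device.sim_number = number
        self.holders.setdefault(number, set()).add(device.name)

    def eject_sim(self, device):
        number, device.sim_number = device.sim_number, None
        if self.revoke_on_eject and number is not None:
            self.holders.get(number, set()).discard(device.name)
        return number

    def turn_off(self, device):
        # Switching the messaging service off removes only this device's bindings.
        for names in self.holders.values():
            names.discard(device.name)

    def send(self, number, text):
        # Every device bound to the number gets a copy.
        recipients = sorted(self.holders.get(number, ()))
        for name in recipients:
            self.devices[name].inbox.append(text)
        return recipients

    def stale_bindings(self):
        # Audit: devices bound to a number whose SIM is not currently in them.
        return sorted(
            (number, name)
            for number, names in self.holders.items()
            for name in names
            if self.devices[name].sim_number != number
        )


def run_scenario(revoke_on_eject):
    """Replay the swap: Victim's SIM visits the Spy's phone, then goes back."""
    d = Directory(revoke_on_eject)
    victim, spy = d.enroll("Victim"), d.enroll("Spy")
    d.insert_sim(victim, NUMBER)
    sim = d.eject_sim(victim)      # SIM taken out of the Victim's phone
    d.insert_sim(spy, sim)         # Spy's phone verifies the SIM
    sim = d.eject_sim(spy)
    d.insert_sim(victim, sim)      # SIM returned to the Victim
    after_swap = d.send(NUMBER, "hello from the Bystander")
    stale = d.stale_bindings()
    d.turn_off(victim)             # Victim disables the service
    victim_off = d.send(NUMBER, "are you there?")
    return {"after_swap": after_swap, "stale": stale, "victim_off": victim_off}


if __name__ == "__main__":
    print("sticky bindings: ", run_scenario(revoke_on_eject=False))
    print("revoke on eject: ", run_scenario(revoke_on_eject=True))
```

Under the sticky policy the audit is the only place the extra recipient becomes visible, which matches the report's observation that there are no signs of intrusion on the Victim's phone.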
We've recreated all this in a controlled environment, but that doesn't necessarily mean it will come up in a real-world setting — the biggest danger here is that someone might swipe your SIM card, slap it in a spare iPhone, put it back in your iPhone after verification, and then monitor all of your conversations without you ever knowing. And since this all takes place on the physical level, your messages can be swiped even if your phone is passcode locked. And what if your phone is stolen? In that case, you can always default to normal panic mode, which is the same on all platforms.
Of course, if someone ever does get their hands on your iPhone, there's a whole host of other nefarious things that they could do besides swipe your SIM card — so the issue might not deserve some of the hysteria we've seen across the web, but it's also clearly a risk that Apple needs to address. Until then, it's just one more reason to think twice the next time you consider leaving your iPhone unattended at the bar.
Ross Miller contributed his words, time, and sense of privacy to this report. Special thanks to Patrick Austin, Chris Welch, David Pierce, and Michael Shane, as well.
Comments
My poor iPhone was flashy-thinged so many times for this report it doesn’t remember its own birthday :(
Ross Miller - February 3, 2012
T.C. Sottek - February 3, 2012
It’s the damndest thing. No matter how many minutes pass… I’ve only ever seem to see that GIF play once.
Ross Miller - February 3, 2012
Oh cool! a Men in Black gif!
Pobregizmo - February 3, 2012
Oh cool! a Men in Black gif!
…..
Oh cool! a Men in Black gif!
…..
Oh cool! a Men in Black gif!
…..
Oh cool! a Men in Black gif!
…..
djuniversal - February 5, 2012
iMessage. The new way for Apple to end relationships.
photograph - February 3, 2012
I’m glad Google is taking my security and privacy seriously.
I’m sorry I can’t say the same for anyone else out there…
I guess that’s one of the differences between Apple and Google (read designers and engineers). The former goes, “wow, this would work so beautifully!”, while the latter would go “wow, this would be so easy to break!”.
Ariel Horwitz - February 3, 2012
Yah, because the company that uses your browsing habits and the contents of your email to sell distribute targeted advertising is far more likely to respect your privacy than the company that sells you physical products… Right.
jonmilani - February 3, 2012
At least with Google I see ads for things I might actually want.
isantop - February 3, 2012
Apple just tells me what I want.
jonbruck - February 3, 2012
But I do enjoy it so!
meesebyte - February 3, 2012
Suggest you refrain from enjoying too much being told what to do by organisations running after your money. That’s all what I am saying.
MrLos - February 4, 2012
Not all of us are scientologists.
tywannabe - February 5, 2012
Why is it so hard to wrap your head around the concept that Google makes money off of personalized advertising and might actually value your privacy at the same time? Do you even know how Google’s ads work? Did you know that advertisers don’t get access to your identifying information, or are you just spewing out the kind of BS you can find in this video? http://www.youtube.com/watch?v=oNofb-OlZyQ
Whatever the likelihood you believe there is that Google is not respecting my privacy, the fact is that I find Google the most trustworthy corporation out there at the moment.
Yeah, that’s right. I said it. I’m one of those that actually believe that Google is NOT EVIL. In fact, I don’t believe MS or Apple are evil. I believe corporations are big grown ups that understand the value of customer trust and actually give a s**t. But you’re welcome to join all the conspiracy theorists about big brother and evil corporations and we’re just pigs in a free barn waiting to be butchered and sold, and have as much fun as you want.
I was pointing out that as far as privacy concerns, I personally believe Google is doing best in practice. And here this story is just one more confirmation, that’s all.
Ariel Horwitz - February 3, 2012
Great. No edit button. I take back calling you out on spewing BS. However, I’ve seen enough of your argument that I wouldn’t be surprised if the conversation went on that you would start spewing out misinformed BS.
Ariel Horwitz - February 3, 2012
I think you need to relax.
You don’t know me and, evidently, you have no idea about the crux of my argument. More importantly, Google and Apple aren’t your friends so don’t pretend to be offended by a difference of opinion about how said companies operate.
Google monetizes private data; it is, by virtue of its existence, pushing the boundaries of privacy. This is both a technical and a philosophical argument. It doesn’t mean that Google is abusive or reckless with the data; however, collecting and monetizing that data is inherently invasive.
I have no doubt Google respects privacy insofar as the law requires them to do so (which is why I use Google products). They may even go above and beyond what the law requires in the interest of maintaining consumer trust (although I don’t believe this is the case).
But to make the assertion that a company that deals with private data (Google) is absolutely more respectful of privacy than a company that does not (Apple) is nonsensical and illogical. Google has to be less respectful of privacy because it is using private data and pushing the boundaries of privacy.
Re-read your original comment and recognize your bias toward Google:
This is a sloppy and trollish oversimplification on your part. Before you accuse me of “spewing out misinformed BS” perhaps you should be mindful of your own words.
More importantly, you seem not to understand the ethical definitions of privacy. I recommend you review those definitions and maybe then you will understand my point. In either case, please relax. You don’t need to be vitriolic simply because I have a different opinion about Google and privacy.
jonmilani - February 3, 2012
You’re absolutely welcome to have whatever opinion you wish.
There are people who tend to believe that they understand what the intentions of a corporation are (whatever that is…) and make consequential statements regarding them.
I, on the other hand, do not believe it is so simple to understand such a thing – it is far too complex for commenters on tech sites to assume, and therefore, I specifically said that “I guess” when stating what I believe these intentions are regarding Google. No, not bias, simply my guess based on my observation. I do not guarantee I am correct. Yes, my guesses can be sloppy. I’m glad you have an opinion on my opinion. I am not offended.
I have a problem with how you assume that collecting and monetizing private data is inherently invasive.
First of all, how is monetizing something you already collected any more invasive? If there is an answer to this, please apply it to Google’s case.
Second, assuming monetization is out of the equation, I do not believe that collecting personal data is inherently invasive. Suppose you enter my home, which has a surveillance camera installed, and you are filmed. Am I invading your privacy? What if I let you know in advance and had you sign an agreement that you understand that I am filming the interior of my home?
Google is not “collecting” data. It is simply receiving the data its users are entering. It has you agree to terms of service. If they are breaking terms of service, please direct me to a source and it will most definitely affect my observations of Google. You have to trust Google in the first place to use their services. That much is obvious.
However, what you are talking about is not “inherently invasive”. Nobody is invading anything. Okay? What you are talking about is building trust between Google and an end user. Or between Apple and an end user. I don’t know if this article demonstrates that Apple broke any terms of service it laid out prior to selling an iPhone, however I don’t care, because breaking terms of service is not what we’re discussing.
I feel that Google maintains excellent trust with end users. Apple generally does too, however this article demonstrates how this trust has been somewhat disturbed with a small amount of Apple’s end users. My observations (however misled they may be), based on this story and many many many more regarding both Apple and Google, have led me to trust Google more than Apple. Each can feel however they wish regarding their trust with any particular person or corporation. I try explaining this with a sloppy guess that you don’t like, but whatever.
Also, please don’t tell me that Apple does not deal with private data. Did you read the article you’re commenting on? Apple’s products are used to transmit and receive private data via their servers. Hence, I can be very sensical and logical in telling you that Google respects my privacy more than Apple does. That’s just how much I trust them.
You, for some reason, cannot realize this.
My excited reply may reflect the fact that I’ve seen many people that miss all (or most of) the above mentioned points. In your case, by trying to calculate odds on a corporation’s privacy concerns based on how the corporation in question makes most of its money (selling hardware or ads).
Again, you may not trust Google, and you may trust Apple. That’s up to you. But don’t tell me I’m being nonsensical and illogical because Apple slips up with regards to privacy (very seriously I might add) and pointing out that it adds to a list of my observations that I trust other companies more with my privacy.
Ariel Horwitz - February 3, 2012
And this is why we can’t continue our discussion. We simply don’t agree about the nature of privacy.
jonmilani - February 3, 2012
Well thank you for linking to a gigantic article discussing every major opinion of privacy, without actually stating which one you agree with. Perhaps if you defined your point more clearly, we could have a discussion that consists of more than vague references and obtuse opinions.
Mike10010100 - February 4, 2012
P.S.
Perhaps I’m not familiar enough with the law in the USA or where I live, but Google goes FAR FAR beyond what the law requires them to regarding privacy. I don’t think the law prohibits much other than not breaking terms of use and actual deliberate premeditated intrusion of one’s personal privacy (such as one’s home and communications).
If Google wanted to, they could add a bullet point to their privacy policy and terms of service (which nobody reads) saying that they will sell personal, identifying data to advertisers, and if the user agreed to it, they’re still fine by the law. I’m sure that would allow them to increase some profit margins – if advertisers could get their hands on personal dossiers… But we both know why Google doesn’t do that. Oh, wait, you don’t believe this.
Google goes out of their way to anonymize virtually all of the data that leaves Google servers to someone who is not the end user, not because the law requires them to, but because Google respects end users privacy because they want users to trust them.
Have you seen the kind of security they have in their data centers? http://www.youtube.com/watch?v=1SCZzgfdTBo
I’m pretty sure almost none of that is required by law, and I’m sure they could simply get insurance and not give a damn what happens with user information if someone manages to break in.
Just two examples off the top of my head. But whatever.
Ariel Horwitz - February 3, 2012
“Google monetizes private data; it is, by virtue of its existence, pushing the boundaries of privacy.”
First of all, nice set-up. You start by saying that monetizing private data pushes the boundaries of privacy. Good, and I can see how one would come to that conclusion, but the issue lies in you placing the blame on Google. You enter that data into the system under your own account, knowing that this information is going to a database that isn’t in your own home. You know for a fact that Google is generating ads so that you can continue to use this free service. Google takes every pain possible to make sure your data is secure and anonymized. In the end, however, you have to realize that if you’re freaking out about Google’s monetization of private data, you probably shouldn’t be signed up for cable TV, internet access through a major ISP, buying anything from Apple, or even posting on The Verge. Each of these institutions monetizes off of “private” data. Cable providers know user behavior (you think that cable box doesn’t send statistics back?) and ISPs can track your usage, history, and IP addresses. My point is that in asserting that Google is somehow MORE against privacy, you are showing your ignorance of exactly how many ways you can actually be tracked and are being sold to at this very minute.
“This is both a technical and a philosophical argument. It doesn’t mean that Google is abusive or reckless with the data; however, collecting and monetizing that data is inherently invasive.”
And it’s also necessary in maintaining long-term ability to host the website you’re using. It’s why websites kindly ask you to disable Ad-Block so they can make money off of eyeballs on their banner ads. Is it a philosophical argument? Yep! And a darn good one at that. But you’re focusing on such a narrow band when you can talk about the entire system of privacy (or lack thereof) in the modern age.
" They may even go above and beyond what the law requires in the interest of maintaining consumer trust (although I don’t believe this is the case)."
And here’s where we begin to see the bias creep in. No explanation on that part, just “I don’t believe”. Why, exactly?
“Google has to be less respectful of privacy because it is using private data and pushing the boundaries of privacy.”
(I skipped a sentence. I’ll get back to that in a moment)
In summary, tautological statement is tautological.
“But to make the assertion that a company that deals with private data (Google) is absolutely more respectful of privacy than a company that does not (Apple) is nonsensical and illogical.”
And….what exactly is your proof on how Apple does not deal with private data? Now that they’re hosting iCloud, they have just as much dealings with private data as Google. They provide iAds, with metrics to track user response, just like Google.
And shall we go over all of the privacy issues Apple has had in the past?
http://www.wired.com/gadgetlab/2011/04/apple-iphone-tracking/
http://www.foxnews.com/scitech/2011/08/17/skoreans-sue-apple-over-iphone-user-information/
http://www.pcmag.com/article2/0,2817,2388025,00.asp
http://venturebeat.com/2011/08/23/ios-5-udid-privacy/ (Up until iOS 5)
http://www.huffingtonpost.com/2011/10/12/apple-icloud-security-concenrs_n_1007708.html
It is my assertion, and one that you seemed to start to make before you tried to make Apple look better than Google, that when users start moving towards the cloud, they inherently give up a bit of their privacy for the convenience.
http://www.huffingtonpost.com/2011/10/12/apple-icloud-security-concenrs_n_1007708.html
Mike10010100 - February 4, 2012
And this is the problem, Mike. If you re-read my comments you’ll quickly realize that I’m not blaming Google for anything. In fact, I’m not even being critical of Google for monetizing private data. I’m glad Google has the business model that it does because it’s more economical for me, the conscious end user.
Your perception is fascinating to me. I have never stated my opinion of either company; I have not condemned, nor endorsed, either company’s business model, except insofar as to point out that one company is less respectful of privacy than the other.
My argument is simply that the company that collects and monetizes private data is necessarily less respectful of privacy than the company that does not collect and monetize private data. I’m not sure how this is in any way a controversial statement. I suspect that if LinkedIn and Motorola were put in place of Google and Apple, there would be no debate at all.
In any event, in the interest of putting this discussion to bed, this will be my final reply.
jonmilani - February 4, 2012
“I have never stated my opinion of either company;”
Sure you have, Jeff. Many times before.
“My argument is simply that the company that collects and monetizes private data is necessarily less respectful of privacy than the company that does not collect and monetize private data.”
And my assertion is that Apple collects and monetizes just as much data as Google, as do ISPs, TV cable providers, and many, many websites. Companies now have more ways than ever to learn about their customers, and they are at a fantastic rate.
You still have not stated whether or not you think that the user inherently agrees to losing some privacy by moving to the cloud.
Mike10010100 - February 4, 2012
You’re not Google’s customer. You are the product that Google sells to their customers.
Some people are OK with that. Others would much rather pay a little money rather than receiving a free service, and not have their info sold to advertisers.
That’s all.
n13 - February 4, 2012
At least they don’t use my browsing habits and the contents of my emails to distribute targeted advertising to other people.
theaolway - February 3, 2012
Put otherwise, Apple/design focuses on making the typical use scenarios as pleasant as possible, while Google/engineering focuses on making the worst-case scenarios as less unpleasant as possible.
To each his own priorities.
atimoshenko - February 4, 2012
Why does iMessage have anything to do with the SIM card to begin with?
emomac - February 3, 2012
because they use the phone number as the user name
trpt8ball - February 3, 2012
It registers your phone number in an Apple database as an “iMessage-capable number”.
When you put in someone’s number to send an SMS, your iPhone quickly cross references this database to see if the number is present. If it is, it switches to iMessage. If not, it sends SMS.
ryhei - February 3, 2012
Won’t simply changing your iTunes / iMessage account password solve the problem? I mean, the phone makes me log in with my password in order to turn iMessage on, so if that was changed on another phone or computer, won’t that simply disable the stolen phone from being linked to my account and seeing MY iMessages? Otherwise, what’s the point of forcing users to log in with their password when they turn iMessage on?
JRX16 - February 3, 2012
Nope.
This function actually has nothing to do with your iTunes account.
Rhonin - February 6, 2012
Actually it does. I register with my iTunes account, so obviously that’s the identifying info. Good idea, JRX, let’s see if it’s how this works
jayeshsharma - February 7, 2012
Furthermore, nice reporting guys.
ryhei - February 3, 2012
and still the question remains: how long until a) Apple acknowledges the issue and b) fixes it?
somnia - February 3, 2012
That’s what you get for using a SIM based authentication system….
gpmoo7 - February 3, 2012
Blackberry Messenger killer, eh Apple?
Elranzer - February 3, 2012
BlackBerry Messenger “killer” indeed.
MgnfcntMohok - February 3, 2012
“BlackBerry” Messenger killer indeed.
patbits - February 3, 2012
BlackBerry Messenger killer indeed"."
Tubamajuba - February 3, 2012
Blackberry Messenger is EXACTLY as freaking bad.
Case in point: our hospital gives us Blackberries for work, and my friend breaks his and has to get a new one. Since he loses all of his data (didn’t back anything up), I let him use my SD card to get a copy of our (common co-workers) address book.
His Blackberry TOOK OVER my BBM account. I lost all of my BBM links with my friends on my BBM, and he gained all of my links AND my username!
What I learned was that even though you share BBIDs for BBM, BBM keeps all of its user account and link data not in the cloud, but on the SD card.
In fact, it’s a very nifty parallel to what we have here.
elementary - February 3, 2012
I don’t see this as a non issue, that’s a damn easy way for someone to steal information.
I wonder if there is any way something like this could happen to what I consider the scariest piece of iPhone tech, that square that reads credit/debit cards.
Kingsix - February 3, 2012
Exactly. Yes, getting physical access to the phone means almost all security bets are off, but this is possibly one of the easiest covert surveillance exploits to perform. Definitely not a non-issue.
Mike10010100 - February 3, 2012
Which is why it’s virtually a non-issue. However…
Let’s also remember that this only works when the phone being exploited is texting to other iPhones. So a person who is both taking someone else’s SIM and then intentionally replacing the SIM, so as not to alert the mark, must be doing so with the intent to specifically intercept iPhone-to-iPhone conversations. Let’s try to imagine the scenarios where all of these pieces line up just so. It’s not that there isn’t any situation that could ever plausibly contain this action, but that they’re quite specific.
MayorBloomberg - February 3, 2012
I can think of so many scenarios where someone could exploit this… What if, simply, your girlfriend/wife, friend, mom, cousin, etc. wanted to spy or prank you? What if you left it in a shop to get it repaired and an employee did this? You’d have no idea.
JuanPerez - February 3, 2012
Agree.
If I remember correctly, this issue was brought up with a couple of the first incidences; a lady who had her iphone stolen, and a man who sold his on eBay.
Rhonin - February 6, 2012
So, your conclusion is that something is wrong but it doesn’t matter? Hmmm?
TheLoyalist - February 3, 2012
It does matter, but unlike a true “bug,” it’s not likely to affect a substantial number of users. Considering that someone would need physical access to the person’s phone, and because it’s a time-consuming process, it’s not a widely available exploit.
T.C. Sottek - February 3, 2012
It’s also very easily prevented by putting a PIN on your SIM card. Since the PIN is required before the iPhone can do anything with the SIM card — including reading the phone number — then if somebody “borrows” your SIM card and puts it into their iPhone, it can’t be used anyway.
Putting a PIN code on your SIM card is a good idea even regardless of the iMessage issues… If your iPhone were ever stolen, having somebody else intercept your iMessages may be the least of your worries compared to having them rack up a huge international long distance bill on your account.
jhollington - February 3, 2012
This should really be part of the article:
Settings → Phone → SIM PIN → (turn on SIM PIN)
Problem solved.
n13 - February 4, 2012
Do a bit of digging outside this article.
A pin won’t stop it
Changing your iTunes password won’t stop it
Remote wiping your phone won’t stop it….
Rhonin - February 6, 2012
I can see this problem getting exploited a lot in the high school age, when people like to dick around with each other. Someone is at a get together with friends, and leaves his phone somewhere and goes to the bathroom. Other people around steal their iMessage id, and start texting people, and the person whose phone/number they are using has no idea. This could cause amazing amounts of problems with high school age kids, just saying.
Another thing that is wrong with this is the fact that if you are someone who uses an iPhone and a dumbphone (no, not featurephone, straight up dumb phone) when you go camping or just plain go do something stupid that you don’t want your expensive device around for, you will not receive messages from anyone with an iPhone. I did a terrible job of explaining this part, but for example, if you take your SIM out of your iPhone and put it in a super old nokia bar phone, all messages sent to you will go as an iMessage instead of as a real SMS message that could make it to your Nokia. Depending on how long you are away, this could be a real issue if someone is trying to text you to get ahold of you, knowing that you will have spotty coverage.
Like, seriously? why not just have it only have the phone number when the actual SIM is in your device? Is this really so hard to do?
curtisas - February 3, 2012
Actually, if your iPhone is not reachable via iMessage, the sending phone should eventually fall back to sending the messages as an SMS, although that may sometimes take a few minutes.
This isn’t only an issue if you put your SIM card into another iPhone — it also occurs in scenarios where you’re simply out of data coverage but otherwise have cellular coverage, or if you’re roaming internationally.
jhollington - February 3, 2012
The best way to prevent this from ever really becoming a problem is to put a passcode lock (PIN) on your SIM card (see https://plus.google.com/u/0/113401878552316091712/posts/LL8qEp5nU4K).
If your SIM card is passcode locked, then even if somebody were to temporarily “borrow” your SIM card to put it into their own iPhone, it wouldn’t work, as they would need to enter the PIN to actually access the SIM card — iMessage wouldn’t register the new phone number without the PIN being entered, since the iPhone can’t even read the SIM card when it’s locked. Similarly, the PIN is required to unlock the SIM card whenever the iPhone is restarted, which would prevent the iPhone from re-registering with the iMessage servers after it’s been remote-wiped.
jhollington - February 3, 2012
Yes. The short, simple answer is PIN SIM security. It’s almost as easy as dim sum chicken.
soulinether - February 3, 2012 via mobile
The simplest solution would be if Apple fixed the bug ;)
Dave Ray - February 5, 2012
The problem I see is with PrePay SIMs, I was just in the UK for a few weeks so got a PrePaid SIM for my iPhone, while I was there I was using iMessage etc, so that number will be tied to my account. PrePay numbers are often re-used after quite a short period of time of inactivity, so in as little as 3 months, that number could be given out to someone else, and they will start getting my iMessages?
We really need a place where we can just remove registered numbers from our accounts.
mashles - February 3, 2012
That’s true only if people are still sending iMessages to your old, now-reassigned phone number.
Otherwise, if you’ve registered a new phone number, on a new prepaid SIM card, then people should be using that one instead, as would iMessage, of course.
In that regard, it’s just like SMS. Of course, if you’re planning on using a prepaid SIM card and then letting the service lapse so the number gets reassigned, that’s not really what you’re supposed to do with an iPhone anyway, and there’s nothing Apple can really do to prevent that, since somebody else legitimately has that number.
If you’re worried about that being an issue, your best bet is to use your Apple ID and e-mail address for iMessage instead, and make sure everybody else is using that as well.
jhollington - February 3, 2012
Ah OK, was thinking that it broadcast the iMessage to all registered numbers and emails. No worries then.
mashles - February 3, 2012
Would this affect people with CDMA iPhones?
Given the whole no sim card thing.
Tech.Eac - February 3, 2012
The lack of a SIM card makes it almost impossible to pull the “spy trick” with a CDMA iPhone, since there’s no way to get your phone number to show up on somebody else’s device.
On the flip side, however, this makes the stolen iPhone issue potentially more serious since there’s no way to lock the SIM (since there isn’t one — at least not for the primary number).
jhollington - February 3, 2012
So, let’s say I hypothetically bought an iPhone 4S today, then sold it next October because I can’t stop myself from buying an iPhone 5. Before I walk on down to the friendly Ukrainians at the local PS3-repair-and-secondhand-iPhone-store that crisp October evening, I will need to have:
1. Removed my old SIM
2. Wiped my iPhone 4S while there was no SIM in the slot
As long as I do them in that order, the old phone won’t re-imprint the old SIM data into iMessage, right?
mortenjorck - February 3, 2012
This is exactly what I’m wondering, everyone has been experimenting with replicating the exploit, but I want clear confirmation that you can undo it by wiping the iPhone sans SIM.
iandanger - February 3, 2012
This is stupid. Who doesn’t immediately change all their passwords as soon as a phone is lost or stolen?? I don’t care if you do a remote wipe, it’s dumb not to still change all your passwords, period. Once the account info was changed, features like iMessage wouldn’t work anymore. I’d immediately change my iTunes account password, done.
JRX16 - February 3, 2012
Chuckle
Sorry Jr, that has no effect on it.
Rhonin - February 6, 2012
What about CDMA phones?
eagrimm - February 3, 2012
Thank goodness Apple devices have no viruses.
ImTherious - February 3, 2012
So if iMessage is affected by this issue, then technically, all other messaging services that use the phone number as identification (WhatsApp, Kik, etc) will be prone to this hack/workaround. Right?
vivekkrish - February 3, 2012
I can confirm that Kik does not use phone number for identification. That’s strictly username only.
WhiteNiteLite - February 3, 2012
iSpionage
fundamentallybroken - February 3, 2012
My Lesson Learned: Sprint and Verizon iPhones are safe (since they don’t use SIM cards)
qrius - February 3, 2012
You’re also safe if you don’t let people remove your SIM cards. Honestly if you let somebody else handle your phone they could jailbreak it and install a tracker on it, or do whatever. So this isn’t really a big additional security concern. It’s not like you’re casually handing out your SIM card all the time.
n13 - February 4, 2012
Oh..
Settings → Phone → SIM PIN → Set SIM PIN
Problem solved.
n13 - February 4, 2012
And this is the reason why enterprise IT always hands out Blackberries.
patheticallyapathetic - February 3, 2012
Of course, apart from the fact BBM does exactly the same thing, as someone has already mentioned in these comments (in fact, kind of worse).
Blackberries get handed out because of the email integration, which is less and less relevant every day as the other platforms surpass its features and compatibility.
MadusMaximus - February 4, 2012
Really? Wow, that’s strange. Maybe Apple copied BBM a bit too closely ;)
n13 - February 4, 2012
Where is the part of the SIM PIN-CODE? No one can swipe it!
Haydar - February 4, 2012
It’s something normal. I do not find it to be a bug. It’s how it is. Once the account is re-registered on the iPhone it stays there until you sign off of course.
FrankyApple - February 4, 2012
Typical Apple, you’re doing it wrong scenario, that it’s “not a bug with iMessage, but rather a rare situation in which a retail employee broke protocol”. What happened to responsibility??
master cool - February 4, 2012
Meh. Obviously a bug in iMessage. If you’re using the SIM card / phone number as ID, you better make sure you remove that info when the SIM is removed.
n13 - February 4, 2012
Seems like a simple bug – they should disable iMessage as soon as the SIM is removed. The fact they’re caching the SIM information is either a design flaw or an oversight, but the next OS upgrade will fix that, I am sure.
The it would work just like text messages and phone calls – only the phone with the correct SIM installed receives those.
n13 - February 4, 2012
Is there actually no edit button? “Then it would work…”
n13 - February 4, 2012
2 things:
1. If you no longer have your phone and didn’t turn off iMessage (say if you move to an Android handset), anyone with an iOS device will continue sending iMessages (and they will be shown as delivered) and you won’t receive the SMS – they just go into a black hole.
2. There is an easy fix for this – let people login to their iCloud account and view devices attached, and disable iMessage at the server side.
Switching SIMs is still an issue, but a SIM PIN can stop this.
Shane.
shanelord - February 4, 2012
Experienced something similar when swapping networks (O2 to 3). New 4s had a temporary number for a few days until the O2 number was ported over. Took a while to figure out what was going on and resolve it. Question is: what happened to the temp 3 number? Will it get recycled and passed on to someone else? If so do they get to ‘spy’ on my iMessages??
11220 - February 5, 2012
I wish this “bug” let me swap my SIM to my iPad so that my iMessages sent to my phone number would be able to sync across my devices. I know I can get it working with my email address though that is not too helpful if you have friends who are still sending messages to your phone number.
adambadam - February 6, 2012
iMessage, FaceTime, GChat, Hangouts… Whatever, neither Apple nor Google will ever cover the same quality and quantity as Live Messenger/Skype/Facebook, let’s face it, Facebook will eventually turn to be a social media division in MSFT. Seems at Redmond, whatever people say, they’re doing things right.
davidsalazarparis - February 6, 2012