
Accidental espionage: how iMessage conversations end up in the wrong handsets

iMessage Stealing

Terrifying tales have surfaced recently of unsuspecting iPhone users who have had their private conversations swiped by thieves or intercepted by accident, and through our own independent test we've confirmed the issue and at least one way it could arise — but, to be clear, that doesn't mean you should hit the panic button.

Stories about a potential iMessage bug swirled after users started to report on the issue in forums — one user in a MacRumors thread said that after having their iPhone stolen, their iMessages were still being intercepted by the thief despite a remote wipe. In December, Ars Technica reported that one of their readers had suffered a similar fate. And recently, Gizmodo intercepted a bunch of private communications from an Apple store employee after taking an iPhone 4 in for repairs.

Apple representative Natalie Harrison tells us that the problem in the Gizmodo case is not a bug with iMessage, but rather a rare situation in which a retail employee broke protocol and used their personal SIM to help a customer who didn't have a working SIM. But what about those who have their iPhones or SIMs stolen? The issue may not be a catastrophic "bug," but it's certainly a reproducible exploit. So here's what you need to know.

The SIM-swapping field test

With the iPhones of our own Ross Miller, Patrick Austin, and Chris Welch as test subjects, we've successfully reproduced the iMessage issue. This can be done with any SIM-equipped iPhone at any time, but the process is imperfect and time-consuming.

For this test, we used three carrier-locked iPhones — henceforth described simply as the Victim (the original iPhone), the Spy (the conversation-scraping iPhone), and the Bystander (a garrulous third party).

First, make sure iMessage is set up on all phones. From the Settings → iMessage window, you should see the phone number listed and grayed out. As a note, iMessage is a substitute for SMS; when iMessage is enabled, the iPhone sends iMessages instead of SMS, and vice versa.

Now, take out the Victim's SIM card and put it in the Spy's iPhone. On the Victim's phone you'll get a "No SIM installed" pop-up and the Settings → Phone menu will be inaccessible, but sure enough, the phone number will still be listed under iMessage.


The Spy's phone, however — now containing the Victim's SIM card — will attempt to verify said card. This will take several minutes, but the process can be expedited by turning the phone off and on. The same phone number will then be connected to both iPhones, despite having different Apple IDs. You can put the Victim's SIM card back in his or her phone or simply toss it away.

What happens next

From the Bystander's iPhone (with iMessage on — it doesn't happen otherwise), send a message to the Victim's phone number. Both the Victim and the Spy will get it, despite only one of them having a SIM card. If either iPhone responds, both will see it come up as a "sent" message. The SIM-less iPhone can intercept (and even join in) all of someone else's iMessage conversations without any signs of intrusion. It'll look as if your phone is possessed.

If the Victim turns off iMessage, it would only serve to cut them out of the loop. The Bystander's phone would still detect iMessage to be working (via the Spy's phone), and would send iMessages to the Spy's phone that the Victim won't be able to see.

How to disable

As the Victim


When we remote wiped the Victim's iPhone, iMessage was disabled, but only when the SIM was removed. If the SIM is still in the phone, as may be the case in a scenario where the phone is stolen, iMessage can still be reactivated, but only if that SIM is still valid. Therefore, if you're the Victim, your best bet is to perform a remote wipe and then immediately deactivate the old SIM card. After our own test, we've confirmed that this method will invalidate the old SIM, clear the phone, and prevent it from being reactivated with your phone number.

As the Spy

This whole issue stems from the phone number staying tied to the phone's iMessage service even after ejection. The iPhone itself clearly knows the SIM is missing, as exhibited by the disabled Phone settings. If, however, you have the SIM-less iPhone and you're tired of invading someone else's privacy, popping in another SIM card or even just turning iMessage off and on should sever ties completely.
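The registration behaviour observed in the field test and in the two mitigation sections above, written up as an added Python toy model; this is not Apple's code and not from the article, and its rules, handset names and the sample number are assumptions distilled from the article's observations.

```python
# Toy model (assumption-based, not Apple's implementation) of the behaviour
# the article reports: a handset's iMessage registration for a number
# survives ejecting the SIM, so two handsets can share one number.

class Registry:
    """Tracks which handsets receive iMessages for a number and which SIM each holds."""

    def __init__(self, valid_numbers):
        self.valid = set(valid_numbers)   # numbers whose SIM the carrier still honours
        self.recipients = {}              # number -> set of registered handset names
        self.sim_in = {}                  # handset -> number on its SIM, or None

    def verify(self, handset):
        # Registration succeeds only with a carrier-valid SIM in the handset.
        number = self.sim_in.get(handset)
        if number in self.valid:
            self.recipients.setdefault(number, set()).add(handset)

    def insert_sim(self, handset, number):
        self.sim_in[handset] = number
        self.verify(handset)

    def eject_sim(self, handset):
        # Core finding: ejecting the SIM leaves the existing registration in place.
        self.sim_in[handset] = None

    def remote_wipe(self, handset):
        # Observed: the wipe clears the registration; whether the handset can
        # reactivate afterwards depends on the SIM it still holds (see verify).
        for names in self.recipients.values():
            names.discard(handset)

    def deactivate(self, number):
        # Carrier invalidates the old SIM: it can no longer pass verification.
        self.valid.discard(number)

    def who_receives(self, number):
        return sorted(self.recipients.get(number, set()))


NUM = "555-0100"   # constructed sample phone number

def sim_swap():
    """Victim's SIM moved to the Spy and quietly returned: both keep receiving."""
    r = Registry([NUM])
    r.insert_sim("victim", NUM)
    r.eject_sim("victim")
    r.insert_sim("spy", NUM)      # Spy verifies with the Victim's SIM
    r.eject_sim("spy")
    r.insert_sim("victim", NUM)   # SIM put back in the Victim's phone
    return r.who_receives(NUM)

def stolen_phone(deactivate_sim):
    """Stolen handset still holds the SIM; Victim wipes, with or without SIM deactivation."""
    r = Registry([NUM])
    r.insert_sim("stolen", NUM)
    r.remote_wipe("stolen")
    if deactivate_sim:
        r.deactivate(NUM)         # the extra step the article recommends
    r.verify("stolen")            # thief's handset later tries to reactivate
    return r.who_receives(NUM)
```

The model reproduces the article's two conclusions: a returned SIM leaves both handsets registered, and a remote wipe alone lets a stolen handset with a valid SIM reactivate, while wipe plus SIM deactivation does not.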

Why this (probably) doesn't matter

We've recreated all this in a controlled environment, but that doesn't necessarily mean it will come up in a real-world setting — the biggest danger here is that someone might swipe your SIM card, slap it in a spare iPhone, put it back in your iPhone after verification, and then monitor all of your conversations without you ever knowing. And since this all takes place at the physical level, your messages can be swiped even if your phone is passcode locked. And what if your phone is stolen? In that case, you can always default to normal panic mode, which is the same on all platforms.

Of course, if someone ever does get their hands on your iPhone, there's a whole host of other nefarious things they could do besides swiping your SIM card — so the issue might not deserve some of the hysteria we've seen across the web, but it's also clearly a risk that Apple needs to address. Until then, it's just one more reason to think twice the next time you consider leaving your iPhone unattended at the bar.

Ross Miller contributed his words, time, and sense of privacy to this report. Special thanks to Patrick Austin, Chris Welch, David Pierce, and Michael Shane, as well.

The Verge