Stolen iPhones May Still Receive iMessages Sent To The Original Owner

BY Rounak Jain

Published 15 Dec 2011

iMessage icon

According to various user accounts, stolen iPhones still seem to be receiving iMessages being sent to the original owner, despite taking measures like remote wiping or changing Apple ID passwords.

The latest such account comes from an Ars Technica reader David Hovis:

According to Hovis, his wife deactivated her iPhone with her carrier, remote wiped it, and immediately changed her Apple ID password—”we picked up a new iPhone the next day, figuring that our insurance would end up paying for it” 

The stolen phone was later sold to a new owner, who could not only receive messages meant for Hovis’ wife, but also pose as her and send messages to others. He learnt that similar problems had plagued other iPhone users on MacRumors forums as well as Apple discussion boards.

A similar problem haunted iPhone users when push notifications were introduced with iOS 3. Notifications were sent to the wrong phones, presumably because they were jailbroken.

Apple remained silent on the issue, but iOS security expert Jonathan Zdziarski had this to say with regard to the issue:

“I can only speculate, but I can see this being plausible. iMessage registers with the subscriber’s phone number from the SIM, so let’s say you restore the phone, it will still read the phone number from the SIM. I suppose if you change the SIM out after the phone has been configured, the old number might be cached somewhere either on the phone or on Apple’s servers with the UDID of the phone.” 

There can be two possible solutions. One is to completely abandon the Apple ID tied with the stolen device, but that would mean you lose all your purchases. Another is to hope that iMessage is reactivated with a new phone number/Apple ID.

Both these solutions are nowhere close to being practical, and it remains to be seen whether this is a server side bug, or a bug on the resident software on iPhones.

Have any of you folks experienced similar issues?

[via Ars Technica]