Apple: Misdirected iMessages due to bad configuration, not a software bug

Posted:
in iCloud edited January 2014


Reports of iOS 5 iMessages being sent to the wrong recipient are the result of a misconfigured phone, not an issue with the operating system or Apple's cloud services, the company indicated.



A report by Jim Dalrymple of The Loop notes that a situation where messages from an Apple Store employee were being directed to another user's iPhone was the result of the employee failing to follow directions while troubleshooting the customer's device.



The employee installed his personal SIM card in the customer's phone, linking the device to his Apple ID account in a way that resulted in his subsequent iMessages, including photos, being relayed to the customer's device.



The report cited Apple representative Natalie Harrison as saying, "this was an extremely rare situation that occurred when a retail employee did not follow the correct service procedure and used their personal SIM to help a customer who did not have a working SIM. This resulted in a temporary situation that has since been resolved by the employee."



Apple noted that to prevent such a situation, users should "toggle iMessage on and off" in the Settings app of any iOS 5 device configured to their Apple ID before it is given away or sold.



iMessageGate



The situation was profiled by Gizmodo as "the Apple bug that let us spy on a total stranger's iPhone." The website, notorious for creating and promoting controversies related to Apple with catchy names patterned after the Watergate scandal, actually knew who the stranger was and why it was occurring.



Presumably, it also knew how to stop spying on the Apple employee by turning off access to his account messages. Instead, the site chose to monitor and publish unflattering photos and personal text conversations of the employee, actions which could expose the author to legal liability related to "publication of private facts" and "misappropriation of name or likeness," a form of privacy invasion.



Gizmodo and its Gawker Media parent previously escaped criminal charges for its role in paying for stolen property and refusing to return it in the case of Apple's iPhone 4 prototype after the San Mateo County district attorney's office decided not to file charges against the group and risk instigating an expensive trial over the rights of members of the media.



District Attorney Steven Wagstaffe did however note that "it was obvious [Gizmodo staff] were angry with the company about not being invited to some press conference or some big Apple event. We expected to see a certain amount of professionalism. This is like 15-year-old children talking," he said.



Wagstaffe added, "there was so much animosity, and they were very critical of Apple. They talked about having Apple right where they wanted them and they were really going to show them."






Comments

  • poochpooch Posts: 768member
    what say you, gizmodo chen?
  • ski1ski1 Posts: 251member
    It is a bug. The same results happen if you were to sell your phone, or if it's lost or stolen. Below are the details:



    http://arstechnica.com/apple/news/20...rong-place.ars



    and on this Apple forum thread...



    https://discussions.apple.com/message/16858629#16858629
  • wigginwiggin Posts: 2,035member
    Quote:
    Originally Posted by ski1 View Post


    It is a bug. The same results happen if you were to sell your phone, or if it's lost or stolen. Below are the details:



    http://arstechnica.com/apple/news/20...rong-place.ars



    and on this Apple forum thread...



    https://discussions.apple.com/message/16858629#16858629



    Sounds like a bug to me, based on that story.



    MobileMe had a way to remove clients from the list of synced devices. I guess that was another feature Apple dropped when they replaced MM with iCloud.
  • Very worrying that swapping sim cards can do this - automatically.



    As a European well accustomed to sim cards, it has historically been a standard behaviour - since the days when mobiles first went 'mass market' - to occasionally swap sims with a friend - when their phone had run out of battery, etc., to let them phone home, etc., on their credit/bill.



    You might say that this had changed with the world of the smart phone. However, this 'linking' being an autobehaviour also clearly looks wrong to me for the world of today.



    We are heading in the direction of a complete separation of mobile service into just becoming about the local 'connectivity' for your device, and all communications - messaging (e.g. emails - email provider, tweets - platform provider twitter, iMessage - platform provider apple etc) being completely separate from the mobile operator.



    True number separation will take this the next step. Where your number from your 'number host' (who might not offer mobile service at all) can have calls pointed at your current mobile service provider, providing the connectivity in the local country you are in at the time. Enabling you to use local service providers in all countries you use, saving roaming costs, etc.

    And also, regardless of whether at home or abroad, to have multiple numbers (from different providers) delivered to one device (like multiple email accounts from different providers on one device).



    The problem is NOT iMessage accounts knowing the mobile numbers they are associated with, the problem is anything that does this automatically.



    After all, this could suggest that a sim card that is simply alleging a certain phone number (fraudulently) to an iPhone, would trigger that iPhone registering the number with the iMessage account that user has created, and rerouting messages from any other iMessage iPhone user to that iMessage account over the iMessage platform rather than SMS. Indeed if the user whose number has been alleged (falsely) by the phoney sim card, is not an iMessage user, they would not be registered in the database, so no collision would occur.

    Message theft - don't even need the victims sim card.




    Also raises questions of how long they keep numbers in database. In some markets mobile numbers are 'reallocated' to new users quite quickly.
  • tallest skiltallest skil Posts: 39,470member
    Quote:
    Originally Posted by AppleInsider View Post


    District Attorney Steven Wagstaffe did however note that "it was obvious [Gizmodo staff] were angry with the company about not being invited to some press conference or some big Apple event. We expected to see a certain amount of professionalism. This is like 15-year-old children talking," he said.



    *Slow clap*



    Send them all to jail.



    First they go to CES and shut off companies' TVs as they're giving demos, then they try to use a stolen iPhone as leverage to get exclusives, and now they're all whiny about not being invited to Apple events anymore "for some reason".



    They're acting like they're FIVE years old.
  • freerangefreerange Posts: 1,355member
    And the big question still is why didn't they prosecute these asshole "15 year olds"? Seems they are still engaged in the same kind of criminal behavior and haven't learned anything.
  • correctionscorrections Posts: 1,080member
    Quote:
    Originally Posted by Wiggin View Post


    Sounds like a bug to me, based on that story.



    MobileMe had a way to remove clients from the list of synced devices. I guess that was another feature Apple dropped when they replaced MM with iCloud.



    iCloud isn't a list of synced devices.



    Might be nice for Apple to provide some awesome set of client management tools for iCloud at some point, but it's sort of like setting up your Mac to check email, selling the thing, and then being irate that "somebody else is checking your email!!!"



    There are clear and obvious, documented ways to protect yourself from such situations.
  • correctionscorrections Posts: 1,080member
    Quote:
    Originally Posted by Bishop of Southwark View Post


    Very worrying that swapping sim cards can do this - automatically.



    As a European well accustomed to sim cards, ...



    Also raises questions of how long they keep numbers in database. In some markets mobile numbers are 'reallocated' to new users quite quickly.





    Mobile phones aren't IP devices. They're on a custom network that (in GSM land) identifies devices based on their unique device ID stored on the SIM card. If you want to be able to send SMS, you do that through the carrier and it takes care of all that.



    For Apple to offer iMessage as a more powerful alternative that can bridge the Internet and work with IP connected iPads and Macs, it has to tie device identity to something, and SIM cards supply the unique ID.



    Complaining that things didn't work like they did in the 80s when you were swapping SIM cards with your friends is rather silly. If you don't want to mix up your devices and IDs, it's pretty simple:



    - don't turn on iMessage and then change your SIM card!

    - if you do decide to swap around SIM cards, disable iMessage first

    - if you sell your phone, turn off iMessage first



    Not exactly rocket science
  • ski1ski1 Posts: 251member
    Quote:
    Originally Posted by Corrections View Post


    Complaining that things didn't work like they did in the 80s when you were swapping SIM cards with your friends is rather silly. If you don't want to mix up your devices and IDs, it's pretty simple:



    - don't turn on iMessage and then change your SIM card!

    - if you do decide to swap around SIM cards, disable iMessage first

    - if you sell your phone, turn off iMessage first



    Not exactly rocket science



    None of those suggestions work if you lose your iPhone or have it stolen.
  • wigginwiggin Posts: 2,035member
    Quote:
    Originally Posted by Corrections View Post


    iCloud isn't a list of synced devices.



    But it damn well knows what devices are syncing to it! And as a user who owns the account, there damn well better be a way for me to secure my data from other people accessing it, even if that access was inadvertently given (or stolen).



    Quote:
    Originally Posted by Corrections View Post


    Might be nice for Apple to provide some awesome set of client management tools for iCloud at some point, but it's sort of like setting up your Mac to check email, selling the thing, and then being irate that "somebody else is checking your email!!!"



    Not a very accurate analogy. You have to take deliberate steps to create the email account in the mail program on that computer...launch the email client and specifically configure it by entering your email server, login, and password information. This is a case of all that being done automatically without your knowledge.



    An iPhone assuming that just because I inserted my SIM card into it that I want it to sync to my iCloud account, without so much as a confirmation dialog box, is either a bug or incredibly piss-poor design. And to fail to provide a way to unassociate the device later is also poor design. MobileMe and iTunes have the ability to remove either an individual device or reset the entire access control list, respectively.



    Quote:
    Originally Posted by Corrections View Post


    There are clear and obvious, documented ways to protect yourself from such situations.



    And yet not so "clear and obvious" that Apple's own employee screwed it up.



    Quote:
    Originally Posted by Corrections View Post


    If you don't want to mix up your devices and IDs, it's pretty simple:



    - don't turn on iMessage and then change your SIM card!

    - if you do decide to swap around SIM cards, disable iMessage first

    - if you sell your phone, turn off iMessage first



    Not exactly rocket science



    Weak. Sure, now that you've heard about this bug and what causes it, it's easy to avoid. But can you honestly expect that most people would have anticipated this issue until now? And even if you do irrationally have the expectation, do you think everyone would remember it every time? What about the case of a stolen phone? None of your "advice" would apply there. In that case, only a method to remove the device from access to your iCloud account would work. And Apple hasn't provided that.



    Design failure or bug, take your pick. Either way Apple needs to fix it.
  • ski1ski1 Posts: 251member
    I find it absurd that Apple engineers have known about this design flaw/bug for at least two months and they are still blowing off this security issue. Pretty sad.
  • nagrommenagromme Posts: 2,834member
    "Reports of iOS 5 iMessages being sent to the wrong recipient”



    This story, and Apple’s comment, seems to be about ONE report; an occurrence after Genius service. We’ve seen other reports, plural—about iMessage and stolen phones—which are much more interesting and concerning situations.
  • ski1ski1 Posts: 251member
    Also, if anyone has physical access to your phone (even your locked phone) for 30 seconds, they can pop out your sim card, install it into their phone and turn on iMessage, then put your sim card back into your phone. iMessages directed to you will now go both to your phone and their phone and you will never know. Pretty bad design flaw/bug. Apple needs to address this security/privacy issue, instead of blowing it off.
  • foljsfoljs Posts: 213member
    Quote:
    Originally Posted by ski1 View Post


    None of those suggestions work if you lose your iPhone or have it stolen.



    Besides being idiotic to begin with.



    Those steps could perfectly well be (and SHOULD BE) automated.



    It's not like it's any difficult for the device to check if the SIM was changed.



    We'll see a fix for this in some upcoming update, Apple is just saving face with this BS response.
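
Added example, not part of any post in this thread and not Apple's code: a toy Python model of the binding behaviour debated above, in which a directory maps a phone number to every device that registered it. The class, its method names, the device labels and the phone numbers are constructed for illustration; the model compares the sticky binding with the automated SIM-change check and the owner-side revoke that posters ask for.

```python
from collections import defaultdict

class ToyDirectory:
    """Hypothetical number -> devices registry; not Apple's implementation."""

    def __init__(self, unbind_on_sim_change=False):
        self.bindings = defaultdict(set)   # number -> device ids that receive its messages
        self.sim_in = {}                   # device id -> number of the SIM now inserted
        self.unbind_on_sim_change = unbind_on_sim_change

    def remove_sim(self, device):
        number = self.sim_in.pop(device, None)
        # Mitigation suggested in the thread: notice the SIM left and drop the binding.
        if self.unbind_on_sim_change and number is not None:
            self.bindings[number].discard(device)

    def insert_sim(self, device, number):
        self.remove_sim(device)                 # a swap is a removal plus an insert
        self.sim_in[device] = number
        self.bindings[number].add(device)       # automatic, no confirmation prompt

    def toggle_off(self, device):
        # Manual step from Apple's advice in the article: the device deregisters itself.
        for devices in self.bindings.values():
            devices.discard(device)

    def revoke(self, number, device):
        # Owner-side control the posters ask for: works without holding the device.
        self.bindings[number].discard(device)

    def recipients(self, number):
        return sorted(self.bindings[number])


EMPLOYEE, CUSTOMER_SIM = "+15550100", "+15550199"   # constructed numbers

def store_scenario(directory):
    """Replay the service-desk sequence; return who receives the employee's messages."""
    directory.insert_sim("employee-phone", EMPLOYEE)
    directory.remove_sim("employee-phone")
    directory.insert_sim("customer-phone", EMPLOYEE)      # borrowed SIM for troubleshooting
    directory.remove_sim("customer-phone")
    directory.insert_sim("employee-phone", EMPLOYEE)      # SIM goes back to its owner
    directory.insert_sim("customer-phone", CUSTOMER_SIM)  # customer gets a working SIM
    return directory.recipients(EMPLOYEE)


if __name__ == "__main__":
    print(store_scenario(ToyDirectory()))                           # sticky binding
    print(store_scenario(ToyDirectory(unbind_on_sim_change=True)))  # automated unbind
```

With the sticky binding, the manual toggle only helps while the holder of the second device cooperates; the revoke call is the one control in the model that still works for a lost or stolen phone.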
  • macfb6macfb6 Posts: 16member
    It's not a bug, it's a huge crap in our pants.
  • charlitunacharlituna Posts: 7,056member
    Quote:
    Originally Posted by AppleInsider View Post




    District Attorney Steven Wagstaffe did however note that "it was obvious [Gizmodo staff] were angry with the company about not being invited to some press conference or some big Apple event. We expected to see a certain amount of professionalism. This is like 15-year-old children talking," he said.



    I believe the incident that started all of it was Gawker offering money to folks that could give them details about Apple's rumored tablet including a look at it before it was announced. Apple likely responded not only with legal threats but also with refusing to allow them to attend the actual iPad announcement. Just as they cut off Gawker for all events after the iPhone stunt.
  • charlitunacharlituna Posts: 7,056member
    Quote:
    Originally Posted by ski1 View Post


    None of those suggestions work if you lose your iPhone or have it stolen.



    http://supportprofile.apple.com
  • ski1ski1 Posts: 251member
    Quote:
    Originally Posted by charlituna View Post


    http://supportprofile.apple.com



    How do you know this is linked to the way iMessage communicates? There is no Apple support document that verifies this is the case.
  • jnjnjnjnjnjn Posts: 588member
    Quote:
    Originally Posted by ski1 View Post


    None of those suggestions work if you lose your iPhone or have it stolen.



    None of the suggestions are needed in that case. All your data is exposed in that case, unless of course you use the obvious way to protect your information by setting a password.

    You can do a remote wipe to remove all your data.



    J.
  • jnjnjnjnjnjn Posts: 588member
    Quote:
    Originally Posted by Corrections View Post


    Mobile phones aren't IP devices. They're on a custom network that (in GSM land) identifies devices based on their unique device ID stored on the SIM card. If you want to be able to send SMS, you do that through the carrier and it takes care of all that.



    For Apple to offer iMessage as a more powerful alternative that can bridge the Internet and work with IP connected iPads and Macs, it has to tie device identity to something, and SIM cards supply the unique ID.



    Complaining that things didn't work like they did in the 80s when you were swapping SIM cards with your friends is rather silly. If you don't want to mix up your devices and IDs, it's pretty simple:



    - don't turn on iMessage and then change your SIM card!

    - if you do decide to swap around SIM cards, disable iMessage first

    - if you sell your phone, turn off iMessage first



    Not exactly rocket science



    It's probably enough to disable SMS within iMessage. iMessage uses an email address as a unique id in that case. iPod touches and iPads without a sim card can communicate via iMessage after all.



    J.