Lawsuit targets Apple iMessage, FaceTime flaw related to phone number recycling

Posted in General Discussion, edited July 2020
A class action complaint filed Monday takes aim at Apple and T-Mobile for a long-running iMessage and FaceTime flaw that tied Apple services to a specific cellular number, leaving users open to inadvertent and continuous access to private data when a number was recycled.


Filed with the U.S. District Court for the Southern District of New York, the proposed class action reaches back to an iMessage bug first discovered in 2011.

At the time, reports claimed stolen iPhones were receiving iMessages sent to a device's original owner. The activity continued in spite of proper safety protocols including changing an account holder's number, resetting an associated Apple ID and remotely wiping a stolen handset using iCloud security tools. Those early accounts were the first to document a more serious problem.

According to today's complaint, the underlying issue was tied to Apple's handling of device identifiers, a protocol that ensured iMessages were being routed to the correct user.

"Specifically, when an iPhone user ceased using a SIM card and the phone number associated with that SIM card was subsequently recycled by a wireless network carrier such as T-Mobile, the previous owner of the SIM card associated with that phone number would still be able to receive iMessages and FaceTime calls on his or her iPhone that were intended to be received by the new owner of that phone number," the filing reads.

While not explained in detail, the lawsuit alleges Apple ID maintained a "legacy connection" with the phone number associated with a device's original SIM card. The theory was first floated by security expert Jonathan Zdziarski in a statement to Ars Technica in 2011.

"I can only speculate, but I can see this being plausible," Zdziarski said at the time. "iMessage registers with the subscriber's phone number from the SIM, so let's say you restore the phone, it will still read the phone number from the SIM. I suppose if you change the SIM out after the phone has been configured, the old number might be cached somewhere either on the phone or on Apple's servers with the UDID of the phone."

The apparent flaw caused iMessages and FaceTime calls intended for one iPhone owner to be routed to a second user. More specifically, an iPhone user who switched numbers or carrier commitments would begin to receive messages and calls bound for another iMessage or FaceTime user. As SIMs are typically discarded when switching carriers or assigned numbers, phone number recycling appears to be at the root of the problem.

Plaintiffs in the current case, Tigran Ohanian and Regge Lopez, were allegedly impacted by the bug.

As described in the filing, Ohanian purchased an iPhone 6s while on vacation in New York. He activated the device on T-Mobile's network and used it for about one year. T-Mobile later recycled Ohanian's number for use by Lopez, who was assigned the number when he switched carriers. Ohanian, who had since removed the T-Mobile SIM from his iPhone 6s, began to receive "extensive amounts" of unwanted communications addressed to Lopez. These messages included private photos and other correspondence.

Apple failed to remedy the problem when contacted, and the company failed to address the larger "pervasive data security breach" publicly. T-Mobile is on the hook for engaging in "deceptive" SIM card practices, the suit alleges.

It is unclear how widespread the issue was at its peak, though it can be surmised that unwanted data access was limited to iPhones assigned a recycled number that was previously used with a first iPhone. Both iPhone users would need to provision the same number with their respective Apple ID accounts to trigger the flaw.

Apple's iOS 12, issued in 2018, ultimately squashed the bug by requiring two-factor authentication for certain iCloud services. It is unclear if Apple made attempts to rectify the issue in intervening software updates.

Plaintiffs seek class status, damages and court fees for alleged deceptive practices, false advertisement, fraudulent misrepresentation and unjust enrichment.


Comments

  • Reply 1 of 11
    elijahg Posts: 2,759 member
    Simply forcing re-authentication and thus re-registration of the number to a new when the SIM is used in a different phone (through serial number or IMEI detection) would have fixed this. Either that or making the link between phone number and UDID or IMEI exclusive, such that one number can only be linked to one device. Forwarding could still work as that's AppleID based, not based on the mobile number.
    edited July 2020
  • Reply 2 of 11
    Not fixing a major bug like that for 7 years is inexcusable. I normally these lawsuits, but a bug like that left for 7 years deserves a hearing. 
  • Reply 3 of 11
    mrochester Posts: 700 member
    So to be clear, the issue is:

    User 1 has an iPhone with their mobile number associated with their Apple ID. 

    User 1 asks for their phone number to be decommissioned but does not remove that phone number from their Apple ID. 

    User 2 is then assigned the phone number that user 1 had and because user 1 did not remove their phone number from their Apple ID, user 1 then starts receiving messages designed for user 2?  

    User 2 has the sim card with the number associated with it and user 1 has the number associated with their Apple ID. 
  • Reply 4 of 11
    urahara Posts: 733 member
    Not fixing a major bug like that for 7 years is inexcusable. I normally these lawsuits, but a bug like that left for 7 years deserves a hearing. 
    Maybe it had been deserving a hearing during those 7 years. 
    But w years after fixing the bug - questionable. 

     Or over, I would bet that someone had sued during those 7 years. I wonder how that case got resolved, if there was a case. 
  • Reply 5 of 11
    badmonk Posts: 1,295 member
    So to be clear, the issue is:

    User 1 has an iPhone with their mobile number associated with their Apple ID. 

    User 1 asks for their phone number to be decommissioned but does not remove that phone number from their Apple ID. 

    User 2 is then assigned the phone number that user 1 had and because user 1 did not remove their phone number from their Apple ID, user 1 then starts receiving messages designed for user 2?  

    User 2 has the sim card with the number associated with it and user 1 has the number associated with their Apple ID. 
    Thanks for summarizing it and that is how I read it too, so why isn’t User 1 more culpable than Apple for not updating his account?
  • Reply 6 of 11
    macgui Posts: 2,360 member
    AI said:
    At the time, reports claimed stolen iPhones were receiving iMessages sent to a device's original owner. The activity continued in spite of proper safety protocols including changing an account holder's number, resetting an associated Apple ID and remotely wiping a stolen handset using iCloud security tools. Those early accounts were the first to document a more serious problem.

    Do we know that resetting the Apple ID didn't include the user removing their previous number from iCloud? If so, I missed that part.

    I've had the same phone since June 2007, so this has never been an issue for me. Not sure I'd even know where to look in iC to remove the old number. When signing in with the new one, isn't the old number "there" somewhere? Not at all familiar with the process.

    It does seem odd that it took this long for someone to file suit. I hope more detail surfaces on the suit and the flaw.

  • Reply 7 of 11
    As described in the filing, Ohanian purchased an iPhone 6s while on vacation in New York. He activated the device on T-Mobile's network and used it for about one year. T-Mobile later recycled Ohanian's number for use by Lopez, who was assigned the number when he switched carriers. Ohanian, who had since removed the T-Mobile SIM from his iPhone 6s, began to receive "extensive amounts" of unwanted communications addressed to Lopez. These messages included private photos and other correspondence.

    Apple failed to remedy the problem when contacted, and the company failed to address the larger "pervasive data security breach" publicly. T-Mobile is on the hook for engaging in "deceptive" SIM card practices, the suit alleges.

    The devil will be in the details.  It will come down to evidence provided by both parties about this particular support-desk exchange.  Personally, I find it hard to believe that Apple (or any company) would simply ignore complaints like this.  If they did, it's not unreasonable that Apple would pay a price for such.

    I would argue that it's the other party who was the most harmed by this--the person who is sending information that is being delivered to the wrong person--and they are unaware that it's happening.  Again, it's hard to believe that this was a) widespread, b) known to Apple, and c) ignored by Apple.  If a, b, and c are true, our favorite fruit company will be compensating the class-action attorneys handsomely (and the people actually impacted will get a tiny payment as well).
  • Reply 8 of 11
    ivaua Posts: 6 member
    The whole story from today's point of view sounds nonsensical. I'll give you my personal example. I have two iPhones with one of them eSIM/physical SIM card fitted. Essentially I can have up to 3 active lines associated with my Apple ID. I'm switching SIM cards in my phones rather often due to travel necessity, sometimes staying in some country long enough to have it reasonable to have a local SIM card.

    So, what I was talking about... It has never happened so that the SIM card removed with active line would remain associated across all my Apple devices when it is removed from one of the phones. Besides, there is so called TRUSTED line which I'm restricting to my "main" line from home country. iPhone ALWAYS asks me what do I want to do with the new SIM card/phone number/line and if I want to change my trusted phone number. Once card removed the chance that you'll be able to get iMessages later on equals ZERO. I can install that SIM card again, but iMessage and FaceTime will have to get through authorisation process again, if you don't know it essentially sends from that "new" line a text message (classic SMS) to Apple service number which is not visible to user and that way the line becomes associated with your Apple ID. Only later on you'll see in your bill that you have sent an international text message... :-) Some operators are not supporting directly iMessage/FaceTime activation so in this case the text will be sent to some international phone number for activation purposes.

    Basically I can't imagine what this story can dig out from apple from today's point of view. Like this Apple authentication works as minimum 4 years. Before I remember similar scandal was popping in the news but at that point Apple said that they are keeping association of the phone number with Apple ID for 30 days after which it would require re-authorisation. But that was already a story from ages ago...
  • Reply 9 of 11
    mknelson Posts: 1,126 member
    I think there is some confusion both in the way the article is written and the use of the term SIM card.

    A SIM card is a single use item. It can be activated to a user account, but cannot be recycled for a different user.

    The phone number is the problem.

    The phone number was attached to an AppleID.

    The phone number was reassigned to a different person.

    The phone number was not removed from the AppleID so some messages are going to the wrong person.

    The same problem can happen with SMS if you keep sending to an old texting thread…

    badmonk said:
    Thanks for summarizing it and that is how I read it too, so why isn’t User 1 more culpable than Apple for not updating his account?
    Because Apple hasn't made much of an effort to highlight the issue if you change to a new phone number. iCloud will ask if you want to associate the new number, but I have never seen it prompt with "what about the old number?"
  • Reply 10 of 11
    hammeroftruth Posts: 1,309 member
    It does look like it boils down to human error. There are too many things that don’t add up. Why does it only affect T-Mobile and not other carriers and why isn’t there a class action if the issue is so widespread? 
    With Apple and the carrier’s deep pockets, you would have thought there would be at least 1 class action. 

    IMHO, this boils down to a user who didn’t know how to deregister his phone number from his iCloud account. I’m sure if he contacted AppleCare, they would have been able to help. If he did that and it was still happening, THEN he might have a case. The article doesn’t mention what steps the plaintiff took to ask Apple to help. If he went into a store they would have referred him to AppleCare since retail stores do not have access to modify Apple IDs. 
  • Reply 11 of 11
    This article isn’t explained correctly and is not completely correct. I’m having this problem, however I’m a Verizon (I have three iPhones under this account) customer. The problem came to my attention December 2019. 

    Someone called cellphone A in December via FaceTime and cellphone C answered. The person told me they called and that other person answered. Seemed strange but didn’t think much of it. 

    Two weeks ago someone called cellphone B via FaceTime and cellphone A started ringing at the same time with the same call. 

    At this point I’m really upset and freaked out because all these cellphones are new, Apple IDs are not associated in any way shape or form, we back up to our own clouds...the only thing connecting us is Verizon. 

    Any suggestions on what I should do or how to proceed? 