or Connect
AppleInsider › Forums › Mobile › iPhone › iPhone bug allows stolen phones to receive iMessages even after remote wipe
New Posts  All Forums:Forum Nav:

iPhone bug allows stolen phones to receive iMessages even after remote wipe

post #1 of 25
Thread Starter 
Scattered reports have emerged that stolen iPhones continue to receive iMessages intended for their original owners even after changing numbers, resetting Apple ID passwords and remote wiping the handsets.

ArsTechnica looked into the matter earlier this week after a reader reported experiencing the issue.

According to the report, a stolen iPhone 4S continued to receive the reader's wife's iMessages after the couple had deactivated the device with the carrier and remote wiped it. The contraband handset had even been resold and activated under a new number.

Apple released iMessage as part of iOS 5 in October. The service, which allows for free messaging between iOS users, has been much discussed because it poses a threat to wireless carriers' SMS revenues.

The issue does not appear to be an isolated incident, as multiple support threads (1, 2) on Apple's website have cropped up regarding the problem. Some users suggested that wiping an iPhone when the original SIM card is still in the device won't result in a clean reset, thereby allowing the iMessage feature to reactivate when the phone is restored.

Apple has yet to respond to a request for comment, but report author Jacqui Cheng did speak with iOS security expert Jonathan Zdziarski about the bug.

"I can only speculate, but I can see this being plausible," he said. "iMessage registers with the subscriber's phone number from the SIM, so let's say you restore the phone, it will still read the phone number from the SIM. I suppose if you change the SIM out after the phone has been configured, the old number might be cached somewhere either on the phone or on Apple's servers with the UDID of the phone."



One user experiencing the issue claimed to have resolved it by canceling his old Apple ID completely, but the solution would be unacceptable to most customers, as it entails abandoning any iTunes and App Store purchases tied to the account.

Twitter user Kim Hunter told the publication that a representative from Apple's security unit had denied that it was a security problem, offering the relatively unhelpful solution of turning iMessage off on the offending device.

Apple has experienced minor issues with several of its new product rollouts this fall. iCloud, for instance, has been subject to intermittent outages. The company is also working on a software fix for battery life in iOS 5 after an initial fix failed to completely resolve the issue.

Most recently, the international iTunes Match launch got off to a false start on Wednesday ahead of its official release on Thursday.
post #2 of 25
Welp, fix in 5.1, then.
post #3 of 25
I think the two biggest concerns with Find my stolen iPad and iPhone are: 1. When you initiate a message to the device you get an e-mail explaining what you did, but the device in question also receives the same e-mail. That's just dumb. Apple should figure out a solution to that. 2. All the person has to do is remove your iCloud account from the device with s few taps and you're out of luck.
Citing unnamed sources with limited but direct knowledge of the rumoured device - Comedy Insider (Feb 2014)
Reply
Citing unnamed sources with limited but direct knowledge of the rumoured device - Comedy Insider (Feb 2014)
Reply
post #4 of 25
I'd like to have a remote self district option, just a small chunk of C4 surely doesn't weigh much
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
"Google doesn't sell you anything, they just sell you!"
Reply
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
"Google doesn't sell you anything, they just sell you!"
Reply
post #5 of 25
I that a bug or a benefit? I'd be like, yeah, you stole my iPhone, but I will HAUNT YOU FOREVER. Now give it back.
post #6 of 25
Quote:
Originally Posted by Ireland View Post

All the person has to do is remove your iCloud account from the device with s few taps and you're out of luck.

You can enable Restrictions within Parental Controls to "lock" changes to accounts or location services. Someone would have to know your 4 digit Restrictions password to disable Find my iPhone. That should buy you enough time to locate/wipe the device.

I will be interested in Apple's answer as to why devices that are remote wiped still receive iMessages meant for the original owner, however.
post #7 of 25
So you could use a Mac with the right script to bombard your stolen iPhone with a continuous stream of iMessages, 24/7 which would make it kind of useless to a thief.

I like it.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
post #8 of 25
Quote:
Originally Posted by Anon-spec View Post

You can enable Restrictions within Parental Controls to "lock" changes to accounts or location services.

Passcode lock would do the same thing. And you can set that via iCloud's find my iPhone

Quote:
I will be interested in Apple's answer as to why devices that are remote wiped still receive iMessages meant for the original owner, however.

don't hold your breath. Apple rarely speaks about the cause of such bugs due to the risk of giving fuel to hackers

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #9 of 25
This issue has been out for more than 24 hours and is just now making headlines at AI. This is a bigger issue than any of the other supposed "scandals" Apple has dealt with their devices yet it seems to be getting as much attention as a major security flaw in Android which is to say, no attention.


Quote:
Originally Posted by Ireland View Post

I think the two biggest concerns with Find my stolen iPad and iPhone are: 1. When you initiate a message to the device you get an e-mail explaining what you did, but the device in question also receives the same e-mail. That's just dumb. Apple should figure out a solution to that. 2. All the person has to do is remove your iCloud account from the device with s few taps and you're out of luck.

They need a have a passcode/PIN lock for altering anything that could affect your device's ability to use Find My Device. I logged this oversight with issue when this service first appeared. This still hasn't changed.

This bot has been removed from circulation due to a malfunctioning morality chip.

Reply

This bot has been removed from circulation due to a malfunctioning morality chip.

Reply
post #10 of 25
Android doesn't have this problem because who would steal Android phones? The resale value isn't worth it.
post #11 of 25
Quote:
Originally Posted by grblade View Post

I that a bug or a benefit? I'd be like, yeah, you stole my iPhone, but I will HAUNT YOU FOREVER. Now give it back.

That's exactly what I was thinking. You steal my iPhone, and no matter what you do, I can still cuss at you. Sounds like a selling feature to me
post #12 of 25
Am i right in thinking that 'Find My iPhone' requires a data connection of some kind, either wifi or data? When i travel internationally, as I often do, data is firmly off to avoid high roaming charges. If jut 3G is on, does that allow the phone to be located i wonder?

Any ideas?
post #13 of 25
Quote:
Originally Posted by rosstheboss View Post

Am i right in thinking that 'Find My iPhone' requires a data connection of some kind, either wifi or data? When i travel internationally, as I often do, data is firmly off to avoid high roaming charges. If jut 3G is on, does that allow the phone to be located i wonder?

Any ideas?

If someone steals your iPhone, as soon as they put a SIM in it or connect to WiFi then it shows up, anywhere on Earth with Internet and is available for find my phone and iMessages.

If you wanted to you could bombard the phone with thousands of photos and chew up a thief's data plan.

I'd troll the darkest corners of the net for the worst pictures I could find attach them to imessages and make a thief rue the day they stole my iphone.

I really hope they don't get rid of this.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
Reply
post #14 of 25
Quote:
Originally Posted by digitalclips View Post

I'd like to have a remote self district option, just a small chunk of C4 surely doesn't weigh much

The radio and electronics in a cell phone can trigger explosives -- in the UK it is illegal to use your cell phone at a petrol pump for fear of explosion.
---------
iMessage can be set up to use just your phone number or number+email address(es) -- I wonder if using just the number would solve the problem? IIRC, it is only your UDID and email which are linked to your iCloud account, not the phone number?
post #15 of 25
If your phone's stolen, send a remote wipe request then call your carrier and stop service immediately. Problem solved. If you're expecting a stolen iphone to be returned, keep on dreaming.
post #16 of 25
Quote:
Originally Posted by hill60 View Post

So you could use a Mac with the right script to bombard your stolen iPhone with a continuous stream of iMessages, 24/7 which would make it kind of useless to a thief.

I like it.

That is a superb idea. Send constant pictures of your ass 24/7 but make sure you are on wifi and not using cellular data and boom the thieving little b*stard gets a walloping big bill for data.
post #17 of 25
Quote:
Originally Posted by sip View Post

The radio and electronics in a cell phone can trigger explosives -- in the UK it is illegal to use your cell phone at a petrol pump for fear of explosion.
---------
iMessage can be set up to use just your phone number or number+email address(es) -- I wonder if using just the number would solve the problem? IIRC, it is only your UDID and email which are linked to your iCloud account, not the phone number?

Thats not to do with the radio of the phone. Petrol fume explosions can (apparently) be caused by minute sparks from your cell phone igniting petrol fumes. Which is complete bullshit. Theres more chance of you igniting the fumes by wearing a shell suit. LMAO

As for setting off explosives? Yes, the electrical field given off from a mobile phone can interfere with electronic devices, in this case the detonator. It would of course make no difference to the C4 which is a fairly stable compound. Your Li battery on fire would not detonate it
post #18 of 25
"Scattered reports"

Nice one, the thieves certain did scatter!
"But OMFG I recall I emailed messaged my bank details!"


Liability now certainly comes into it.
post #19 of 25
Quote:
Originally Posted by SolipsismX View Post

This issue has been out for more than 24 hours and is just now making headlines at AI. This is a bigger issue than any of the other supposed "scandals" Apple has dealt with their devices yet it seems to be getting as much attention as a major security flaw in Android which is to say, no attention.

Nonsense. If this were a major security flaw in Android, it would have been reposted on this site in seconds after hitting the intertubes.
post #20 of 25
Quote:
Originally Posted by caliminius View Post

Nonsense. If this were a major security flaw in Android, it would have been reposted on this site in seconds after hitting the intertubes.

Android's open OS is such a large security flaw that we don't need to waste our time posting about it. Microsoft is handling our lite work as they give away phones to malware ridden Android users...
post #21 of 25
I had a similar problem with SMS on my Sprint Palm Treo 650 when my dad and i switched phones. For several days after the swap he was getting SMS messages from people who were txt'ing me. I was a little embarrassed by some of the messages to say the least. I don't know if this was a problem with the Sprint network or the Treo itself.
post #22 of 25
Quote:
Originally Posted by hill60 View Post

If someone steals your iPhone, as soon as they put a SIM in it or connect to WiFi then it shows up, anywhere on Earth with Internet and is available for find my phone and iMessages.

If you wanted to you could bombard the phone with thousands of photos and chew up a thief's data plan.

I'd troll the darkest corners of the net for the worst pictures I could find attach them to imessages and make a thief rue the day they stole my iphone.

I really hope they don't get rid of this.

Easily blocked via Settings. As I've passed my trusty 3gs down to others for wifi use, it was quite interesting to hear two devices chiming when iMessages arrived. It will be fixed, obviously, as it's a bit of a privacy concern (easily unblocked via Settings).
post #23 of 25
Quote:
Originally Posted by irnchriz View Post

Thats not to do with the radio of the phone. Petrol fume explosions can (apparently) be caused by minute sparks from your cell phone igniting petrol fumes. Which is complete bullshit. Theres more chance of you igniting the fumes by wearing a shell suit. LMAO

As for setting off explosives? Yes, the electrical field given off from a mobile phone can interfere with electronic devices, in this case the detonator. It would of course make no difference to the C4 which is a fairly stable compound. Your Li battery on fire would not detonate it

That's completely correct. In fact, the idea that your cell phone can ignite gas fumes is a myth. When you take a call at the pump, you're more inclined to get back into your vehicle, which increases your static electric charge, especially in the winter when theair is dry and you're wearing a fleece. When you return to the pump to remove it, a spark from your hand may discharge and ignite the fumes. This is easily resolved by touching your car to discharge any static build up before removing the pump.



NOW. what I really want to know is.... How do they know the messages are still going to the phone?? They must be getting a response, right? Wouldn't you inform the rebuyer they bought a hot phone and tell them how to return it? And if they refused, couldn't you inform the police or the carrier of the new phone number on the phone and have them track it down? Receiving stolen property is a crime too.
post #24 of 25
My iPhone was stolen in July and only now are my friends who have the new software receiving iMessages from someone who isn't me. I have an old school LG flip phone that clearly does not have the new Apple iOS software. The messages that I send to people who have it are going to them but when they reply it is going to the person with my phone. The reply from the person is coming up as my name to my friends and the person is having legitimate conversations with them. I am not sure how to exactly stop this, so if anyone knows how to help I would greatly appreciate it!!!
post #25 of 25
We have experienced this twice after repairing customer iPhones in our repair shop. The first time it happened we only installed our business sim card into the customers phone just to make sure the service worked. We de-installed our sim and re-installed his deactivated sim. After the repair, he went to ATT to get a new activated sim card and installed it. Later that day, he was getting our business text and we were getting his also. He restored his iPhone thru iTunes to clear up the issue. We now have a "do not install our sim card in customer phones" rule. We suspected imessage to be the problem.
iPhone Parts .............Bringing em back to life, 1 device at a time.
Reply
iPhone Parts .............Bringing em back to life, 1 device at a time.
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • iPhone bug allows stolen phones to receive iMessages even after remote wipe
AppleInsider › Forums › Mobile › iPhone › iPhone bug allows stolen phones to receive iMessages even after remote wipe