December 21, 2011 10:53pm
What may turn out to be a bit of a SecurityGate for Apple unless quickly patched is a bug that has been revealed over stolen iPhones running iOS 5 and iMessage.
See, what happens is this: your phone is stolen, with its SIM card intact. You scramble to remotely wipe the device (you DO have that feature enabled, right?) and, once completed you’re home free, right? I mean, you’ve called your carrier to disable the SIM card and reactivate it on a new phone, and, presumably, you’re hunky dory (besides having your phone stolen).
But what seems to be happening is that users who have had their iPhones stolen are watching in horror as the thief sends and receives iMessages, even if that phone is no longer registered with the number. There appears to be nothing that can be done at this point except registering a new Apple ID at the expense of your apps, music and movies.
What’s worse is that the issue does not appear to be working the same in all cases. Users with stolen iPhones claim that texts and phone calls sent to the old SIM card do not work (obviously, because the number has been reactivated on a new SIM) but the stolen phone is receiving iMessages on both the old and new number, even though the old one is nowhere to be found on the phone.
Why is this happening? There is a possibility that Apple is storing a device’s UDID (unique identification number) on their servers and, when the stolen iPhone is remotely wiped it briefly registers with Apple’s servers through SMS (even though the SIM is deactivated and shouldn’t have access to the network, but that’s not entirely true since it will attempt registration and then be rejected), so it may take a second wipe until the issue goes away. The thief probably does not know this, and will continue using the phone after that first wipe, receiving iMessages from the old and presumably newly-activated SIM card.
Regardless of the why, it is happening, and it is quite concerning. Jesse Hollington of iLounge suggests getting around this issue entirely by putting a SIM Pin on your SIM card, meaning that a 4-digit number will be needed before the SIM negotiates with the network, preventing the deactivated SIM from briefly re-registering in the first place after a remote wipe.
Has this happened to you, or someone you know? Tell us your story in the comments!
Source: Ars Technica