Reports say stolen iPhones are still receiving iMessages being sent to the original owner, despite measures such as remote wiping, or changing old Apple ID passwords. Rounak at iPhone Hacks tells us all about it.
According to Hovis, his wife deactivated her iPhone with her carrier, remote wiped it, and immediately changed her Apple ID password—”we picked up a new iPhone the next day, figuring that our insurance would end up paying for it”
The stolen device was sold to a new owner. Turns out the new owner not only could receive messages meant for Hovis’ wife, but could also send messages to others posing as her. He then learned on the Apple discussion boards and MacRumors forums of others having similar problems.
Apple hasn’t posted anything on the issue, but iOS security expert Jonathan Zdziarski had this to say about the issue:
“I can only speculate, but I can see this being plausible. iMessage registers with the subscriber’s phone number from the SIM, so let’s say you restore the phone, it will still read the phone number from the SIM. I suppose if you change the SIM out after the phone has been configured, the old number might be cached somewhere either on the phone or on Apple’s servers with the UDID of the phone.”
There can be two possible solutions. One is to drop the Apple ID tied with the stolen device, but you would lose all your purchases. Another is to hope that iMessage is reactivated with a new phone number/Apple ID. Neither of which is truly feasible.
It hasn’t been established whether this is a server side bug, or a bug in the software on the devices.