An interesting report from Ars Technica this week:

Some unlucky iPhone owners are beginning to discover that, despite their best efforts to remove all information from their stolen phones, thieves and unsuspecting buyers are still able to send and receive iMessages as the original owner — even after the device is registered under a new account. Almost nothing seems to work — remote wiping, changing Apple ID passwords, or even moving the old phone number to a new phone — and users are becoming more than frustrated that thieves are so easily able to pose as them.

This actually makes some sense — not that it isn’t a security issue that Apple should address. This has actually been a problem with FaceTime since iOS 4.0, BTW, but obviously is less of a concern there since you can generally see who you’re talking to :)

iMessage actually works the same way as FaceTime in terms of phone number registration. If you think back to iOS 4.0 when FaceTime made its debut, there were no Apple IDs or e-mail addresses involved; FaceTime was a simple on/off switch that “just worked.” Apple ID and e-mail address support came later in iOS 4.1 when FaceTime was added to the iPod touch, which of course didn’t have a phone number. Despite that, it still took until iOS 5 before the iPhone could use anything other than a phone number for receiving FaceTime calls.

Under the hood, what actually happens with both iMessage and FaceTime on the iPhone is a hidden SMS message exchange to register the device with Apple’s servers. Perhaps ironically, this is done to improve security — non-repudiation of the owner’s actual phone number, rather than simply allowing them to enter their own; this is also why non-iOS implementations still don’t support phone numbers.

Phone number registration occurs when you first enable FaceTime or iMessage with a different SIM card. So basically, the first time you set up your iPhone, or whenever you swap out your SIM card after that. Simply toggling FaceTime or iMessage off and back on does not perform the registration again (presumably to save on SMS traffic). It also seems the iPhone doesn’t necessarily detect the removal of the SIM card and de-register the device, which is part of the security issue (of course, one could argue that without a valid SIM card, that’s difficult, if not impossible, to do since you can’t use SMS or mobile data — you’d be relying on a Wi-Fi connection to do so).

It’s also worth noting that when your carrier deactivates a SIM card, it doesn’t erase its phone number; the SIM card itself still has the original phone number in its internal memory, so the iPhone doesn’t know that anything has changed — as far as iOS is concerned, the device simply can’t connect to the network, in much the same manner as if you were out of cellular coverage.

Further, the entire iMessage and FaceTime system is based on the same Push Notifications released in iOS 3.0. Some may recall the debacle with how jailbroken iOS devices two years ago were all receiving the same push notifications because they had all been jailbroken with the same push notification provisioning certificates. A similar issue would apply to FaceTime and iMessage registration, with Apple’s servers probably holding the UDID of the iPhone even after a remote wipe.

The Problem

If Apple is in fact keeping and using the UDID of an iPhone even after the original phone number has been registered on a different device, or the original device has been registered with a different phone number and SIM card, then this is a definite problem and a potentially glaring security hole that needs to be fixed on Apple’s end.

However, I have five different iPhones here running iOS 5.0.1 and I tested this last night by playing musical SIM cards and wasn’t able to reproduce that particular problem — once an iPhone actually re-registered with a new phone number, it no longer received iMessages from the old one. It did however continue to receive iMessages (over Wi-Fi) after the SIM card was removed, and in some cases even after a new inactive SIM card (one without a phone number) was inserted (since in this case, the iPhone can’t re-register with iMessage/FaceTime since it’s unable to send an SMS to do so). Note that when an old inactive SIM card was inserted (one that had a phone number on it), however, iMessages were no longer received by the iPhone; my guess here is that the iPhone may have simply been refusing the incoming iMessages due to a non-matching phone number (the same effect occurred with FaceTime when I tested it on iOS 4.0 last year).

Keep in mind there could still be a “perfect storm” of circumstances that can cause iMessage to re-register itself and there would likely be little Apple could do about this unless it were to begin tracking stolen iPhones by UDID — something the company doesn’t presently do (whether it should is a separate debate).

Consider that most users will probably issue a “remote wipe” before they call their cellular carrier, or at least around the same time. This is generally a good idea, since once the iPhone’s number has been disconnected, you’d be relying on the thief being on a Wi-Fi connection in order for the remote wipe to work. If your iPhone is locked with a passcode, it’s relatively unlikely that the person who has it will be on a valid Wi-Fi connection, as they can’t configure a new one without getting into your device first.

So, you wipe your iPhone and it resets itself after the wipe. But guess what? Your SIM card is still in it, and still active when it reboots. So, iOS happily sends out an iMessage registration to Apple’s servers, via SMS, and activates iMessage at some point. This is a completely valid process, since your SIM card is still working in the iPhone, so of course it assumes this is what you want to do. When the carrier later deactivates the SIM card in the phone, iMessage remains registered and continues to work just fine, since the registration process doesn’t recur until you change the SIM card. Further, if the iPhone can’t register for iMessage with the new SIM card (for whatever reason, such as not being able to send an SMS message), Apple’s servers will have no way of knowing that the UDID should be reassigned to a new phone number.

On Apple’s side, a great solution to this particular problem would be to simply refuse to reactivate any services after a remote wipe until some type of authentication has occurred. However, there is something that everybody can do now and IMHO everybody should be doing anyway if you’re at all concerned about any GSM phone falling into the wrong hands…

Set a PIN code on your SIM card

You can find this setting under Settings->Phone->SIM PIN

Apple also has a support article on setting a SIM PIN that can be found here

Caution: Most SIM cards have a default PIN code which varies by carrier. If you enter your PIN (the default or your own) incorrectly too many times, the SIM will lock out and require a call to your carrier to get a “PUK” code. The invalid PIN code limit also varies between carriers, but is usually 5. Default codes for carriers are usually “1111” (Bell Canada, AT&T), “1234” (Rogers Wireless), “0000” (Sprint). See the comments for others. Also, as Matt Drance points out, the settings UI on iOS for this is not intuitive: the first code it asks for is actually the old, default PIN code in most cases.

With a SIM PIN set, you will be required to enter the PIN code whenever you reset your iPhone or change SIM cards before the iPhone can connect to the cellular network at all. This means that after a remote wipe, the iPhone will not be able to send any SMS messages on your behalf to do a FaceTime or iMessage registration, nor will it be usable for pretty much anything without the person knowing the PIN. In fact, they can’t even take the SIM out and swap it into another device without knowing the PIN. This is a SIM-level security function that should work to protect your SIM card on any GSM phone. Doing this will not only protect you from erroneous, otherwise-legitimate iMessage and FaceTime activations, but will prevent your SIM card from being used to rack up thousands of dollars in long distance calls before you’re able to call your carrier and get it deactivated.
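To make the sequence concrete, here is a small Python model of the registration flow as the post describes it: registration is triggered by a boot or SIM change and needs an unlocked, active SIM with a number; a remote wipe reboots the phone with the SIM still in it; carrier deactivation leaves the number in the SIM. This is an added example, not code from the post or from Apple. The phone number, UDID, PIN and the server's behaviour are all constructed assumptions: in particular, the model assumes a remote wipe clears the server-side entry unless the `keeps_registration_after_wipe` flag is set (the unresolved concern about Apple retaining the UDID), and `require_auth_after_wipe` stands in for the server-side fix proposed above.

```python
from typing import Optional
from dataclasses import dataclass

PIN_ATTEMPT_LIMIT = 5  # typical carrier limit quoted in the post; it varies by carrier


@dataclass
class Sim:
    number: Optional[str]        # number held in SIM memory; None models an inactive card with no number
    active: bool = True          # carrier-side state; deactivation does NOT erase `number`
    pin: Optional[str] = None    # SIM PIN, if the owner set one
    unlocked: bool = True        # PIN entered since the last power cycle or insertion
    bad_attempts: int = 0
    puk_required: bool = False   # locked out after too many wrong PINs; carrier PUK needed


class RegistrationServer:
    """Constructed stand-in for Apple's registration store (UDID -> phone number)."""

    def __init__(self, require_auth_after_wipe: bool = False,
                 keeps_registration_after_wipe: bool = False):
        self.registrations: dict = {}
        self.wiped: set = set()
        self.require_auth_after_wipe = require_auth_after_wipe            # proposed server-side fix
        self.keeps_registration_after_wipe = keeps_registration_after_wipe  # the post's open question

    def register(self, udid: str, number: str, authenticated: bool = False) -> bool:
        if self.require_auth_after_wipe and udid in self.wiped and not authenticated:
            return False  # refuse to reactivate services after a wipe without authentication
        self.registrations[udid] = number
        return True

    def note_remote_wipe(self, udid: str) -> None:
        self.wiped.add(udid)
        if not self.keeps_registration_after_wipe:
            self.registrations.pop(udid, None)  # assumption: the wipe clears the server-side entry

    def devices_for(self, number: str) -> set:
        """UDIDs that would currently receive iMessages addressed to `number`."""
        return {u for u, n in self.registrations.items() if n == number}


class Phone:
    def __init__(self, udid: str, sim: Optional[Sim], server: RegistrationServer):
        self.udid, self.sim, self.server = udid, sim, server
        self.registered_number: Optional[str] = None
        self.boot()

    def boot(self) -> None:
        # After a reset or power cycle a PIN-protected SIM must be unlocked again.
        if self.sim is not None and self.sim.pin is not None:
            self.sim.unlocked = False
        self._maybe_register()

    def insert_sim(self, sim: Optional[Sim]) -> None:
        self.sim = sim
        self.boot()  # a SIM change is the other trigger for registration

    def enter_pin(self, pin: str) -> bool:
        sim = self.sim
        if sim is None or sim.pin is None or sim.puk_required:
            return False
        if pin != sim.pin:
            sim.bad_attempts += 1
            if sim.bad_attempts >= PIN_ATTEMPT_LIMIT:
                sim.puk_required = True  # now needs the carrier's PUK code
            return False
        sim.unlocked, sim.bad_attempts = True, 0
        self._maybe_register()
        return True

    def remote_wipe(self) -> None:
        # Local state is erased, the server is told, and the device reboots with the SIM still in it.
        self.server.note_remote_wipe(self.udid)
        self.registered_number = None
        self.boot()

    def _maybe_register(self) -> None:
        sim = self.sim
        # Registration is a hidden SMS exchange: it needs an unlocked, active SIM with a number.
        if sim is None or not sim.unlocked or not sim.active or sim.number is None:
            return
        if sim.number == self.registered_number:
            return  # toggling iMessage off/on does not repeat the registration
        if self.server.register(self.udid, sim.number):
            self.registered_number = sim.number


UDID = "UDID-CONSTRUCTED-1"   # constructed
OWNER_NUMBER = "+15550100"    # constructed


def run_theft_scenario(sim_pin: Optional[str] = None, server_fix: bool = False,
                       server_keeps_udid: bool = False) -> bool:
    """Owner remote-wipes the phone (SIM still active), then the carrier deactivates the SIM.
    Returns True if the wiped phone is still registered to receive the owner's iMessages."""
    server = RegistrationServer(require_auth_after_wipe=server_fix,
                                keeps_registration_after_wipe=server_keeps_udid)
    sim = Sim(number=OWNER_NUMBER, pin=sim_pin)
    phone = Phone(UDID, sim, server)
    if sim_pin is not None:
        phone.enter_pin(sim_pin)          # the owner unlocked the SIM in normal use
    assert server.devices_for(OWNER_NUMBER) == {UDID}  # normal state before the theft
    phone.remote_wipe()                   # reboots with the still-active SIM inserted
    sim.active = False                    # carrier deactivates later; the number stays in the SIM
    return UDID in server.devices_for(OWNER_NUMBER)
```

`run_theft_scenario()` with no arguments reproduces the "perfect storm": the post-wipe reboot re-registers over SMS and the later deactivation changes nothing. With `sim_pin` set, the reboot cannot unlock the SIM, so no registration SMS is sent; with `server_fix=True` the server refuses the re-registration instead. The combination `sim_pin` plus `server_keeps_udid=True` is the caveat from the end of the post: if the server simply retains the UDID through the wipe, the PIN alone does not help.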

Using a SIM PIN doesn’t affect your normal use of the phone on a day-to-day basis unless you regularly power your iPhone down, in which case you’ll simply be prompted to enter the PIN code when you turn it back on. Otherwise, once entered the first time, it continues to be valid unless you change the SIM or reboot the iPhone (it therefore goes without saying that you should also use an iOS-level passcode as well).

This won’t necessarily solve the problem if Apple is still storing the UDID, and there are probably some small things that need to be fixed on Apple’s end… For example I have not been able to confirm in my testing whether setting up a new iPhone with the same phone number as the old one pushes the old iPhone UDID registration out of Apple’s servers. It should, but it’s something that’s difficult to test unless you actually have two SIM cards with the same phone number.