A class action complaint filed Monday takes aim at Apple and T-Mobile for a long-running iMessage and FaceTime flaw that tied Apple services to a specific cellular number, leaving users open to inadvertent and continuous access to private data when a number was recycled.
Filed with the U.S. District Court for the Southern District of New York, the proposed class action reaches back to an iMessage bug first discovered in 2011.
At the time, reports claimed stolen iPhones were receiving iMessages sent to a device's original owner. The activity continued in spite of proper safety protocols including changing an account holder's number, resetting an associated Apple ID and remotely wiping a stolen handset using iCloud security tools. Those early accounts were the first to document a more serious problem.
According to today's complaint, the underlying issue was tied to Apple's handling of device identifiers, a protocol that ensured iMessages were being routed to the correct user.
"Specifically, when an iPhone user ceased using a SIM card and the phone number associated with that SIM card was subsequently recycled by a wireless network carrier such as T-Mobile, the previous owner of the SIM card associated with that phone number would still be able to receive iMessages and FaceTime calls on his or her iPhone that were intended to be received by the new owner of that phone number," the filing reads.
Though it does not explain the mechanism in detail, the lawsuit alleges Apple ID maintained a "legacy connection" with the phone number associated with a device's original SIM card. The theory was first floated by security expert Jonathan Zdziarski in a statement to Ars Technica in 2011.
"I can only speculate, but I can see this being plausible," Zdziarski said at the time. "iMessage registers with the subscriber's phone number from the SIM, so let's say you restore the phone, it will still read the phone number from the SIM. I suppose if you change the SIM out after the phone has been configured, the old number might be cached somewhere either on the phone or on Apple's servers with the UDID of the phone."
The apparent flaw caused iMessages and FaceTime calls intended for one iPhone owner to be routed to a second user. More specifically, an iPhone user who switched numbers or carrier commitments would begin to receive messages and calls bound for another iMessage or FaceTime user. As SIMs are typically discarded when switching carriers or assigned numbers, phone number recycling appears to be at the root of the problem.
Plaintiffs in the current case, Tigran Ohanian and Regge Lopez, were allegedly impacted by the bug.
As described in the filing, Ohanian purchased an iPhone 6s while on vacation in New York. He activated the device on T-Mobile's network and used it for about one year. T-Mobile later recycled Ohanian's number for use by Lopez, who was assigned the number when he switched carriers. Ohanian, who had since removed the T-Mobile SIM from his iPhone 6s, began to receive "extensive amounts" of unwanted communications addressed to Lopez. These messages included private photos and other correspondence.
Apple failed to remedy the problem when contacted, and the company failed to address the larger "pervasive data security breach" publicly. T-Mobile is on the hook for engaging in "deceptive" SIM card practices, the suit alleges.
It is unclear how widespread the issue was at its peak, though it can be surmised that unwanted data access was limited to iPhones assigned a recycled number that had previously been used with another iPhone. Both iPhone users would need to provision the same number with their respective Apple ID accounts to trigger the flaw.
Apple's iOS 12, issued in 2018, ultimately squashed the bug by requiring two-factor authentication for certain iCloud services. It is unclear if Apple made attempts to rectify the issue in intervening software updates.
Plaintiffs seek class status, damages and court fees for alleged deceptive practices, false advertisement, fraudulent misrepresentation and unjust enrichment.
11 Comments
Simply forcing re-authentication and thus re-registration of the number to a new when the SIM is used in a different phone (through serial number or IMEI detection) would have fixed this. Either that or making the link between phone number and UDID or IMEI exclusive, such that one number can only be linked to one device. Forwarding could still work as that's AppleID based, not based on the mobile number.
Not fixing a major bug like that for 7 years is inexcusable. I normally these lawsuits, but a bug like that left for 7 years deserves a hearing.
So to be clear, the issue is:
User 1 has an iPhone with their mobile number associated with their Apple ID.