David Hovis recently had his wife’s iPhone stolen. They wiped the device, but shortly afterward discovered that the stolen phone was still receiving iMessages and was able to reply to them. This was written up in a very thorough report by Ars Technica’s Jacqui Cheng.
While the bug itself may not be permanently fixable by anyone but Apple, iLounge editor Jesse Hollington has posted his thoughts on the issue and a relatively simple fix for those concerned. If you’re worried about your stolen iPhone being used to receive and send iMessages, even after a wipe, just set a SIM PIN under Settings > Phone.
This will prevent your SIM from being used after the phone has been wiped or powered off and on. That way, you can be sure that no iMessages can be sent or FaceTime calls placed by the thief.
The issue appears to arise because your phone number, which is tied to your SIM card, is recorded by Apple’s iMessage and FaceTime servers, which route those requests. This means that even if you wipe your device and deactivate the SIM with your provider, the Apple servers will still identify that phone with your Apple ID until the SIM is replaced.
Warning: There are some caveats to this method. With a SIM PIN set, your device will require that you enter it any time you power it off and on or replace the SIM, which is a tad annoying if you power cycle your device. This is best used in conjunction with the iPhone’s regular passcode for the best security, obviously.
Setting a SIM PIN can also be harder or easier depending on your carrier. While some carriers do not pre-set a PIN on your SIM, some do. You will need to get this from your carrier if you wish to set a custom PIN that you can remember. AT&T’s default PIN is 1111; I do not know the others.
Some carriers, like AT&T, also require that you unlock your device using a PUK (Personal Unlock Key) if you attempt to set a SIM PIN without knowing the default PIN. This means that your phone is out of commission if you enter an incorrect SIM PIN or attempt to set a new one without contacting AT&T first. So be sure to have a chat rep online from AT&T’s website, or a voice representative if you’re a sadist, before you attempt this.
Note that AT&T recommends that you call them after your device is stolen so that it can perform the SIM locking procedure remotely, instead of setting one ahead of time.
Once you’ve entered the PUK, you can set a SIM PIN which will protect it if you wipe the device or if the thief powers it off and back on.
This whole procedure is annoying, and can even prevent you from using your phone by disabling the SIM if you enter the PIN wrong too many times, so please read Apple’s instructions here carefully and make note of your carrier’s contact info before you try it.
Note that you should also go ahead and wipe your device if it is stolen, as your iMessage ID is still stored on it and will continue to work unless you do so. This is the way it has worked in my experience. My wife’s old iPhone 3GS continued to receive iMessages when she switched to the iPhone 4, even with no SIM in it. Once it had been wiped, it ceased receiving the messages.
Still, if you’re worried about iMessage and FaceTime security and you’re not willing to wait for Apple to fix this behavior, a SIM PIN does offer an immediate solution.