- Apple and T-Mobile are facing a class action lawsuit over security concerns regarding an issue that made it possible for third parties to access communications sent through Apple’s iMessage and FaceTime services.
- The complaint says a flaw caused an Apple ID to remain tethered to a T-Mobile SIM card and phone number even after the iPhone owner in question had stopped using that SIM card and phone number.
- As such, the previous owner of the SIM card was able to receive FaceTime calls and iMessage texts intended for the new owner.
- The complaint accuses Apple of being misleading by positioning its products as being highly secure, and accuses T-Mobile of worsening the problem by not disclosing its SIM card practices.
- Visit Business Insider’s homepage for more stories.
Apple and T-Mobile are facing a class action lawsuit over allegations that their failure to disclose a security issue that made it possible for third parties to access messages and video calls sent through Apple’s iMessage and FaceTime apps jeopardized consumer privacy.
The plaintiffs, Tigran Ohanian and Regge Lopez, say Apple misled customers by promoting the security of its products without disclosing a vulnerability that made it possible for strangers to access iMessage and FaceTime interactions.
The complaint refers to an issue that prompted an Apple ID — the account required to download apps from the App Store and register Apple products with your iCloud account — to remain tied to a T-Mobile SIM card even after the iPhone owner had finished using that SIM card and switched phone numbers.
When an iPhone owner stopped using a T-Mobile SIM card, the phone number tied to that SIM card would remain attached to the associated Apple ID even after the carrier had recycled it and given it to a new customer, the lawsuit says. Because Apple IDs maintained a “legacy connection” with T-Mobile SIM cards, the previous owner of the SIM card would receive iMessages and FaceTime calls intended for the new owner.
“In other words, because of the legacy connection, iMessage correspondence and FaceTime calls directed to the new owner of a phone number would lead to the iMessage correspondence or FaceTime call being unknowingly and improperly misdirected to the prior owner of the phone number because of its previous association with the SIM card,” the complaint says.
Neither Apple nor T-Mobile required customers to manually disassociate their Apple ID from their phone number to prevent the issue, the lawsuit says. The plaintiffs also take issue with Apple’s marketing language that positions its products as being highly secure despite the flaw.
By not disclosing the flaw and SIM card practices, Apple and T-Mobile caused customers to become “unsuspecting victims of extensive security data breaches,” the complaint says.
Representatives for Apple and T-Mobile did not immediately respond to Business Insider’s request for comment.
The issue was covered in Ars Technica and Gizmodo back in 2011 and 2012, but wasn’t fixed until 2018 when Apple released its iOS 12 operating system update, which requires multi-factor authentication, says the complaint. In its coverage from 2011, Ars Technica spoke with a reader who encountered this issue when his wife’s iPhone was stolen. After the thief had stolen the phone, the buyer was able to send and receive messages from the phone posing as the reader’s wife.
It’s not the only time security issues have been reported with Apple’s FaceTime in recent years. In early 2019, Apple fixed a flaw that made it possible to eavesdrop on an iPhone through FaceTime’s group calling feature.