Class Action Against Apple, T-Mobile Claims Security Flaw Allowed Unauthorized Access to iPhone Texts, FaceTime Calls

Apple Inc. and T-Mobile USA, Inc. have been hit with a proposed class action this week over what two plaintiffs claim is a significant security flaw that has allowed iPhone users’ communications to be transmitted to third parties without their knowledge or consent.

According to the 34-page suit, a flaw in Apple’s iOS software, coupled with T-Mobile’s practice of recycling SIM cards without requiring previous users to manually disassociate their Apple IDs from their old phone numbers, has led to “innumerable unintended disclosures” of iPhone users’ iMessage and FaceTime correspondence for nearly seven years.

The lawsuit alleges that although Apple quietly attempted to resolve the security issue with the release of its iOS 12 software, neither Apple nor T-Mobile ever disclosed to iPhone users or the general public that their private data may have been exposed to strangers. Further, the case adds, those who haven’t installed the updated software may still be having their information exposed to this day.

Apple Promised to Keep Data “Safe and Secure,” Class Action Claims

For years, the case begins, Apple has “aggressively marketed” the security and privacy features of its iPhones, which became a significant selling point for consumers.

In fact, since at least 2009, Apple’s privacy policy purportedly assured consumers that “[y]our privacy is a priority at Apple, and we go to great lengths to protect it.”

When Apple introduced FaceTime in June 2010 and iMessage, an encrypted instant messaging service, in October 2011, both features were touted by the tech giant as “highly secure,” statements that remained in line with Apple’s representations that iPhones are “[s]afe and secure by design,” the suit says. The two features were designed to be used for communications between iPhone users and are incompatible with other smartphones.

The lawsuit alleges that although Apple between 2011 and 2017 “continuously and repeatedly” praised the security and privacy of the iPhone’s features, consumers were unaware that a flaw in the devices’ operating system allowed unauthorized third parties to view users’ iMessage and FaceTime correspondence through recycled subscriber identification modules—i.e., SIM cards.  

The Alleged SIM Card Security Flaw

The apparent security flaw in Apple’s operating system is rooted in the “legacy connection” between a user’s Apple ID and phone number, according to the case.

The lawsuit explains that when a consumer purchases an iPhone, the iMessage and FaceTime features become associated with the person’s phone number, Apple ID, and email address.

In order to use a wireless network, the user must insert a removable SIM card, provided by their mobile carrier, on which the consumer’s phone number and carrier information are stored, the case says. Once a SIM card is inserted into an iPhone, both the iMessage and FaceTime features then automatically register with the user’s phone number from the SIM card, according to the suit.

“Specifically,” the complaint explains, “in order to send iMessage correspondence or make a FaceTime call, the iPhone reads the iPhone user’s phone number from the SIM card.”

The security problem, according to the suit, occurs when a carrier such as T-Mobile recycles a SIM card and corresponding phone number that are still associated with the former user’s Apple ID.

Because of the “legacy connection” between the Apple ID and phone number, the previous owner of a recycled SIM card and corresponding phone number is able to receive iMessage and FaceTime communications on his or her iPhone that were intended for the new owner of the phone number.

“In other words,” the case reads, “because of the legacy connection, iMessage correspondence and FaceTime calls directed to the new owner of a phone number would lead to the iMessage correspondence or FaceTime call being unknowingly and improperly misdirected to the prior owner of the phone number because of its previous association with the SIM card.”

As such, the lawsuit argues, all iPhones in use while the security flaw was in place were capable of receiving iMessage and FaceTime communications that were intended for another iPhone user, and all outgoing messages were capable of being transmitted to an unintended recipient.

The case contends that Apple was aware of the security issue yet did nothing to prevent consumers’ private data from being disclosed to unauthorized third parties. Instead, the suit says, Apple “knowingly allowed” multiple unrelated Apple IDs to be associated with the same phone number while T-Mobile “compounded the problem” by recycling SIM cards without requiring that iPhone users manually disconnect their Apple IDs from their old phone numbers.

According to the suit, the security vulnerabilities went unchecked for nearly seven years until Apple purportedly resolved the data privacy issue with the release of its iOS 12 software in September 2018.

In order to remedy the problem of iPhone users’ communications being improperly disclosed to third parties, Apple never rewrote its code, nor did Apple advise consumers to manually disassociate their Apple IDs from the recycled SIM Cards. Instead, with the release of iOS 12 on or about September 17, 2018, Apple finally introduced mandatory multifactor authentication, which is a method by which an iPhone user can only be granted access to an iPhone by successfully presenting two or more factors in order to confirm his or her identity. Such factors may include a piece of information only the user would know or a password.”

Instead of informing consumers that their private information had been subject to “innumerable unintended disclosures” for nearly seven years, Apple, the case says, “merely updated its website” to state that two-factor authentication could no longer be turned off with the new iOS update.

Even now, however, some iPhone users have yet to update to the new software and could still be experiencing extensive data breaches without their knowledge, the suit says.

The Plaintiffs’ Experiences

The first plaintiff in the suit lives in Russia and purchased a SIM card from T-Mobile to use in his iPhone while on vacation in New York City, the suit says. The SIM card automatically linked to the plaintiff’s Apple ID and was in use for approximately one year, per the complaint.

The second plaintiff says he obtained a SIM card from T-Mobile after switching carriers and, unbeknownst to him, was assigned the same phone number that had previously been used by the first plaintiff. After inserting the SIM card, the plaintiff’s Apple account—and, by extension, his iMessage and FaceTime applications—became associated with the new phone number, the lawsuit explains.

Even though the first plaintiff’s SIM card was deactivated and no longer inserted into his iPhone, he began receiving “extensive amounts” of unwanted iMessage and FaceTime communications that appeared to be addressed to a new owner of his old number, per the complaint.

In all, the suit says, the first plaintiff received from “total strangers” over 100 iMessages and FaceTime calls, some of which contained private photographs, including pictures of young children.

Although the first plaintiff attempted to resolve the issue with Apple, the case argues that the proposed solution from the Apple privacy team “would do nothing” to resolve the wide-scale problem causing improper disclosure of iPhone users’ private messages.

The two plaintiffs eventually determined that the private communications received by the first plaintiff were intended to be sent to the second plaintiff. Because the phone number in question was still linked to the first plaintiff’s Apple ID, all iMessage correspondence and FaceTime calls directed to the second plaintiff were instead sent to the first plaintiff’s iPhone, the suit alleges.

According to the lawsuit, Apple was fully aware that iPhone users’ private communications could be intercepted by unintended third parties yet never informed the plaintiffs or any other customers how to avoid the data privacy problem. As stated in the complaint:

Apple never notified Named Plaintiffs – or any other members of the putative class – that they needed to manually disassociate old phone numbers utilized on iPhones from their Apple accounts to prevent those iPhone accounts from receiving unwanted (and potentially harmful) iMessage correspondence and FaceTime calls when those phone numbers are recycled by wireless network carriers, such as T-Mobile.”

The plaintiffs claim they suffered “significant and irreparable damages” as a result of the defendants’ conduct. The first plaintiff says his marriage was affected because he was unable to explain to his wife why he was receiving messages on his iPhone, including pictures of children, that appeared to be coming from another woman.

The second plaintiff says he has suffered emotional distress after not receiving the pictures of his child, which he says he can no longer obtain as his relationship with the child’s mother has ended.

“[The plaintiff] can never get those pictures or memories back,” the complaint states.

Who Does the Lawsuit Look to Cover?

The case looks to cover anyone who, within the applicable statute of limitations period, purchased an iPhone or a T-Mobile SIM card for use in an iPhone and utilized the phone’s iMessage or FaceTime features “by which they became victims of the pervasive data security breaches” described in the lawsuit.

Can I Join the Lawsuit?

Typically, there’s nothing you need to do to join a class action and only have to take action when and if the case settles. At that point, those affected should receive notice of the settlement with instructions on what to do next.

In the meantime, you can get class action news and updates sent straight to your inbox by signing up for ClassAction.org’s newsletter here.