If you have multiple Apple devices in your possession, you should read this story and immediately take steps to make sure the next story is not about you. It seems that when you have multiple Apple devices under the same Apple ID, it is very easy to have SMS messages meant for one device find their way onto a different Apple device with the same ID.
I first became aware of this problem a few months ago when my neighbor called me over at her wits' end. It seemed that no matter what she tried to do, she could not stop her eleven- and eight-year-old daughters from receiving her SMS messages. While it worked the other way around as well (she was receiving her daughters' SMS messages too), she didn't mind being able to "monitor" her daughters' messages. But though she was not sending anything risqué, she needed her privacy. You can understand that. Who would want to share our private SMS messages with our young children, or with anyone for that matter?
After poking around for an hour or two, I finally figured out that the issue was that all three devices were using the same Apple ID. While two of the devices were iPhones and one was an iTouch, they all were under the same Apple ID. The mom had done this so that they could share the music and apps in their iTunes account. Also, because the kids were young, she did not want them to have their own IDs.
Try as I might, it was really hard to separate out where the text messages went, especially for the iTouch, which did not have a phone number. The 8-year-old who used that device did not have a unique email address either, so it was hard to give it a unique ID. Finally, I suggested that the mom set up a unique Apple ID for each user and associate it with that device. Of course this meant no more sharing of music and apps between them, but I guess Apple wants you to do that. In Apple's world, what Apple wants, Apple gets.
But that was a tame version of this problem; let me give you the nightmare scenario. I received a call this morning from a lifelong friend of mine. He had gone through a somewhat bitter divorce (aren't they all) about a year ago. He has three beautiful little children and, like most of us, he has bought his kids some Apple devices. Each of the kids has an iTouch, iPad or iPhone (the oldest child). When my friend set up the devices he wanted them all to use the same apps, music and other content. You guessed it; he used his own Apple ID to set up the devices and his own email addresses so he could monitor what the kids were doing online.
Fast forward seven months. The kids take their Apple devices from his house when they are staying with him and back to their mother's house when they are staying with her. They really enjoy their Apple devices. They play lots of games, listen to music, watch videos and read books. Life is grand. Grand, that is, until my friend's ex-wife called up berating him about what a sick individual he was and that she does not want any of his friends, male and female, around her kids.
My friend was shocked. What was she talking about? Well, it seems that for the last 7 months his ex-wife has been able to monitor all of his text message replies because a copy of them goes to his son's iPad! Yes, that's right, every single text message he has received in the last 7 months has also been received on his son's device, where not only his ex-wife but his son could read them as well. Evidently some of the messages he received were in jest or a little racy or inappropriate, including pictures. But it was not just inappropriate content. There was some confidential data about his business, bank account information, and other private information that the people sending the text messages, I am sure, would not want leaked out or made public.
Think about this. What SMS messages have you received over the last 7 months? Is there anything that you would have a problem sharing with your ex-spouse or 7-year-old child? If your answer is no, you are a better person than I. But even if your answer is no, don't you think you would feel a tremendous sense of violation? We have all heard that we should not have any expectations of privacy online, but SMS too? What would happen if his wife were to post this with names to Facebook or something?
Yes, we can blame both my friend and neighbor for not setting up unique Apple IDs for each unique device they own. I am sure if we ask Apple that is exactly what they are going to say. How many of you out there have done this? How many of you understand why both of these parents used their own Apple IDs on their kids' devices?
If I know of these two instances, one with such serious consequences, I am sure there are hundreds, if not thousands, of other instances. Do you know of any? If so, I would like to hear from you.
Apple should do something about this. Make a setting switch that lets users decide which device should receive messages from a given Apple ID. Perhaps make it impossible for more than one device to share the same Apple ID. It seems that this is probably an easy one to fix.
Privacy is something we all care about. When it strikes home like this we are all reminded that our new connected world is sometimes too connected. Until Apple does something to remedy this all-too-common problem, take heed so that you are not the next victim.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.