Voicemail privacy issue. Is Apple to blame?

After tinkering with and trying to raise attention to a serious privacy issue in Telstra’s MessageBank Plus (their implementation of Apple’s Visual Voicemail), I’m now convinced that the issue lies within Apple’s service and not Telstra’s implementation of it.

At the end of the day my contract is with Telstra. They’re the custodians of my privacy here and with them remaining absolutely silent, I’ve had no-one else to point the finger at. But my repeated replication of the issue makes me seriously consider the fact that this cannot be limited to the Telstra network.

I have definitely been told that Telstra doesn’t use IMEIs to authenticate devices for Visual Voicemail. And I remember reading that Visual Voicemail can use “invisible” SMS messages to authenticate and communicate with a device. This all led me to find this document – I have no idea if it’s the exact solution Telstra uses, but it sounds similar. And if so, my hypothesis is this:

That iOS does not send, or does not send a valid, STATUS SMS (8.1.4) when a different SIM is inserted immediately following an iPhone’s activation.

I would love for people to test this issue on other carriers!

We Need You!

Do you have access to the following?

  • A spare iPhone you’re happy to wipe
  • Your SIM for a service WITH visual voicemail active
  • Another SIM for a service WITHOUT visual voicemail active on the same carrier

If so, fantastic!

Firstly, you’re about to wipe your phone. Do not continue if you have any data you wish to keep on this device!

Your steps may differ slightly from what my iPhone 5 gave me; for example, Touch ID is on the 5S and above. I’m intentionally not setting up any services or features in order to save time and not add any complications.

  1. Insert your SIM (with VVM active) into the iPhone
  2. Open Settings, select General > Reset and Erase All Content and Settings
  3. Leave your SIM in and once it’s restarted, set up the iPhone as a new device:
    1. Select Your Country: Australia
    2. Choose a Wi-Fi Network: Use Mobile Connection
    3. Location Services: Disable Location Services
    4. Create a Passcode
    5. Set Up as New iPhone
    6. Apple ID: Don’t have an Apple ID then Set Up Later in Settings then Don’t Use
    7. Terms and Conditions: Agree then Agree
    8. Siri: Turn On Siri Later
    9. Diagnostics: Don’t Send
    10. Welcome to iPhone: Get Started
  4. Turn the iPhone off and remove your SIM
  5. Call your number and record yourself a message
  6. Insert the other (non-VVM) SIM
  7. Turn the phone on

Do you get the message? If you did, please leave as much detail about your service and where you are in a comment below.

 

2 Comments

  1. Hey,
    I was the Reddit user that suggested Apple in the first place – my exact comment was “How do you know this isn’t an apple firmware issue? It seems like you’ve jumped to blame the carrier. How did you eliminate apple from your troubleshooting process?”. I found your blog and am wondering if you’ve had any resolution from either Telstra or Apple on this issue. I would totally offer to help but I am an Android guy.

    • Hi mate. Thanks for following up! Telstra’s official message to me this week is that they “implemented a fix that prevents access to visual voicemail on a handset after the associated SIM card is removed”. My understanding from all of the troubleshooting I did is that this is absolutely an Apple problem and while Telstra now has a workaround, other carriers are still vulnerable until Apple patches their firmware. I can’t officially confirm Apple knows about it, but you totally called it and as I hoped, Telstra got the wheels turning. 🙂
