It appears that a bug in iMessage allows texts to be sent to a stolen iPhone, even after a remote wipe and disabling the SIM card, reports Ars Technica.
iMessage, introduced in iOS 5, is similar to RIM's BlackBerry messaging service. It sends text, picture, and video messages over Apple's servers instead of via the carrier's SMS service. This can lower the user's text messaging charges and adds features like delivery confirmation. It also allows users of non-cellular devices, like the iPad and iPod Touch, to send and receive text and picture messages -- as featured in a recent iPod Touch television ad.
According to Ars Technica:
Our attention was drawn to this story by Ars reader David Hovis, whose house was recently burglarized and his wife's iPhone 4S was stolen. According to Hovis, his wife deactivated her iPhone with her carrier, remote wiped it, and immediately changed her Apple ID password—"we picked up a new iPhone the next day, figuring that our insurance would end up paying for it," Hovis told Ars.
For most users, this would be the end of the story. The phone number had been transferred to a new device and the old one had been deactivated; what more is there to say? A lot, apparently, and in the form of iMessages. The thief who stole Mrs. Hovis' iPhone had sold the device to an unsuspecting buyer elsewhere in the state, and the buyer had begun sending and receiving iMessages from the phone as Mrs. Hovis—even though the stolen phone had apparently now been activated under a new number.
Hovis sent messages to the new "owner" of his wife's old phone, with the messages going to both the old and new phone, but the other person was uncooperative. He discovered a thread on the MacRumors forums with several readers reporting the same issues.
Apple has not commented on the matter, but it's possible that the iMessage servers permanently link the UDID of a particular handset to a phone number, so they know which handset to deliver iMessages to. When the phone is remotely wiped and a new SIM card is installed, the iMessage servers don't update, and messages continue to be sent to the stolen phone.