Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data



A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s website was found guilty on Tuesday.


Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization.


Auernheimer and Daniel Spitler, 26, of San Francisco, California, were charged last year after the two discovered a hole in AT&T’s web site in 2010 that allowed anyone to obtain the e-mail address and ICC-ID of iPad users. The ICC-ID is a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.


The iPad was released by Apple in April 2010. AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their e-mail address. AT&T linked the user’s email address to the ICC-ID, and each time the user accessed the AT&T web site, the site recognized the ICC-ID and displayed the user’s email address.


Auernheimer and Spitler discovered that the site would leak email addresses to anyone who provided it with an ICC-ID. So the two wrote a script, which they dubbed the “iPad 3G Account Slurper,” to mimic the behavior of numerous iPads contacting the web site in order to harvest the email addresses of iPad users.
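The behavior described above leaves a signal defenders can look for: a real iPad presents only its own ICC-ID, so a single client presenting many distinct ICC-IDs in a short time is scripted enumeration. The sketch below is an added example, not part of the original article; the log layout, IP addresses, ICC-ID values and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed log lines: '<ISO timestamp> <client IP> <ICC-ID presented>'."""
    base = datetime(2010, 6, 5, 10, 0, 0)
    lines = []
    # One device returning to the site with its own ICC-ID (normal).
    for n in range(4):
        ts = (base + timedelta(minutes=n)).isoformat()
        lines.append(f"{ts} 203.0.113.5 89000000000000000017")
    # Two devices behind one shared address (normal, low cardinality).
    for n, iccid in enumerate(["89000000000000000025", "89000000000000000033"]):
        ts = (base + timedelta(minutes=2 * n)).isoformat()
        lines.append(f"{ts} 192.0.2.44 {iccid}")
    # One client presenting a new ICC-ID every ten seconds (enumeration).
    for n in range(6):
        ts = (base + timedelta(seconds=10 * n)).isoformat()
        lines.append(f"{ts} 198.51.100.7 8900000000000000{1000 + n}")
    return lines


def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=3):
    """Return {client_ip: peak distinct ICC-IDs in any sliding window}
    for clients whose peak exceeds max_distinct."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, iccid = line.split()
        events[ip].append((datetime.fromisoformat(ts), iccid))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Shrink the window until it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({iccid for _, iccid in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_enumerators(build_sample()).items():
        print(f"{ip}: {peak} distinct ICC-IDs within 5 minutes")
```

Detection of this kind only limits the damage; the underlying fix is for the site not to return account data on the strength of an identifier alone.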


According to authorities, they obtained the ICC-ID and email address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.


The two contacted the Gawker web site to report the hole, a practice often followed by security researchers to call public attention to security holes that affect the public, and provided the web site with harvested data as proof of the vulnerability. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security.


AT&T maintained that the two did not contact it directly about the vulnerability and that it learned about the problem only from a “business customer.”


Auernheimer later sent an e-mail to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data, authorities say.


“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” he wrote, according to prosecutors. “I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”


But prosecutors say his interest went beyond concern about the security of customer data.


According to the criminal complaint, a confidential informant helped federal authorities make their case against the two defendants by providing them with 150 pages of chat logs from an IRC channel where, prosecutors said, Spitler and Auernheimer admitted conducting the breach to tarnish AT&T’s reputation and promote themselves and Goatse Security.


Spitler: I just harvested 197 email addresses of iPad 3G subscribers there should be many more … weev: did you see my new project?


Auernheimer: no


Spitler: I’m stepping through iPad SIM ICCIDs to harvest email addresses if you use someones ICCID on the ipad service site it gives you their address


Auernheimer: loooool thats hilarious HILARIOUS oh man now this is big media news … is it scriptable? arent there SIM that spoof iccid?


Spitler: I wrote a script to generate valid iccids and it loads the site and pulls an email


Auernheimer: this could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails



Spitler: I hit fucking oil


Auernheimer: loooool nice


Spitler: If I can get a couple thousand out of this set where can we drop this for max lols?


Auernheimer: dunno i would collect as much data as possible the minute its dropped, itll be fixed BUT valleywag i have all the gawker media people on my facecrook friends after goin to a gawker party


At one point the two discussed the legal risks of what they were doing:


Spitler: sry dunno how legal this is or if they could sue for damages


Auernheimer: absolutely may be legal risk yeah, mostly civil you absolutely could get sued to fuck


At the same time, others on the IRC chat allegedly discussed the possibility of shorting AT&T’s stock.


Pynchon: hey, just an idea delay this outing for a couple days tommorrow short some at&t stock then out them on tuesday then fill your short and profit


Rucas: LOL


Auernheimer: well i will say this it would be against the law … for ME to short the att stock but if you want to do it go nuts


Spitler: I dont have any money to invest in ATT



Auernheimer: if you short ATT dont let me know about it


Spitler: IM TAKIN YOU ALL DOWN WITH ME SNITCH HIGH EVERYDAY


In the wake of news stories about the breach, they allegedly discussed their failure to report the vulnerability to a “full disclosure” mailing list, as well as the opportunity to push their Goatse Security business as a result of the breach:


Nstyr: you should’ve uploaded the list to full disclosure maybe you still can


Auernheimer: no no that is potentially criminal at this point we won


Nstyr: ah


Auernheimer: we dropepd the stock price


Auernheimer: lets not like do anything else we fucking win and i get to like spin us as a legitimate security organization


Spitler pleaded guilty to the charges last year.

