IPAD Hackers Face Criminal Charges


NEW YORK (CNNMoney) -- Federal prosecutors said Tuesday that they have filed charges against two people accused of hacking AT&T's website and harvesting the e-mail addresses of 120,000 iPad owners.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco were taken into custody Tuesday morning by the FBI. Both men were charged with an alleged conspiracy to hack AT&T's (TFortune 500) servers and for possession of personal information obtained from the servers.
Auernheimer was arrested in Fayetteville while appearing in Arkansas state court on unrelated drug charges. Spitler surrendered to FBI agents in Newark, N.J., where the case is being pursued.
The charges stemmed from an exploit that took place seven months ago. In June, about one month after the iPad 3G went on sale, AT&T announced that it had fixed a security hole that inadvertently exposed the e-mail addresses of thousands of iPad 3G owners.
The company's announcement came shortly after tech blog Valleywag posted an expose of the breach. In the Valleywag article, hacker group Goatse Security said it had exploited a vulnerability on AT&T's website to harvest the e-mail addresses iPad buyers provided to activate their devices.
The list of affected users was star-studded, including major political figures, military officials, media executives and top politicians. The e-mail addresses the hackers grabbed included those of of former White House chief of staff Rahm Emanuel, Hollywood producer Harvey Weinstein and New York City Mayor Michael Bloomberg.
The attack: The federal complaint, filed in U.S. District Court in New Jersey, cast the intrusion as a "brute force" attack on AT&T's servers perpetrated "for the express purpose of causing monetary and reputational damage to AT&T."
But what the accused hackers actually did is fairly low-tech and exploited a hole that AT&T left wide open.
Auernheimer and Spitler discovered that plugging an iPad ICC-ID -- a unique identification number for each device -- into a publicly available script on AT&T's website would return the e-mail address associated with the ID. They created a script that randomly guessed at ID numbers. When it hit a correct one, it would retrieve the associated e-mail address.
That approach netted them a list of more than 120,000 e-mail addresses.
"This hack was very simple, but major in its significance," said Hemanshu Nigam, founder of cybersecurity consulting firm SSP Blue.
Auernheimer and Spitler didn't try to profit from their hack. They say their goal was simply to draw attention to the vulnerability.
One day after the breach was came to light, Goatse posted a scathing entry on its blog accusing AT&T and Apple (AAPLFortune 500of not taking security seriously.
The iPad hack took "just over a single hour of labor total," they wrote.
More recently, they've expressed shock at the vehemence of the law enforcement crackdown against them.
"None of us made any money off of this disclosure. We did it in public interests," they wrote in a June blog post after the FBI began investigating.
What's next: Spitler appeared in court in New Jersey on Tuesday, where he was banned from using the Internet outside of work. Spitler is employed as a security guard at a Borders bookstore.
Spitler was required to surrender his passport, and he is permitted to travel only to California and New Jersey. He waived his right to a preliminary hearing, and he will appear in court again March 7.
Apple did not respond to calls for comment. An AT&T spokesman said in an written statement that the company "take[s] our customers' privacy very seriously and we cooperate with law enforcement whenever necessary to protect it."
--CNN's Stephanie Gallman contributed to this report. To top of page

No comments