November 21, 2012
Hacker Found Guilty Of Stealing AT&T iPad User Information
Michael Harper for redOrbit.com — Your Universe Online
One of the hackers responsible for breaking into AT&T´s stores of data and stealing the personal information of more than 100,000 iPad owners has been found guilty. According to Wired, the jury was able to reach their verdict quickly, finding Andrew Auernheimer, a 26-year old from Arkansas, guilty on one count of identity fraud and one count of conspiracy to access a computer without authorization.
Better known at the time as “Goatse Security,” Auernheimer and Daniel Spitter, a 26-year old from San Francisco, discovered a security hole in AT&T´s Web site 2 years ago which allowed them to access customer information.
Apple had just debuted their first generation iPad months before and, just as it was in the early days of iPhone, the iPad operated in America solely on AT&T. Those iPads with 3G connectivity used ICC-IDs, identifiers which AT&T used to authenticate the SIM for each iPad. These ICC-IDs are specific to each Pad. Auernheimer and Spitter had discovered that the AT&T Web site would release the account holder´s email address if they only supplied it with this ICC-ID. The two then created a tool to generate these IDs, called the “iPad 3G Account Slurper,” and set it to work, feeding the Web site with generated ICC-IDs and receiving, in turn, a confirmed ID and the email address associated with it.
Before too long, Auernheimer and Spitter had gathered the personal information of more than 100,000 early adopters, many of whom were government and military officials, as well as corporate CEOs and media personalities.
In order to call attention to this security hole, the 2 hackers went to Gawker to tell their story. AT&T quickly repaired the hole, saying they fixed it after hearing complaints from a “business customer,” rather than hear about it from Gawker.
During Auerenheimer´s trial, the prosecutors presented several chat sessions wherein Auernheimer and Spitter discuss (in rather poor English) how they would steal the data from AT&T, where they would leak this data, and what they hoped to achieve through it all.
“dunno i would collect as much data as possible the minute its dropped, itll be fixed BUT valleywag i have all the gawker media people on my facecrook friends after goin to a gawker party,” writes Auernheimer in the chat sessions.
The two also mention that these actions could be illegal and that the two could face being sued if they go forward with their plan. In the chat sessions, these 2 hackers also mention their satisfaction when the AT&T stock price fell, something they believe “Goatse Security” had a hand in.
After Auernheimer was found guilty on Tuesday, he sent out a Tweet saying he expected these results.
“Hey epals don´t worry! We went in knowing there would be a guilty here. I´m appealing of course,” wrote Auernheimer.
Tor Ekeland, Aurenheimer´s lawyer, also said they plan to appeal. Speaking to Bloomberg, Ekeland said, “This is a dangerously vague and broad interpretation of what constitutes unauthorized access under the computer fraud and abuse act.”
“It criminalizes normal behavior.”
Spitter has already pleaded guilty to these charges.