A jury found a hacker guilty of federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s website.
A jury found Andrew Auernheimer, 26, of Fayetteville, AR, guilty last Tuesday in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization.
The jury reached its verdict just hours after getting the case. Auernheimer tweeted to supporters he expected the verdict and planned to appeal.
Auernheimer and Daniel Spitler, 26, of San Francisco, CA, ended up charged last year after the two discovered a hole in AT&T’s website in 2010 that allowed anyone to obtain the email address and ICC-ID of iPad users. The ICC-ID is a unique identifier used to authenticate the SIM card in a customer’s iPad to AT&T’s network.
Spitler pleaded guilty to the charges last year.
Apple released the iPad in April 2010. AT&T provided Internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their email address. AT&T linked the user’s email address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user’s email address.
Auernheimer and Spitler discovered the site would leak email addresses to anyone who provided it with an ICC-ID. So the two wrote a script – which they dubbed the “iPad 3G Account Slurper” — to mimic the behavior of numerous iPads contacting the web site in order to harvest the email addresses of iPad users.
According to authorities, they obtained the ICC-ID and email address for about 120,000 iPad users.
The two contacted the Gawker website to report the hole, a practice often followed by security researchers to call public attention to security holes that affect the public, and provided the website with harvested data as proof of the vulnerability. Gawker reported at the time a group called Goatse Security found the vulnerability.
AT&T maintained the two did not contact it directly about the vulnerability and learned about the problem only from a “business customer.”
Auernheimer later sent an email to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data, authorities said.
“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” he wrote, according to prosecutors. “I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”
Prosecutors said his interest went beyond concern about the security of customer data.
According to the criminal complaint, a confidential informant helped federal authorities make their case against the two defendants by providing them with 150 pages of chat logs from an IRC channel where, prosecutors said, Spitler and Auernheimer admitted conducting the breach to tarnish AT&T’s reputation and promote themselves and Goatse Security.