Two Charged in AT&T Hack of iPad Customer Data

Two suspects have been charged with federal crimes for allegedly hacking AT&T’s website last year to obtain the personal data of more than 100,000 iPad owners.

Daniel Spitler, 26, of San Francisco, California, was charged in New Jersey on Tuesday with one count of identity fraud and one count of conspiracy to access a computer without authorization. Andrew Auernheimer, 25, of Fayetteville, Arkansas, was charged in Arkansas for the same crimes.

Last summer the two allegedly contacted Gawker to report that a hole in AT&T’s website allowed anyone to access data on iPad owners, including government and military officials, corporate CEOs and media executives who purchased iPads.

The personal data included e-mail addresses and ICC-IDs – a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.

The leak snagged the details of dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota.

White House Chief of Staff Rahm Emanuel also appeared to be among the victims, Gawker reported, as were dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.

The iPad was released by Apple in January 2010. AT&T provided internet access for some iPad owners through its 3G wireless network. Customers had to provide AT&T with personal data when they opened their accounts, including their e-mail address, billing address and password.

Gawker reported at the time that the website vulnerability, which AT&T fixed, was discovered by a group calling itself Goatse Security, which authorities say included Spitler and Auernheimer.

The two allegedly wrote a script to harvest the data from AT&T’s website and apparently shared their script with others before AT&T patched the vulnerability.

AT&T maintained that the two did not contact it about the vulnerability, which legitimate security researchers often do prior to publicly disclosing a vulnerability. Instead, AT&T learned of the problem from a “business customer.”

According to the complaint filed by the Justice Department (.pdf) against the two suspects, the script they allegedly wrote spoofed the behavior of an iPad to AT&T’s server to harvest data on about 120,000 customers:

a. The Account Slurper was designed to mimic the behavior of an iPad 30 so that AT&T’s servers were fooled into believing that they were communicating with an actual iPad 30 and wrongly granted the Account Slurper access to AT&T’s servers.

b. Once deployed, the Account Slurper utilized a process known as a “brute force” attack — an iterative process used to obtain information from a computer system — against AT&T’s servers. Specifically, the Account Slurper randomly guessed at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-IDle-mail pairing for a specific, identifiable iPad 30 user.

After disclosing the hack to Gawker, the two did little to hide their identity. Auernheimer, who goes by the handle “Weev,” bragged about the attention the breach was getting on his blog, authorities say.

Oh hey, my security consulting group just found a privacy breach at AT&T[. ] . . . [T]his story has been broken for 15 minutes, twitter is blowing the fuck up, we are on the forntpage of google news and we are on drudge report (the big headline)[.]

Last November, he also allegedly sent an e-mail to the U.S. attorney’s office in New Jersey, discussing the data breach. “AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” Auernheimer allegedly wrote. ”I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”

The opinionated hacker also gave an interview to The New York Times on August 3, 2008 in which he stated: “I hack, I ruin, I make piles of money. I make people afraid for their lives. Trolling is basically internet eugenics. I want everyone off the internet. Bloggers are filth. They need to be destroyed. Blogging gives the illusion of participation to a bunch of retards…. We need to put these people in the oven!”

According to the criminal complaint, a confidential informant helped federal authorities make their case against the two defendants by providing them with 150 pages of chat logs from an IRC channel where Spitler and Auernheimer allegedly admitted conducting the breach to tarnish AT&T’s reputation and promote themselves and Goatse Security.

Spitler: I just harvested 197 email addresses of iPad 3G subscribers there should be many more … weev: did you see my new project?

Auernheimer: no

Spitler: I’m stepping through iPad SIM ICCIDs to harvest email addresses if you use someones ICCID on the ipad service site it gives you their address

Auernheimer: loooool thats hilarious HILARIOUS oh man now this is big media news … is it scriptable? arent there SIM that spoof iccid?

Spitler: I wrote a script to generate valid iccids and it loads the site and pulls an email

Auernheimer: this could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails

Spitler: I hit fucking oil

Auernheimer: loooool nice

Spitler: If I can get a couple thousand out of this set where can we drop this for max lols?

Auernheimer: dunno i would collect as much data as possible the minute its dropped, itll be fixed BUT valleywag i have all the gawker media people on my facecrook friends after goin to a gawker party

At one point the two discussed the legal risks of what they were allegedly doing:

Spitler: sry dunno how legal this is or if they could sue for damages

Auernheimer: absolutely may be legal risk yeah, mostly civil you absolutely could get sued to fuck

At the same time, others on the IRC chat allegedly discussed the possibility of shorting AT&T’s stock.

Pynchon: hey, just an idea delay this outing for a couple days tommorrow short some at&t stock then out them on tuesday then fill your short and profit

Rucas: LOL

Auernheimer: well i will say this it would be against the law … for ME to short the att stock but if you want to do it go nuts

Spitler: I dont have any money to invest in ATT

Auernheimer: if you short ATT dont let me know about it

Spitler: IM TAKIN YOU ALL DOWN WITH ME SNITCH HIGH EVERYDAY

In the wake of news stories about the breach, they allegedly discussed their failure to report the vulnerability to a “full disclosure” mailing list, as well as the opportunity to push their Goetse Security business as a result of the breach:

Nstyr: you should’ve uploaded the list to full disclosure maybe you still can

Auernheimer: no no that is potentially criminal at this point we won

Nstyr: ah

Auernheimer: we dropepd the stock price

Auernheimer: lets not like do anything else we fucking win and i get to like spin us as a legitimate security organization

Photo: Jim Merithew/Wired.com

See also: