iPad, AT&T server hacker convicted

iPad, AT&T server hacker convicted

 

Andrew Auernheimer

One of two apparently celebrity-seeking hackers disdainful of government and corporate America now faces 10 years in jail for illegally accessing AT&T servers and stealing information from 120,000 customers on the company's network, including Diane Sawyer, Harvey Weinstein, New York Mayor Michael Bloomberg, and then-White House chief of staff Rahm Emanuel.

On Nov. 20, a federal jury in New Jersey convicted Andrew Auernheimer, 27, of New York, the head of a self-described “security research” hacking group of breaching AT&T’s servers, stealing e-mail addresses and other personal information belonging to Apple iPad users, and disclosing that information to a reporter at Gawker magazine.

Auernheimer was convicted of conspiracy to access AT&T’s servers without authorization and identity theft, said the FBI in a Nov. 20 statement. Each count carries a five year prison sentence, it said.

Auernheimer’s co-conspirator, Daniel Spitler, 27, of San Francisco, CA, previously pleaded guilty to the same charges and is awaiting sentencing, it said.

The two men were charged in January, 2011 illegally accessing AT&T servers and stealing information from the telecommunication carrier’s servers.

According to court documents, AT&T provides iPad tablet users with Internet connectivity via AT&T’s 3G wireless network. During the registration process for subscribing to the network, a user is required to provide an e-mail address, billing address, and password, said the FBI.

Before June 2010, AT&T automatically linked an iPad 3G user’s e-mail address to the Integrated Circuit Card Identifier (ICC-ID), a number unique to the user’s iPad, when he or she registered. Every time a user accessed the AT&T website, the ICC-ID was recognized and the e-mail address was automatically populated for faster, user-friendly access to the site. AT&T kept the ICC-IDs and associated e-mail addresses confidential.

At that time, said court documents, when an iPad 3G communicated with AT&T’s website, its ICC-ID was automatically displayed in the Universal Resource Locator, or URL, of the AT&T website in plain text. Seeing this, and discovering that each ICC-ID was connected to an iPad 3G user e-mail address, hackers wrote a script termed the “iPad 3G Account Slurper” and deployed it against AT&T’s servers.

According to court documents, the Account Slurper attacked AT&T’s servers for several days in early June 2010 trying to harvest as many ICC-ID/e-mail address pairings as possible. It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be deceived into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a “brute force” against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user.

From June 5, 2010 through June 9, 2010, said court documents, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers.

Court documents and trial evidence said immediately following the theft, the hacker-authors of the Account Slurper provided the stolen e-mail addresses and ICC-IDs to the website Gawker, which published the stolen information in redacted form, along with an article concerning the breach, said court records and documents. The article indicated that the breach “exposed the most exclusive e-mail list on the planet” and named a number of famous individuals whose e-mails had been compromised, including Diane Sawyer, Harvey Weinstein, New York Mayor Michael Bloomberg, and then-White House Chief of Staff Rahm Emanuel. The article also stated that iPad users could be vulnerable to spam marketing and malicious hacking. A group calling itself “Goatse Security” was identified as obtaining the subscriber data, said court records.

Goatse Security is a so-called “security research” group, composed of Internet hackers, to which both Spitler and Auernheimer belonged, said court records.

During the data breach, Spitler and Auernheimer communicated with one another using Internet Relay Chat, an Internet instant messaging program, said court records. Prosecutors said those chats not only demonstrated the men were responsible for the data breach, but also that they conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security. As the data breach continued, so too did the discussions between Spitler, Auernheimer, and other Goatse Security members about the best way to take advantage of the breach and associated theft, said court records.