IPad hackers face criminal charges

Goatse Security said its iPad hack, which harvested 120,000 e-mail addresses, took "just over a single hour of labor total"

By Julianne Pepitone, staff reporter

NEW YORK (CNNMoney) -- Federal prosecutors said Tuesday that they have filed charges against two people accused of hacking AT&T's website and harvesting the e-mail addresses of 120,000 iPad owners.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco were taken into custody Tuesday morning by the FBI. Both men were charged with an alleged conspiracy to hack AT&T's (T, Fortune 500) servers and for possession of personal information obtained from the servers.

Auernheimer was arrested in Fayetteville while appearing in Arkansas state court on unrelated drug charges. Spitler surrendered to FBI agents in Newark, N.J., where the case is being pursued.

The charges stemmed from an exploit that took place seven months ago. In June, about one month after the iPad 3G went on sale, AT&T announced that it had fixed a security hole that inadvertently exposed the e-mail addresses of thousands of iPad 3G owners.

The company's announcement came shortly after tech blog Valleywag posted an expose of the breach. In the Valleywag article, hacker group Goatse Security said it had exploited a vulnerability on AT&T's website to harvest the e-mail addresses iPad buyers provided to activate their devices.

The list of affected users was star-studded, including major political figures, military officials, media executives and top politicians. The e-mail addresses the hackers grabbed included those of former White House chief of staff Rahm Emanuel, Hollywood producer Harvey Weinstein and New York City Mayor Michael Bloomberg.

The attack: The federal complaint, filed in U.S. District Court in New Jersey, cast the intrusion as a "brute force" attack on AT&T's servers perpetrated "for the express purpose of causing monetary and reputational damage to AT&T."

But what the accused hackers actually did is fairly low-tech and exploited a hole that AT&T left wide open.

Auernheimer and Spitler discovered that plugging an iPad ICC-ID -- a unique identification number for each device -- into a publicly available script on AT&T's website would return the e-mail address associated with the ID. They created a script that randomly guessed at ID numbers. When it hit a correct one, it would retrieve the associated e-mail address.

That approach netted them a list of more than 120,000 e-mail addresses.
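From the defender's side, the guessing pattern described above is visible in web server logs: one client asks about many distinct ICC-IDs and most lookups miss. The sketch below is an added example, not code from AT&T, the complaint or the original article; the `/lookup` path, the `iccid` parameter, the thresholds and every log line are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical endpoint: GET /lookup?iccid=<digits> returns 200 with an
# e-mail address for a known ICC-ID and 404 otherwise (an assumption).
LOG_RE = re.compile(r'^(\S+) .*"GET /lookup\?iccid=(\d+) HTTP/[\d.]+" (\d{3}) ')

def _line(ip, iccid, status):
    # Constructed access-log line in common log format.
    return (f'{ip} - - [01/Jan/2000:00:00:00 +0000] '
            f'"GET /lookup?iccid={iccid} HTTP/1.1" {status} 64')

def build_sample_log():
    """Constructed sample: one guessing client and two ordinary ones."""
    lines = []
    for i in range(200):
        status = 200 if i % 70 == 0 else 404       # 3 hits out of 200 guesses
        lines.append(_line("198.51.100.7", f"{i * 7919:019d}", status))
    lines += [_line("203.0.113.20", "0000000000000000042", 200)] * 3
    lines.append(_line("203.0.113.21", "0000000000000000043", 404))
    lines.append(_line("203.0.113.21", "0000000000000000044", 200))
    return lines

def find_enumerators(lines, min_distinct=50, max_hit_ratio=0.2):
    """Flag clients that query many distinct ICC-IDs with mostly misses."""
    ids = defaultdict(set)
    hits = defaultdict(int)
    total = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # not a lookup request
        ip, iccid, status = m.groups()
        ids[ip].add(iccid)
        total[ip] += 1
        if status == "200":
            hits[ip] += 1
    flagged = {}
    for ip, seen in ids.items():
        if len(seen) >= min_distinct and hits[ip] / total[ip] <= max_hit_ratio:
            flagged[ip] = {"distinct_ids": len(seen), "hits": hits[ip],
                           "requests": total[ip]}
    return flagged

if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

Detection of this kind complements, and does not replace, requiring the caller to authenticate before a lookup returns an address.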

"This hack was very simple, but major in its significance," said Hemanshu Nigam, founder of cybersecurity consulting firm SSP Blue.

Auernheimer and Spitler didn't try to profit from their hack. They say their goal was simply to draw attention to the vulnerability.

A rep for Goatse Security, a loose hacker collective Auernheimer and Spitler participated in, said in an e-mail that the charges would not make the group reconsider any future actions.

"Goatse Security will continue to release its research in an ethical manner," the rep wrote. "[We] still holds the position that no criminal act was committed. Spitler and Auernheimer acted entirely within the law, and entirely for the interests of public security."

One day after the breach came to light, Goatse posted a scathing entry on its blog accusing AT&T and Apple (AAPL, Fortune 500) of not taking security seriously.

The iPad hack took "just over a single hour of labor total," they wrote.

More recently, they've expressed shock at the vehemence of the law enforcement crackdown against them.

"None of us made any money off of this disclosure. We did it in public interests," they wrote in a June blog post after the FBI began investigating.

What's next: Spitler appeared in court in New Jersey on Tuesday, where he was banned from using the Internet outside of work. Spitler is employed as a security guard at a Borders bookstore.

Spitler was required to surrender his passport, and he is permitted to travel only to California and New Jersey. He waived his right to a preliminary hearing, and he will appear in court again March 7.

Apple said it had no comment. An AT&T spokesman said in a written statement that the company "take[s] our customers' privacy very seriously and we cooperate with law enforcement whenever necessary to protect it."

--CNN's Stephanie Gallman contributed to this report.
