iPad hackers face criminal charges

Goatse Security said its iPad hack, which harvested 120,000 e-mail addresses, took "just over a single hour of labor total."

By Julianne Pepitone, staff reporter


NEW YORK (CNNMoney) -- Federal prosecutors said Tuesday that they have filed charges against two people accused of hacking AT&T's website and harvesting the e-mail addresses of 120,000 iPad owners.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco were taken into custody Tuesday morning by the FBI. Both men were charged with an alleged conspiracy to hack AT&T's (T, Fortune 500) servers and for possession of personal information obtained from the servers.

Auernheimer was arrested in Fayetteville while appearing in Arkansas state court on unrelated drug charges. Spitler surrendered to FBI agents in Newark, N.J., where the case is being pursued.

The charges stemmed from an exploit that took place seven months ago. In June, about one month after the iPad 3G went on sale, AT&T announced that it had fixed a security hole that inadvertently exposed the e-mail addresses of thousands of iPad 3G owners.

The company's announcement came shortly after tech blog Valleywag posted an exposé of the breach. In the Valleywag article, hacker group Goatse Security said it had exploited a vulnerability on AT&T's website to harvest the e-mail addresses iPad buyers provided to activate their devices.

The list of affected users was star-studded, including major political figures, military officials and media executives. The e-mail addresses the hackers grabbed included those of former White House chief of staff Rahm Emanuel, Hollywood producer Harvey Weinstein and New York City Mayor Michael Bloomberg.

The attack: The federal complaint, filed in U.S. District Court in New Jersey, cast the intrusion as a "brute force" attack on AT&T's servers perpetrated "for the express purpose of causing monetary and reputational damage to AT&T."

But what the accused hackers actually did is fairly low-tech and exploited a hole that AT&T left wide open.

Auernheimer and Spitler discovered that plugging an iPad ICC-ID -- a unique identification number for each device -- into a publicly available script on AT&T's website would return the e-mail address associated with the ID. They created a script that randomly guessed at ID numbers. When it hit a correct one, it would retrieve the associated e-mail address.

That approach netted them a list of more than 120,000 e-mail addresses.
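The weakness described above is an unauthenticated lookup that answers any guessed identifier, so the only signal a defender gets is the volume and miss rate of the guesses. The following is an added example, not code from the article, from AT&T or from Goatse Security: it reads web-server access logs in Common Log Format and flags any client that queried an unusually large number of distinct ICC-IDs within a short window. The endpoint path `/lookup`, the `iccid` query parameter, the client addresses and the log lines are all constructed for illustration; the thresholds are assumptions to tune per site.

```python
"""Flag identifier-enumeration bursts against a lookup endpoint in access logs.

Added example: the '/lookup' path, the 'iccid' parameter, the IP addresses
and every log line below are constructed, not taken from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Common Log Format: ip ident user [timestamp] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \d+$'
)


def parse_line(line):
    """Return a dict with ip, timestamp, path, iccid and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(m["url"])
    iccid = parse_qs(url.query).get("iccid", [None])[0]
    return {"ip": m["ip"], "ts": ts, "path": url.path,
            "iccid": iccid, "status": int(m["status"])}


def find_enumerators(lines, path="/lookup", window=timedelta(seconds=60), min_distinct=20):
    """Return {ip: {"distinct": n, "misses": m}} for clients that queried at least
    `min_distinct` different ICC-IDs on `path` inside any `window`-long span.

    For a flagged client the numbers come from its busiest window. A high miss
    count (HTTP 404) alongside many distinct IDs is the signature of guessing.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path and rec["iccid"]:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it fits within `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            distinct = {r["iccid"] for r in win}
            if len(distinct) >= min_distinct and len(distinct) > flagged.get(ip, {}).get("distinct", 0):
                misses = sum(1 for r in win if r["status"] == 404)
                flagged[ip] = {"distinct": len(distinct), "misses": misses}
    return flagged


def _line(ip, second, iccid, status):
    """Build one constructed log line at 10:00:<second> UTC on a fixed day."""
    ts = datetime(2010, 6, 9, 10, 0, second, tzinfo=timezone.utc)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET /lookup?iccid={iccid} HTTP/1.1" {status} 0'


# Constructed sample: one client tries 30 sequential IDs in 30 seconds (most miss),
# another client performs a single, ordinary lookup.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, f"890141042100000{s:04d}", 200 if s % 5 == 0 else 404)
     for s in range(30)]
    + [_line("198.51.100.4", 12, "8901410421000001234", 200)]
)

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct']} distinct ICC-IDs, {stats['misses']} misses")
```

Monitoring like this only shortens the time to notice; the structural fix is not to serve account data to an unauthenticated request keyed on a guessable identifier in the first place.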

"This hack was very simple, but major in its significance," said Hemanshu Nigam, founder of cybersecurity consulting firm SSP Blue.

Auernheimer and Spitler didn't try to profit from their hack. They say their goal was simply to draw attention to the vulnerability.

A rep for Goatse Security, a loose hacker collective Auernheimer and Spitler participated in, said in an e-mail that the charges would not make the group reconsider any future actions.

"Goatse Security will continue to release its research in an ethical manner," the rep wrote. "[We] still holds the position that no criminal act was committed. Spitler and Auernheimer acted entirely within the law, and entirely for the interests of public security."

One day after the breach came to light, Goatse posted a scathing entry on its blog accusing AT&T and Apple (AAPL, Fortune 500) of not taking security seriously.

The iPad hack took "just over a single hour of labor total," they wrote.

More recently, they've expressed shock at the vehemence of the law enforcement crackdown against them.

"None of us made any money off of this disclosure. We did it in public interests," they wrote in a June blog post after the FBI began investigating.

What's next: Spitler appeared in court in New Jersey on Tuesday, where he was banned from using the Internet outside of work. Spitler is employed as a security guard at a Borders bookstore.

Spitler was required to surrender his passport, and he is permitted to travel only to California and New Jersey. He waived his right to a preliminary hearing, and he will appear in court again March 7.

Apple said it had no comment. An AT&T spokesman said in a written statement that the company "take[s] our customers' privacy very seriously and we cooperate with law enforcement whenever necessary to protect it."

--CNN's Stephanie Gallman contributed to this report.
