IPad hackers face criminal charges

apple_ipad_hack.gi.top.jpgGoatse Security said its iPad hack, which harvested 120,000 e-mail addresses, took "just over a single hour of labor total" By Julianne Pepitone, staff reporter


NEW YORK (CNNMoney) -- Federal prosecutors said Tuesday that they have filed charges against two people accused of hacking AT&T's website and harvesting the e-mail addresses of 120,000 iPad owners.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco were taken into custody Tuesday morning by the FBI. Both men were charged with an alleged conspiracy to hack AT&T's (T, Fortune 500) servers and for possession of personal information obtained from the servers.

Auernheimer was arrested in Fayetteville while appearing in Arkansas state court on unrelated drug charges. Spitler surrendered to FBI agents in Newark, N.J., where the case is being pursued.

The charges stemmed from an exploit that took place seven months ago. In June, about one month after the iPad 3G went on sale, AT&T announced that it had fixed a security hole that inadvertently exposed the e-mail addresses of thousands of iPad 3G owners.

The company's announcement came shortly after tech blog Valleywag posted an expose of the breach. In the Valleywag article, hacker group Goatse Security said it had exploited a vulnerability on AT&T's website to harvest the e-mail addresses iPad buyers provided to activate their devices.

The list of affected users was star-studded, including major political figures, military officials, media executives and top politicians. The e-mail addresses the hackers grabbed included those of of former White House chief of staff Rahm Emanuel, Hollywood producer Harvey Weinstein and New York City Mayor Michael Bloomberg.

The attack: The federal complaint, filed in U.S. District Court in New Jersey, cast the intrusion as a "brute force" attack on AT&T's servers perpetrated "for the express purpose of causing monetary and reputational damage to AT&T."

But what the accused hackers actually did is fairly low-tech and exploited a hole that AT&T left wide open.

Auernheimer and Spitler discovered that plugging an iPad ICC-ID -- a unique identification number for each device -- into a publicly available script on AT&T's website would return the e-mail address associated with the ID. They created a script that randomly guessed at ID numbers. When it hit a correct one, it would retrieve the associated e-mail address.

That approach netted them a list of more than 120,000 e-mail addresses.

"This hack was very simple, but major in its significance," said Hemanshu Nigam, founder of cybersecurity consulting firm SSP Blue.

Auernheimer and Spitler didn't try to profit from their hack. They say their goal was simply to draw attention to the vulnerability.

A rep for Goatse Security, a loose hacker collective Auernheimer and Spitler participated in, said in an e-mail that the charges would not make the group reconsider any future actions.

"Goatse Security will continue to release its research in an ethical manner," the rep wrote. "[We] still holds the position that no criminal act was committed. Spitler and Auernheimer acted entirely within the law, and entirely for the interests of public security."

One day after the breach was came to light, Goatse posted a scathing entry on its blog accusing AT&T and Apple (AAPL, Fortune 500) of not taking security seriously.

The iPad hack took "just over a single hour of labor total," they wrote.

More recently, they've expressed shock at the vehemence of the law enforcement crackdown against them.

"None of us made any money off of this disclosure. We did it in public interests," they wrote in a June blog post after the FBI began investigating.

What's next: Spitler appeared in court in New Jersey on Tuesday, where he was banned from using the Internet outside of work. Spitler is employed as a security guard at a Borders bookstore.

Spitler was required to surrender his passport, and he is permitted to travel only to California and New Jersey. He waived his right to a preliminary hearing, and he will appear in court again March 7.

Apple said it had no comment. An AT&T spokesman said in an written statement that the company "take[s] our customers' privacy very seriously and we cooperate with law enforcement whenever necessary to protect it."

--CNN's Stephanie Gallman contributed to this report. To top of page

Just the hot list include
Frontline troops push for solar energy
The U.S. Marines are testing renewable energy technologies like solar to reduce costs and casualties associated with fossil fuels. Play
25 Best Places to find rich singles
Looking for Mr. or Ms. Moneybags? Hunt down the perfect mate in these wealthy cities, which are brimming with unattached professionals. More
Fun festivals: Twins to mustard to pirates!
You'll see double in Twinsburg, Ohio, and Ketchup lovers should beware in Middleton, WI. Here's some of the best and strangest town festivals. Play
Index Last Change % Change
Dow 32,627.97 -234.33 -0.71%
Nasdaq 13,215.24 99.07 0.76%
S&P 500 3,913.10 -2.36 -0.06%
Treasuries 1.73 0.00 0.12%
Data as of 6:29am ET
Company Price Change % Change
Ford Motor Co 8.29 0.05 0.61%
Advanced Micro Devic... 54.59 0.70 1.30%
Cisco Systems Inc 47.49 -2.44 -4.89%
General Electric Co 13.00 -0.16 -1.22%
Kraft Heinz Co 27.84 -2.20 -7.32%
Data as of 2:44pm ET
Sponsors

Sections

Bankrupt toy retailer tells bankruptcy court it is looking at possibly reviving the Toys 'R' Us and Babies 'R' Us brands. More

Land O'Lakes CEO Beth Ford charts her career path, from her first job to becoming the first openly gay CEO at a Fortune 500 company in an interview with CNN's Boss Files. More

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.