AT&T hacker to submit plea for lesser sentencing

A week before his official sentencing, a hacker charged with helping to publicize a critical vulnerability on AT&T's website will submit a plea asking for a lighter penalty.

In November, Andrew Auernheimer, 26, also known by the online alias “Weev,” was found guilty of identity fraud and conspiracy to violate the Computer Fraud and Abuse Act (CFAA).

A memo, which was filed in court Wednesday, will be presented by Auernheimer's legal team to the judge prior to the sentencing. The document states that his punishment should be months of probation rather than years in prison.

“A sentence of probation in this matter would be adequate to reflect the seriousness of the offense, to afford adequate deterrence, and to protect the public from further crimes,” the memo read.

In early 2011, Auernheimer was charged, along with co-conspirator Daniel Spitler, with discovering and exploiting a flaw that allowed them to obtain data on roughly 120,000 Apple iPad users. Spitler pleaded guilty to charges in June 2011. The duo are part of the gray-hat hacker outfit, Goatse Security.

The memo also addresses an internal email from AT&T investigators which states that Auernheimer did not bypass security measures put in place by AT&T, evidence that may be damning to the prosecution's case.

“I do not believe there is a case here,” said the email. “No security was circumvented. A poorly crafted/designed feature was available and exploited.”

While prosecutors said the duo accessed email addresses, unique SIM card codes and integrated circuit identifiers (ICC-IDs), Auernheimer argues that no “sophisticated means” or “special skills” were used to obtain the data.

AT&T complained of financial loss due to the incident, but the plea dismisses it as “not the type of loss which may be attributed to the defendant.”

In addition, a Presentence Investigation Report for the case said that the $73,167 “loss” was based on costs associated with direct mailing to AT&T iPad subscribers affected by the data breach.

“The evidence at trial established…that there was no damage to AT&T's computer servers, and no attempt was ever made by either Daniel Spitler or Andrew Auernheimer to alter or damage AT&T's servers,” the report said.

The case has received criticism from many in the tech community who question the rights of individuals who share security vulnerabilities with the public.

In an email to SCMagazine.com on Thursday, Marcia Hofmann, senior staff attorney at the Electronic Frontier Foundation, said she believes that the initial ruling was incorrect and will ultimately be rectified through an appeal.

"We think the trial court got it wrong, and we look forward to seeing this fixed on appeal," Hofmann said.

Auernheimer is set for sentencing on March 18 in a Newark, N.J. court.
