Updated Wednesday, Jan. 19, 2011 at 9:57 a.m. EST
Federal prosecutors in New Jersey have charged two men they believe stole the personal information of 120,000 iPad users from AT&T's network in June.
Andrew Auernheimer, 25, of Fayetteville, Ark. and Daniel Spitler, 26, of San Francisco, were arrested and each charged with one count of conspiracy to access a computer without authorization and one count of fraud, according to a criminal complaint, filed on Thursday in U.S. District Court in New Jersey.
Auernheimer was arrested in Arkansas while appearing in state court on unrelated drug charges, and Spitler surrendered to FBI agents in New Jersey.
The hackers discovered and exploited a flaw on the AT&T site to obtain iPad users' email addresses and integrated circuit card identifiers (ICC-IDs), unique SIM card codes that are meant to identify subscribers and their devices.
Prior to the flaw being fixed in June, when an iPad 3G device communicated with AT&T's website, its ICC-ID was automatically displayed in the URL in plain text, according to the complaint. Knowing that each ICC-ID was connected to an iPad 3G user's email address, the hackers wrote a script called “iPad 3G slurper” that was designed to gain unauthorized access to AT&T's servers and automate the harvesting of data.
The script mimicked the behavior of an iPad 3G so that AT&T's servers were tricked into believing that they were communicating with a legitimate device, the complaint states. Once deployed, the script used brute force techniques to randomly guess ICC-IDs. A correct guess was rewarded with an ICC-ID/email pairing for a specific and identifiable iPad user,
From June 5 to 9, the hackers stole approximately 120,000 ICC-ID/email pairings for iPad 3G customers.
Some of the email addresses belonged to well-known early adopters, including New York Mayor Michael Bloomberg and then-White House Chief of Staff Rahm Emanuel.
The hackers were members of an internet hacker group called Goatse Security, which in late June claimed responsibility for the attack.
On June 9, Auernheimer and Spitler provided the stolen information to news and gossip blog Gawker, which published the data along with an article about the breach.
"AT&T needs to be held accountable for their insecure infrastructure as a public utility, and we must defend the rights of consumers, over the rights of shareholders,” Auernheimer wrote in a Nov. 17 email to officials in New Jersey, according to the complaint. “I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure."
In a statement sent to SCMagazineUS.com on Tuesday, an AT&T spokesman said the company takes the privacy of its customers very seriously.
“We cooperate with law enforcement whenever necessary to protect it,” the spokesman said.
Auernheimer and Spitler allegedly communicated during the scheme via internet relay chat (IRC), an instant messaging program.
Federal investigators obtained chat logs of conversations between the two hackers and other members of Goatse Security, allegedly pinning them to the intrusion.
During one chat on June 5, Spitler discussed with two other individuals, using the aliases “Nstyr” and “Phynchon," the benefits of harvesting ICC-ID/email pairings, noting that they could be sold to spammers “for thousands” or be used to “tarnish AT&T,” according to the complaint.
Later the same day, Spitler reported to Auernheimer that he harvested 197 email addresses and wrote a script to automate the process.
“This could be like, a future massive phishing operation,” Auernheimer said.
Auernheimer later encouraged Spitler to amass more ICC-ID/email pairings, and he offered to provide the stolen data to members of the press.
U.S. Attorney Paul Fishman said in a statement said that other researchers should think twice before using their technical skills for illegal purposes.
“Hacking is not a competitive sport, and security breaches are not a game,” U.S. Attorney Paul Fishman said in a statement. “Those who use technological expertise for malicious purposes take note: Your activities in cyberspace can have serious consequences for you in the real world."
In a statement sent to SCMagazineUS.com late Tuesday, Goatse Security said it still holds the position that no criminal act was committed.
“Spitler and Auernheimer acted entirely within the law, and entirely for the interests of public security,” the group said. “The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering of the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously).”