Breach, Data Security

Second person guilty in AT&T iPad prank hack

A hacker who helped publicize a vulnerability on AT&T's website, which affected more than 100,000 iPad 3G owners, has been convicted in federal court.

Andrew Auernheimer was found guilty last week of two charges: identity fraud and conspiracy to violate the Computer Fraud and Abuse Act (CFAA). But the ruling has caused many in the tech community to question the rights of individuals who share security flaws with the public.

Also known by his online alias, “weev,” Auernheimer, 26, was charged in early 2011 with discovering and exploiting a flaw on AT&T's site. It allowed him and co-conspirator Daniel Spitler, 26, to obtain data on roughly 120,000 Apple iPad users, including politicians and celebrities.

In June 2010, prosecutors said the duo, part of the gray-hat hacker outfit Goatse Security, accessed email addresses, unique SIM card codes and integrated circuit identifiers (ICC-IDs). AT&T fixed the security hole that same month, around the time Gawker, a news and gossip blog, published an article about the breach after being tipped off by Auernheimer and Spitler.

While Spitler pleaded guilty to charges in June 2011 and subsequently released on bail, Auernheimer was found guilty last Tuesday by a jury who heard his case in a Newark, N.J. federal court. He now faces up to 10 years in prison and is scheduled to be sentenced in 90 days. According to reports, he will appeal the ruling.

The flaw on AT&T's site allowed Spitler and Auernheimer to spoof iPad 3G communication and display email addresses linked to users' ICC-IDs. Both men were charged with writing a script, called “iPad 3G account slurper,” which permitted them "unauthorized access to [AT&T's] servers, and ultimately stole...approximately 120,000 ICC-ID/email address pairings for iPad 3G customers,” according to court documents. ICC-IDs are unique SIM card codes that are meant to identify subscribers and their devices.

Auernheimer, who is currently out on bail and intends to appeal the ruling, told independent journalist Tim Pool in a video interview published Monday that he was prosecuted under an antiquated law.

“At any time, if a company, as they did in my case, publishes something on the open internet, but later declares your access to it unauthorized because they think that you used it in a way that they didn't like – to make fun of them, to issue comment and criticism – then you can be thrown in prison like me or sued,” Auernheimer said.

David Navetta, an attorney who founded Manhattan Beach, Calif.-based Information Law Group, which specializes in privacy and data security legal matters, told on Monday that he is not surprised the men were charged.

“In terms of publishing information through second- or third-hand sources, [this] could obviously lead to someone questioning how you got that information, especially if the information causes the company to incur damages through sensitive information being exposed,” Navetta said. “When companies are hurt that way, they seek recourse.” reached out to AT&T regarding the outcome of the case, but the company did not immediately respond.

UPDATE: A Goatse spokesman emailed Monday evening, calling the ruling "disturbing." 

"This sets a disturbing precedent for security researchers everywhere," said the comment. "Now a precedent has been set where even responsible disclosure of security flaws will be treated as harshly as black-hat hacking. This does not bode well for the future of electronic security."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.