Security researchers file appeal for Weev following AT&T/iPad “hack”

A group of well-known security researchers on Monday asked an appeals court to overturn the sentence of a hacker who was jailed in March for taking advantage of an AT&T website flaw to expose iPad users' data.

Thirteen erudite security professionals, including Dan Kaminsky, Peiter "Mudge" Zatko and professor Gabriella Coleman, filed an amicus brief with the 3rd U.S. Circuit Court of Appeals in New Jersey, requesting that the conviction and 41-month sentence of Andrew "Weev" Auernheimer be tossed because he was found guilty for something that legitimate researchers regularly do as part of their profession: analyze the security of publicly available websites and applications.

It's the second time in a week that an amicus brief has been filed calling for the release of Auernheimer. Earlier, a team of high-profile computer crime defense attorneys authored an appeal.

The information security research community has largely rallied around the 27-year-old since his arrest, not necessarily because they agree with his decision to expose users' email addresses and their unique iPad ID numbers – Auernheimer, a self-described internet troll, has written that he wanted to embarrass a large corporation like AT&T for its shoddy security – but because he was imprisoned based on a legal interpretation that they regularly violate.

Prosecutors allege he unlawfully accessed AT&T's servers, but his defenders disagree. They say he never used any hacking techniques to receive the data.

"The data Mr. Auernheimer helped to access was intentionally made available by AT&T to the entire internet, and access occurred through standard protocols that are used by every web user," the brief said. "Since any determination that the data was somehow non-public was made by a private corporation in secret, with no external signal or possibility of notice whatsoever, such a determination amounts to a private law of which no reasonable internet user could have notice. On this basis alone, Mr. Auernheimer's conviction must be overturned."

The researchers also contended that Auernheimer's actions should be excused because they were committed for the public good, likening it to someone telling the health department that they had seen a rat at a restaurant.

"In the situation at hand, AT&T was improperly safeguarding the personal information of hundreds of thousands of consumers," they wrote. "When Mr. Auernheimer discovered this fact, he publicized it, in precisely the same way that Consumers Union, publisher of Consumer Reports, does with each consumer-safety violation that it uncovers: he made it available to the press."

Law student Brendan O'Connor, founder of security consultancy Malice Afterthought and the chief drafter of the brief, posted Friday that he is aware of researchers who have scrapped their work since Auernheimer's conviction out of fear that they too would face charges.

He added that although Auernheimer is a polarizing figure whom many people don't like, one doesn't have to agree with him to support him.

"We don't have to like someone to agree that they need their rights protected – because if we don't defend them, we will all lose our rights," O'Connor wrote. "That's the way criminal law works. So we defend Weev, because in doing so, we defend us all. Not a bad idea."

According to prosecutors, Auernheimer and co-defendant Daniel Spitler discovered and exploited a flaw on the AT&T site to obtain iPad users' email addresses and integrated circuit card identifiers (ICC-IDs), unique SIM card codes that are meant to identify subscribers and their devices.

Prior to the flaw being fixed in June 2010, whenever an iPad 3G device communicated with AT&T's website, its ICC-ID was automatically displayed in the URL in plain text, prosecutors said. Knowing that each ICC-ID was connected to an iPad 3G user's email address, the pair wrote a script called "iPad 3G Account Slurper."

The script mimicked the behavior of an iPad 3G so that AT&T's servers were tricked into believing that they were communicating with a legitimate device, prosecutors said.
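The pattern prosecutors describe, an unauthenticated lookup keyed only on an ICC-ID carried in the URL, is what a site operator would want to spot in its own access logs: a real device presents one ICC-ID, so a single client walking through many consecutive ones stands out. The following detection logic is an added illustration for defenders, not code from the article, the case record or AT&T; the `/account?ICCID=` endpoint, the ICC-ID values and the log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical endpoint and ICC-ID values;
# not from the page, AT&T, or the case record). A genuine iPad presents its own
# single ICC-ID, so one client cycling through many distinct values is the signal.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2013:10:00:01 +0000] "GET /account?ICCID=89014100000000000001 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [07/Jul/2013:10:00:01 +0000] "GET /account?ICCID=89014100000000000002 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [07/Jul/2013:10:00:02 +0000] "GET /account?ICCID=89014100000000000003 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [07/Jul/2013:10:00:02 +0000] "GET /account?ICCID=89014100000000000004 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [07/Jul/2013:10:00:03 +0000] "GET /account?ICCID=89014100000000000005 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad)"
10.0.0.9 - - [07/Jul/2013:10:00:05 +0000] "GET /account?ICCID=89014100000000000777 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad)"
10.0.0.9 - - [07/Jul/2013:10:01:09 +0000] "GET /account?ICCID=89014100000000000777 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad)"
"""

# Combined-log prefix up to the request line; only the account endpoint is of interest.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /account\?ICCID=(?P<iccid>\d{19,20}) ')

def parse_lookups(log_text):
    """Return {client_ip: [iccid, ...]} for every request that hit the account endpoint."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lookups[m.group("ip")].append(m.group("iccid"))
    return lookups

def enumeration_suspects(log_text, max_distinct=2):
    """Flag clients that presented more than max_distinct different ICC-IDs.

    The count of consecutive integer steps separates a scripted walk of the
    ID space from a user who legitimately swapped SIM cards once.
    """
    report = {}
    for ip, ids in parse_lookups(log_text).items():
        distinct = sorted({int(i) for i in ids})
        if len(distinct) <= max_distinct:
            continue
        consecutive = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        report[ip] = {"requests": len(ids),
                      "distinct_ids": len(distinct),
                      "consecutive_steps": consecutive}
    return report

if __name__ == "__main__":
    for ip, info in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

The underlying fix is the one the article implies: the server should never hand back account data for an ICC-ID supplied by the client without first tying that request to an authenticated session for the same subscriber.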

Last week, a team of well-known computer crime defense lawyers filed a separate amicus brief. According to that 63-page brief (PDF), the lawyers' major argument is that Auernheimer didn't violate the federal Computer Fraud and Abuse Act because he only visited an unprotected web page.

UPDATE: Two researchers at Stanford University have written a third amicus brief (PDF) calling for the conviction of Auernheimer to be tossed.

Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, and Jonathan Mayer, a graduate student in Computer Science and Law at Stanford, authored the appeal. More than 45 notable information security researchers and academics signed off on the filing, including Bruce Schneier, H.D. Moore, Edward Felten, Cesar Cerrudo, Matt Blaze, Dave Aitel, Charlie Miller and Brian Martin.

"In the brief, we show that legitimate, highly valuable security and privacy research commonly employs techniques that are essentially identical to what Auernheimer did in this case," Granick wrote in a post. "Most importantly, like Auernheimer, researchers cannot always conduct testing with the approval of a computer system's owner. Such independent research is of great value to academics, government regulators and the public even when – often especially when – conducted without permission and contrary to the website owner's subjective wishes."
