FBI: Two Hackers Charged for Stealing IPAD Email Addresses from AT&T 3G servers
NEWARK, NJ—Two self-described Internet “trolls” were arrested today for allegedly hacking AT&T’s servers and stealing e-mail addresses and other personal information belonging to approximately 120,000 Apple iPad users who accessed the Internet via AT&T’s 3G network, United States Attorney Paul J. Fishman announced.
Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, Calif., were taken into custody this morning by special agents of the FBI—each charged with an alleged conspiracy to hack AT&T’s servers and for possession of personal subscriber information obtained from the servers. Auernheimer was arrested in Fayetteville while appearing in Arkansas state court on unrelated drug charges, and is expected to appear this afternoon before United States Magistrate Judge Erin L. Setser in Fayetteville federal court. Spitler surrendered to FBI agents in Newark and is expected to appear in Newark federal court before United States Magistrate Judge Claire C. Cecchi.
According to the Complaint unsealed today:
The iPad is a touch-screen tablet computer, developed and marketed by Apple Computers, Inc., which allows users to, among other things, access the Internet and send and receive electronic mail. Since the introduction of the iPad in January 2010, AT&T has provided iPad users with Internet connectivity via AT&T’s 3G wireless network. During the registration process for subscribing to the network, a user is required to provide an e-mail address, billing address, and password.
Prior to mid-June 2010, AT&T automatically linked an iPad 3G user’s e-mail address to the Integrated Circuit Card Identifier (“ICC-ID”), a number unique to the user’s iPad, when he registered. As a result, every time a user accessed the AT&T website, his ICC-ID was recognized and his e-mail address was automatically populated for faster, user-friendly access to the site. AT&T kept the ICC-IDs and associated e-mail addresses confidential.
At that time, when an iPad 3G communicated with AT&T’s website, its ICC-ID was automatically displayed in the Universal Resource Locator, or “URL,” of the AT&T website in plain text. Seeing this, and discovering that each ICC-ID was connected to an iPad 3G user e-mail address, hackers wrote a script termed the “iPad 3G Account Slurper”and deployed it against AT&T’s servers.
The Account Slurper attacked AT&T’s servers for several days in early June 2010, and was designed to harvest as many ICC-ID/e-mail address pairings as possible. It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be fooled into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a “brute force” attack—an iterative process used to obtain information from a computer system—against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user.
From June 5 through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers. Immediately following the theft, the hacker-authors of the Account Slurper provided the stolen e-mail addresses and ICC-IDs to the website Gawker, which published the stolen information in redacted form, along with an article concerning the breach. The article indicated that the breach “exposed the most exclusive e-mail list on the planet,”and named a number of famous individuals whose e-mails had been compromised, including Diane Sawyer, Harvey Weinstein, Mayor Michael Bloomberg, and Rahm Emanuel. The article also stated that iPad users could be vulnerable to spam marketing and malicious hacking. A group calling itself “Goatse Security” was identified as obtaining the subscriber data.
According to its website, Goatse Security is a loose association of Internet hackers and self-professed Internet “trolls”—people who intentionally, and without authorization, disrupt services and content on the Internet—to which both Spitler and Auernheimer belong.