Two Arrested For AT&T iPad Network Breach

One of the men charged argues it's AT&T that should be blamed.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 18, 2011

3 Min Read
Dark Reading logo in a gray background | Dark Reading

Top 10 Security Stories Of 2010

Top 10 Security Stories Of 2010


(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

United States Attorney Paul J. Fishman on Tuesday announced the arrest of "two self-described Internet 'trolls'" for their alleged involvement in the harvesting of e-mail addresses from some 120,000 Apple iPad users in June, 2010.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, Calif., were arrested on Tuesday by FBI agents on charges that they conspired to hack into AT&T's servers and that they were in possession of information obtained from those servers.

The complaint against the two men says that they created a script called "iPad 3G Account Slurper" to harvest data from AT&T's servers. Prior to June, 2010, AT&T associated the e-mail addresses of subscribers to its iPad 3G data plan with an Integrated Circuit Card Identifier (“ICC-ID”). The company kept this information confidential but unwittingly exposed ICC-ID numbers in URLs associated with its Web site.

The Account Slurper script was designed to look like an iPad 3G to AT&T's servers. It presented a series ICC-ID numbers as a brute force attack and received paired e-mail addresses when the guessed ICC-ID number was valid.

Between June 5 and 9, 2010, Auernheimer and Spitler are said to have obtained 120,000 e-mail addresses associated with iPad users. The pair then provided this information to Gawker.com, which called the incident "Apple's worst security breach," even as it conceded in the article that "[t]he slip up appears to be AT&T's fault..." (One reason for this may be that articles with "Apple" in the headline tend to get more visitor traffic than articles with "AT&T" in the headline.)

The breach exposed the e-mail addresses of a number of prominent people, including television journalist Diane Sawyer, film mogul Harvey Weinstein, New York Mayor Michael Bloomberg, and former White House Chief of Staff Rahm Emanuel.

The Gawker article says the data was provided by Goatse Security, a group in which Auernheimer and Spitler participated, claim government investigators. The government describes the group as "a loose association of Internet hackers and self-professed Internet 'trolls.'"

"Hacking is not a competitive sport, and security breaches are not a game," said U.S. Attorney Fishman in a statement. "Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations, and unwanted contact."

Fishman stated that breaking into computers and spreading malicious code is a threat to national, corporate, and personal security, and warned that such activities have real-world consequences.

In an e-mail sent to the U.S. Attorney's Office in New Jersey on November 17, 2010, Auernheimer argued that AT&T should be blamed for inadequately securing its network. "AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders," he wrote.

Each of the two charges faced by both defendants carries a penalty of as much as five years in prison and a fine of as much as $250,000.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights