Federal prosecutors in New Jersey have charged two men they believe stole the personal information of 120,000 iPad users from AT&T's network in June.
Andrew Auernheimer and Daniel Spitler were arrested and each charged with one count of conspiracy to access a computer without authorisation and one count of fraud, according to a criminal complaint filed in a US District Court in New Jersey.
Auernheimer was arrested in Arkansas while appearing in state court on unrelated drug charges, and Spitler surrendered to FBI agents in New Jersey.
The hackers discovered and exploited a flaw on the AT&T site to obtain iPad users' email addresses and integrated circuit card identifiers (ICC-IDs), unique SIM card codes that are meant to identify subscribers and their devices.
Prior to the flaw being fixed in June, when an iPad 3G device communicated with AT&T's website, its ICC-ID was automatically displayed in the URL in plain text, according to the complaint.
Knowing that each ICC-ID was connected to an iPad 3G user's email address, the hackers wrote a script called “iPad 3G slurper” that was designed to gain unauthorised access to AT&T's servers and automate the harvesting of data.
The script mimicked the behaviour of an iPad 3G so that AT&T's servers were tricked into believing that they were communicating with a legitimate device, the complaint states. Once deployed, the script used brute force techniques to randomly guess ICC-IDs. A correct guess was rewarded with an ICC-ID/email pairing for a specific and identifiable iPad user.
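From the defender's side, the pattern the complaint describes (one client presenting many different ICC-IDs, most of them wrong guesses) stands out in request logs, because a genuine device only ever sends its own identifier. The following detection sketch is an added example, not taken from the complaint or from AT&T; the log format, addresses, ICC-ID values and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO time> <client> iccid=<ICC-ID from the URL> <status>"
LINE = re.compile(r"^(\S+) (\S+) iccid=(\d{19,20}) (\d{3})$")

def find_enumerators(lines, window=timedelta(minutes=5),
                     max_distinct=5, min_miss_ratio=0.5):
    """Return {client: (distinct_ids, miss_ratio)} for clients that, inside one
    time window, present more than max_distinct ICC-IDs with mostly failed lookups."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a lookup request
        ts, client, iccid, status = m.groups()
        events[client].append((datetime.fromisoformat(ts), iccid, status != "200"))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = len({iccid for _, iccid, _ in span})
            miss_ratio = sum(1 for _, _, miss in span if miss) / len(span)
            if distinct > max_distinct and miss_ratio >= min_miss_ratio:
                flagged[client] = (distinct, round(miss_ratio, 2))
                break  # first offending window is enough to flag the client
    return flagged

def sample_log():
    """Constructed sample: one normal device and one client guessing ICC-IDs."""
    def iccid(n):
        return f"89000000000000{n:05d}"  # made-up 19-digit values
    lines = [f"2010-06-05T12:0{i}:00 198.51.100.20 iccid={iccid(90000)} 200"
             for i in range(3)]  # same device, same ICC-ID every time
    for i in range(8):          # eight different guesses in eight seconds
        status = "200" if i % 4 == 0 else "404"
        lines.append(f"2010-06-05T12:00:{i:02d} 203.0.113.7 iccid={iccid(i)} {status}")
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Clients behind a shared NAT address can legitimately present several ICC-IDs, so the distinct-ID threshold needs tuning against real traffic, and the miss ratio is what separates guessing from a busy gateway.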
From June 5 to 9, the hackers stole approximately 120,000 ICC-ID/email pairings for iPad 3G customers.
Some of the email addresses belonged to well-known early adopters, including New York mayor Michael Bloomberg and then-White House chief-of-staff Rahm Emanuel.
The hackers were members of an internet hacker group called Goatse Security, which in late June claimed responsibility for the attack.
On June 9, Auernheimer and Spitler provided the stolen information to news and gossip blog Gawker, which published the data along with an article about the breach.
“AT&T needs to be held accountable for their insecure infrastructure as a public utility, and we must defend the rights of consumers, over the rights of shareholders,” Auernheimer wrote in a November 17 email to officials in New Jersey, according to the complaint. “I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”
In a statement sent to SCMagazineUS.com this week, an AT&T spokesman said the company takes the privacy of its customers very seriously.
“We co-operate with law enforcement whenever necessary to protect it,” the spokesman said.
Auernheimer and Spitler allegedly communicated during the scheme via internet relay chat (IRC), an instant messaging program.
Federal investigators obtained chat logs of conversations between the two hackers and other members of Goatse Security, which allegedly tie them to the intrusion. During one chat on June 5, Spitler discussed with two other individuals, using the aliases “Nstyr” and “Phynchon”, the benefits of harvesting ICC-ID/email pairings, noting that they could be sold to spammers “for thousands” or be used to “tarnish AT&T,” according to the complaint.
Later the same day, Spitler reported to Auernheimer that he harvested 197 email addresses and wrote a script to automate the process.
“This could be like, a future massive phishing operation,” Auernheimer said.
Auernheimer later encouraged Spitler to amass more ICC-ID/email pairings, and he offered to provide the stolen data to members of the press.
US Attorney Paul Fishman said that other researchers should think twice before using their technical skills for illegal purposes.
“Hacking is not a competitive sport, and security breaches are not a game,” Fishman said in a statement. “Those who use technological expertise for malicious purposes take note: Your activities in cyberspace can have serious consequences for you in the real world.”