iTnews
  • Home
  • News
  • Technology
  • Security

iPad hackers arrested, facing charges

By Angela Moscaritolo on Jan 19, 2011 12:47PM

Exploited flaw on AT&T site.

Federal prosecutors in New Jersey have charged two men they believe stole the personal information of 120,000 iPad users from AT&T's network in June.

Andrew Auernheimer and Daniel Spitler were arrested and each charged with one count of conspiracy to access a computer without authorisation and one count of fraud, according to a criminal complaint filed in a US District Court in New Jersey.

Auernheimer was arrested in Arkansas while appearing in state court on unrelated drug charges, and Spitler surrendered to FBI agents in New Jersey.

The hackers discovered and exploited a flaw on the AT&T site to obtain iPad users' email addresses and integrated circuit card identifiers (ICC-IDs), unique SIM card codes that are meant to identify subscribers and their devices. 

Prior to the flaw being fixed in June, when an iPad 3G device communicated with AT&T's website, its ICC-ID was automatically displayed in the URL in plain text, according to the complaint.

Knowing that each ICC-ID was connected to an iPad 3G user's email address, the hackers wrote a script called “iPad 3G slurper” that was designed to gain unauthorised access to AT&T's servers and automate the harvesting of data.

The script mimicked the behavior of an iPad 3G so that AT&T's servers were tricked into believing that they were communicating with a legitimate device, the complaint states. Once deployed, the script used brute force techniques to randomly guess ICC-IDs. A correct guess was rewarded with an ICC-ID/email pairing for a specific and identifiable iPad user.

From June 5 to 9, the hackers stole approximately 120,000 ICC-ID/email pairings for iPad 3G customers.

Some of the email addresses belonged to well-known early adopters, including New York mayor Michael Bloomberg and then-White House chief-of-staff Rahm Emanuel.

The hackers were members of an internet hacker group called Goatse Security, which in late June claimed responsibility for the attack.

On June 9, Auernheimer and Spitler provided the stolen information to news and gossip blog Gawker, which published the data along with an article about the breach.  

"AT&T needs to be held accountable for their insecure infrastructure as a public utility, and we must defend the rights of consumers, over the rights of shareholders,” Auernheimer wrote in a November 17 email to officials in New Jersey, according to the complaint. “I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure."

In a statement sent to SCMagazineUS.com this week, an AT&T spokesman said the company takes the privacy of its customers very seriously.

“We co-operate with law enforcement whenever necessary to protect it,” the spokesman said.

Auernheimer and Spitler allegedly communicated during the scheme via internet relay chat (IRC), an instant messaging program.

Federal investigators obtained chat logs of conversations between the two hackers and other members of Goatse Security, allegedly pinning them to the intrusion. During one chat on June 5, Spitler discussed with two other individuals, using the aliases “Nstyr” and “Phynchon", the benefits of harvesting ICC-ID/email pairings, noting that they could be sold to spammers “for thousands” or be used to “tarnish AT&T,” according to the complaint.    

Later the same day, Spitler reported to Auernheimer that he harvested 197 email addresses and wrote a script to automate the process.

“This could be like, a future massive phishing operation,” Auernheimer said.

Auernheimer later encouraged Spitler to amass more ICC-ID/email pairings, and he offered to provide the stolen data to members of the press. US Attorney Paul Fishman said that other researchers should think twice before using their technical skills for illegal purposes.  

“Hacking is not a competitive sport, and security breaches are not a game,” Fishman said in a statement. “Those who use technological expertise for malicious purposes take note: Your activities in cyberspace can have serious consequences for you in the real world."

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
arrestedchargesfacinghackersipadsecurity

Partner Content

The Great Resignation has intensified insider security threats
Promoted Content The Great Resignation has intensified insider security threats
Avoiding CAPEX by making on-premise IT more cloud-like
Promoted Content Avoiding CAPEX by making on-premise IT more cloud-like
Why Genworth Australia embraced low-code software development
Promoted Content Why Genworth Australia embraced low-code software development
Winning strategies for complaints and disputes management in financial services
Promoted Content Winning strategies for complaints and disputes management in financial services

Sponsored Whitepapers

Free eBook: Digital Transformation 101 – for banks
Free eBook: Digital Transformation 101 – for banks
Why financial services need to tackle their Middle Office
Why financial services need to tackle their Middle Office
Learn: The latest way to transfer files between customers
Learn: The latest way to transfer files between customers
Extracting the value of data using Unified Observability
Extracting the value of data using Unified Observability
Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see

Events

  • Forrester Technology & Innovation Asia Pacific 2022
By Angela Moscaritolo
Jan 19 2011
12:47PM
0 Comments

Related Articles

  • US SEC charges three with insider trading tied to Equifax hack
  • Federal Court puts cyber security onus on financial services firms
  • US says advanced hackers can hijack critical infrastructure
  • US and European partners take down hacker website RaidForums
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Services Australia sets changeover date for myGov

Services Australia sets changeover date for myGov

Google Cloud IoT Core goes on the end-of-life list

Google Cloud IoT Core goes on the end-of-life list

NBN Co proposes to axe CVC across all plans by mid-2026

NBN Co proposes to axe CVC across all plans by mid-2026

NSW Police dumps Bezos-backed Mark43 from core systems overhaul

NSW Police dumps Bezos-backed Mark43 from core systems overhaul

Digital Nation

Crypto losses to crime surge to $1.9 B in first half of 2022: Chainalysis
Crypto losses to crime surge to $1.9 B in first half of 2022: Chainalysis
CommBank’s mobile banking app beats ANZ, NAB, Suncorp and Westpac: Forrester
CommBank’s mobile banking app beats ANZ, NAB, Suncorp and Westpac: Forrester
Save the Date — Digital Nation Live launches on October 25
Save the Date — Digital Nation Live launches on October 25
Edge and IoT critical to Web3 infrastructure
Edge and IoT critical to Web3 infrastructure
Stakes are higher for cybersecurity in Web3: Gal Tal-Hochberg, CTO at Team8
Stakes are higher for cybersecurity in Web3: Gal Tal-Hochberg, CTO at Team8
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.