Hacker Convicted for 2010 Breach of AT&T iPad 3G Customer Data

Hacker Convicted for 2010 Breach of AT&T iPad 3G Customer Data

While it can take a hacker mere hours to breach networks and make off with a bounty of sensitive data, the slow-turning wheels of the legal system typically take years to bring the offender to justice. Such is the case of Andrew Auernheimer, the infamous AT&T hacker sentenced last week for his 2010 exploit that exposed the personal information of more than one-hundred thousand Apple iPad users.

Auernheimer, who goes by the handle “weev,” was convicted in a U.S. District Court on charges of conspiracy to access private servers without authorization with the intent to disclose protected data and for the illegal possession and transfer of personally identifiable information.

Auernheimer, along with fellow conspirator Daniel Spitler who had previously pleaded guilty to similar charges, both belonged to the small hacker collective called “Goatse Security” which maintained that the hack against AT&T was meant to draw attention to the lax security efforts that left customers susceptible to exposure. The clientele whose data was disclosed in the breach included New York Mayor Michael Bloomberg, White House Chief of Staff at the time Rahm Emanuel, and television news personality Diane Sawyer, among others.

The vulnerability exploited by the hackers was related to AT&T's automatic linking of the Integrated Circuit Card Identifier (ICC-ID) numbers, which are unique to every Apple iPad, to the company's database of customer email and billing addresses.

“Every time a user accessed the AT&T website, the ICC-ID was recognized and the e-mail address was automatically populated for faster, user-friendly access to the site,” the FBI press release on the case explained. “When an iPad 3G communicated with AT&T’s website, its ICC-ID was automatically displayed in the Universal Resource Locator, or URL, of the AT&T website in plain text.”

Auernheimer and other members of the Goatse Security clan designed a script they called the “iPad 3G Account Slurper” which was able to fool the AT&T servers into divulging the ICC-ID numbers and corresponding e-mail addresses. The script ran over a four day period, harvesting more than 120,000 sets of account details for AT&T iPad 3G customers.

The hackers then proceeded to disclose the stolen data to a reporter for Gawker, who followed up with an article discussing the group's successful exploit. Following an investigation and subsequent indictments against members of the group who had on multiple occasions discussed the breach in private communications, Aurenheimer remained adamant that the action was not meant to be malicious, but was intended to serve a a warning about the insecure data storage practices of large enterprises and the risk those practices exposed consumers to.

“What I do never involves hacking. It just involves public records,” Aurenheimer told Forbes shortly after his arrest. “There was no password, no firewall, no breaking or entering. All I did was inform people that AT&T had put them at risk.”

Auernheimer faces a maximum five-year prison sentence and $250,000 fine on each of the two counts for which he was convicted, though the hacker believes that acts of digital civil disobedience – as he describes the AT&T breach – will not likely be deterred by high profile convictions such as his.

“I think that martyrdom has always triggered more activity. You can put people like me in cells all that you want. There will be 30 more like me,” Aurenheimer had said.