Court Convicts Hacker of Stealing Apple iPad Details
Published on: 21st Nov 2012
Note -- this news article is more than a year old.
A New Jersey court has found a computer hacker guilty of breaking into an AT&T website and stealing the account details of around 120,000 Apple iPad users.
Andrew Auernheimer, 26 was arrested last January, along with an accomplice, Daniel Spitler, 26.
The two men were accused of writing a script that took advantage of the way that AT&T associated account details with the iPad serial number before June 2010. The systems were later changed.
Prior to mid-June 2010, AT&T automatically linked an iPad 3G user's e-mail address to the Integrated Circuit Card Identifier (ICC-ID), a number unique to the user's iPad, when he registered. As a result, every time a user accessed the AT&T website, his ICC-ID was recognized and his e-mail address was automatically populated for faster, user-friendly access to the site. AT&T kept the ICC-IDs and associated e-mail addresses confidential.
At that time, when an iPad 3G communicated with AT&T's website, its ICC-ID was automatically displayed in the Universal Resource Locator, or "URL," of the AT&T website in plain text. Seeing this, and discovering that each ICC-ID was connected to an iPad 3G user email address, hackers are alleged to have written a script termed the "iPad 3G Account Slurper"and deployed it against AT&T's servers.
The Account Slurper attacked AT&T's servers for several days in early June 2010, and was designed to harvest as many ICC-ID/e-mail address pairings as possible. It worked by mimicking the behavior of an iPad 3G so that AT&T's servers would be fooled into granting the Account Slurper access.
From June 5 through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers.
The two men then passed the details to the Gawker website, which published an article about the hack.
The defendant claimed that as a hacker, he was simply exposing a security flaw in the AT&T systems, however, the code-of-practice in such situations is to notify the company first and only reveal the hack after the flaw has been fixed - or after the flaw is ignored despite several warnings.
AT&T said it only learnt of the problem when it was published on the Gawker website, and removed the flaw.
Auernheimer is appealing the conviction.