Skip to main content

Security researcher found guilty of conspiracy and identity fraud in 'hackless' AT&T iPad hack

Security researcher found guilty of conspiracy and identity fraud in 'hackless' AT&T iPad hack

Share this story

weev (pinguino flickr)
weev (pinguino flickr)

The trial surrounding Goatse Security’s 2010 collection and disclosure of AT&T iPad users’ emails has come to a close — one that again calls into question the legitimacy of the 1986 Computer Fraud and Abuse Act. 27-year-old Andrew Auernheimer, who goes by the name "weev" online, was found guilty in a New Jersey court on one count of identity fraud and one count of conspiracy to access a computer without authorization. That means the defendant is facing two consecutive five-year felonies for his online exploits. But what makes the case significant is that Auernheimer cracked no codes, stole no passwords, or in any way "broke into" AT&T’s customer database — something company representatives confirmed during testimony.

Back in 2010, AT&T was making its iPad 3G users’ email addresses available to anyone with the associated ICC-ID — a unique number that authenticates the user’s SIM card to AT&T. According to chat transcripts posted by Wired, Auernheimer and 27-year-old Daniel Spitler (who accepted a plea bargain last year) wrote a script that randomly pinged AT&T's website with ICC-IDs, harvesting the email addresses it spit out. In the end, the two compiled a list of about 114,000 users, allegedly including people like Michael Bloomberg, Rahm Emanuel, and Diane Sawyer, before contacting Gawker in June to report their findings. By this time AT&T had already fixed the security hole.

"Have you ever received permission from Google to go to Google?"

The 1986 Computer Fraud and Abuse Act, which Auernheimer was found to have violated, predates the web and contains language that is frequently criticized for being unintelligibly vague in an era of ubiquitous networked computers. The Act makes it illegal to "access a computer without authorization or exceed authorized access" on any "protected computer" — for instance, one that is "used in interstate or foreign commerce or communication." TechNews Daily reports that while the jury was deliberating, Auernheimer said to the press, "the ‘protected computer’ is any network computer. You access a protected computer every day," before asking rhetorically, "have you ever received permission from Google to go to Google?"

"The 'protected computer' is any network computer."

Despite the guilty verdicts, Auernheimer remained upbeat, reportedly saying the jury’s decision was largely due to the general population’s comparative computer illiteracy, and telling his Twitter followers that he planned to appeal the case. Following the verdict, Auernheimer stressed, "R. David Halsey from AT&T used the words, ‘there was no security bypass.’ It can’t be clearer than that. The definition of ‘unauthorized access’ has to include the bypass of security measures."