Federal prosecutors in New Jersey on Tuesday announced the arrest of two self-described hackers who had been accused of stealing email addresses and other personal information from over 100,000 AT&T 3G iPad users in June of last year.
The two, Daniel Spitler of San Francisco, CA and Andrew Auernheimer of Fayetteville, AR, have been charged with fraud and conspiracy to access a computer without authorization, though they believe they did more good than harm by publicizing the weakness in AT&T’s system.
AT&T sent out a letter to their customers, describing the security breach as follows:
“On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the e-mail address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the e-mail address associated with the ICC-ID already populated on the log-in screen.”
Dorothy Attwood, Senior Vice President, Public Policy and Chief Privacy Officer for AT&T, goes on in the letter to explain that the company took “swift action” against the breach to correct the issue and protect its valued customers’ data.
However, in a blog post on Goatse Security’s Web site, Escher Auernheimer responded to AT&T’s letter and defended his group’s actions.
“When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare,” Auernheimer writes. “We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.”
Apparently, federal prosecutors haven’t been impressed with the good will of the hackers, and have sided with AT&T and its commitment to prosecute those who pursue unauthorized access to its systems, whether it is meant to be helpful or not.
Something tells me that someone at AT&T was upset over being upstaged by a bunch of hackers. Unfortunately, these guys are likely going to face some serious penalties for taking the display of their talents a bit too far.