A 27-year-old New York man known online as “Weev” was convicted Tuesday of “impersonating” an iPad in order to gain access to AT&T’s servers and swiping 114,000 email addresses, including some belonging to celebrities.

Andrew Auernheimer faces up to 10 years in prison after being found guilty of conspiracy to access a protected computer without authorization and fraud in connection with personal information.

The charges stem from a data breach shortly after the launch of the original 3G-enabled iPad in April 2010. Auernheimer and Daniel Spitler, also known as “JacksonBrowne,” uncovered a flaw on AT&T’s Web site that prefilled in a user’s email address when the site was loaded from the iPad. The tablet was encoded with a unique cellular ID number (ICC ID) that appeared in the URL when accessing the AT&T website.

The duo, said to be part of a group called Goatse Security, discovered if someone altered the ICC ID numbers in the URL, other email addresses were generated on the AT&T site.

Spitler then wrote a script to automate the guesswork and harvested 114,000 addresses. Auernheimer contacted media outlets to expose how the pair gained the emails of the early adopters, which included film mogul Harvey Weinstein, network news anchor Diane Sawyer and New York Mayor Michael Bloomberg. The gossip site Gawker ran a June 2010 article warning of the security flaw and noted that Goatse Security had contacted AT&T about the flaw, which was patched by the time of publication. The email addresses were not been made public, nor were any cases of related identity theft reported, according to published reports. Federal authorities launched an investigation.

Both Auernheimer and Spitler, of San Francisco, were arrested in January 2011. Spitler, then 26, pleaded guilty that June and agreed to testify against Auernheimer, who previously lived in Fayetteville, Ark.

A defense attorney claimed during the Newark, N.J., trial that the spoofed iPad ICC IDs — found on the SIM cards — were akin to an appliance serial number, not a security mechanism, and available to anyone who entered the correct URL into a Web browser. As such, the two men did not “attack” AT&T servers to steal email addresses as the indictment indicated.

Prosecutors compared the ICC IDs to Social Security numbers and noted Auernheimer used deceptive means to access the servers and steal data.

Auernheimer gained some notoriety when he was featured in an August 2008 New York Times Magazine article on Internet trolls

“Hey epals don’t worry! We went in knowing there would be a guilty here. I’m appealing of course,” he wrote in a tweet following the verdict.



Categories: Government, Hacks

Comments (7)

  1. Anonymous

    Rediculous.  It’s against the law to alter the URL on a web page?  It’s just there, right in your address bar, you can type whatever you want.  If it’s simply accessible to anyone in the outside world by typing in an URL, then it’s not attacking….it’s surfing. 

  2. TheTruth

    No, it isn’t against the law to change a URL – but it IS against the law to use that as a means to access a server that belongs to someone else (and download data therefrom).

  3. Anonymous

    Anyone who sets up a web site with such glaring and open vulnerabilities is the one who is responsible for the attack IMHO. It’s not even an attack – it’s a fail by AT&T. AT&T have offered a service to the public that is not fit! I would not give them my data…..

    These guys have done nothing – maybe they might not have harvested 114k addresses but they did not make them public. Just another case of the law being an ass.

    Does not make an environment conducive to the reporting of security issues does it…? If I found one with AT&T I’d give greater consideration to informing the underground and not go near AT&T for the trouble it would cause.

  4. Anonymous

    I’m no lawyer, but it was an externally facing website available for public use correct? No contractual agreement or guidelines of ‘intended use’? Sad story, but the saddest part is that Spitler chose to testify against his friend…

  5. Anonymous

    If you leave your front door open and somebody walks in and takes something, it is still theft.

    But, if you leave your front door open in a hostile neighborhood, your an idiot.

    Youthful  mis-judgement can explain Andrews mistake.

    What explains ATT’s foolishness?


Comments are closed.