A 27-year-old New York man known online as “Weev” was convicted Tuesday of “impersonating” an iPad in order to gain access to AT&T’s servers and swiping 114,000 email addresses, including some belonging to celebrities.
Andrew Auernheimer faces up to 10 years in prison after being found guilty of conspiracy to access a protected computer without authorization and fraud in connection with personal information.
The charges stem from a data breach shortly after the launch of the original 3G-enabled iPad in April 2010. Auernheimer and Daniel Spitler, also known as “JacksonBrowne,” uncovered a flaw on AT&T’s Web site that prefilled in a user’s email address when the site was loaded from the iPad. The tablet was encoded with a unique cellular ID number (ICC ID) that appeared in the URL when accessing the AT&T website.
The duo, said to be part of a group called Goatse Security, discovered if someone altered the ICC ID numbers in the URL, other email addresses were generated on the AT&T site.
Spitler then wrote a script to automate the guesswork and harvested 114,000 addresses. Auernheimer contacted media outlets to expose how the pair gained the emails of the early adopters, which included film mogul Harvey Weinstein, network news anchor Diane Sawyer and New York Mayor Michael Bloomberg. The gossip site Gawker ran a June 2010 article warning of the security flaw and noted that Goatse Security had contacted AT&T about the flaw, which was patched by the time of publication. The email addresses were not been made public, nor were any cases of related identity theft reported, according to published reports. Federal authorities launched an investigation.
Both Auernheimer and Spitler, of San Francisco, were arrested in January 2011. Spitler, then 26, pleaded guilty that June and agreed to testify against Auernheimer, who previously lived in Fayetteville, Ark.
A defense attorney claimed during the Newark, N.J., trial that the spoofed iPad ICC IDs — found on the SIM cards — were akin to an appliance serial number, not a security mechanism, and available to anyone who entered the correct URL into a Web browser. As such, the two men did not “attack” AT&T servers to steal email addresses as the indictment indicated.
Prosecutors compared the ICC IDs to Social Security numbers and noted Auernheimer used deceptive means to access the servers and steal data.
Auernheimer gained some notoriety when he was featured in an August 2008 New York Times Magazine article on Internet trolls.
“Hey epals don’t worry! We went in knowing there would be a guilty here. I’m appealing of course,” he wrote in a tweet following the verdict.