Feds Nab Web 'Trolls' In AT&T, iPad Hack

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, were taken into FBI custody on Tuesday and each charged in the alleged conspiracy to hack into AT&T's servers and for the possession of personal user information obtained during the hack, according to documents released by United States Attorney Paul J. Fishman's office. Auernheimer was arrested in Fayetteville while in court on an unrelated matter, while Spitler surrendered to the FBI in Newark.

The pair allegedly created a script called the "iPad 3G Account Slurper" which plucked iPad user data when those users accessed the Web over AT&T's 3G network. The Slurper hack pulled usernames, e-mail addresses, billing addresses and passwords off of AT&T servers by pairing a unique Integrated Circuit Card Identifier (ICC-ID) and e-mail address that were recognized and populated when users accessed the 3G network from their Apple iPad.

The iPad 3G Account Slurper attacked AT&T servers for several days in June 2010 and harvested as many ICC-ID and e-mail address parings as possible by mimicking the behavior of an iPad 3G for server access, the U.S. Attorneys office said. The brute force attack, which was carried out from June 5, 2010 through June 9, 2010 raked data for more than 120,000 user accounts; data the hackers allegedly then turned over to Gawker, which published the information in redacted form. The published list included personal data for high-profile iPad users like Diane Sawyer, Harvey Weinstein, New York Mayor Michael Bloomberg and Rahm Emanuel.

At the time of the attack, the group that obtained the user data called itself Goatse Security, and billed itself as a loose association of hackers and self-professed Internet trolls bent on disrupting services and content on the internet, the U.S. Attorneys office said. Spitler and Auernheimer belong to Goatse Security and allegedly communicated with each other via Internet Relay Chat and discussed the breach, which was allegedly perpetrated to damage AT&T while also prompting Goatse Security. On June 10, Spitler and Auernheimer went public with the breach but said they destroyed all of the evidence. The FBI immediately launched an investigation into the AT&T and iPad security breach. Once the security hole enabling the breach was fixed, AT&T issued an apology to affected Apple iPad users and pointed the finger at malicious hackers.

"Hacking is not a competitive sport, and security breaches are not a game," U.S. Attorney Fishman said in a statement. "Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations, and unwanted contact. Computer intrusions and the spread of malicious code are a threat to national security, corporate security, and personal security. Those who use technological expertise for malicious purposes take note: your activities in cyberspace can have serious consequences for you in the real world."

Spitler and Auernheimer are each charged with one count of conspiracy to access a computer without authorization and one count of fraud in connection with the personal information obtained. Each count carries a maximum penalty of five years in prison and a fine of $250,000.

"One primary principle of our society is confidence in a reasonable expectation of personal privacy, which includes expectations of financial privacy, medical privacy, and privacy in our communications," Michael B. Ward, Special Agent in Charge of the FBI’s Newark field office, said in a statement. "Unauthorized intrusions into personal privacy adversely affect individual citizens, businesses, and even national security. Such intrusion cases, regardless if the motive is criminal gain or prestige among peers in the cyber-hacking world, must and will be aggressively pursued to ensure these rights are protected to the highest degree."