19 Mar 2013
A man convicted of hacking the AT&T website has been sentenced to 41 months in prison after accessing e-mail addresses of more than 120,000 Apple iPad owners.
Andrew Auernheimer, 26, and his partner, 27-year-old Daniel Spitler, were found guilty of hacking into AT&T’s servers by exploiting a flaw in the authentication process for iPad devices. To authenticate a device, AT&T used GET requests carrying the ICC-ID, the unique identifier hard-coded into each SIM card, to look up which user owned which e-mail address. The ICC-ID stood in for the user’s password and was sent in the clear as part of the URL.
The two automated the process by creating a script called 'iPad 3G Account Slurper' and used it to exploit a hole in the AT&T website to steal as many ICC-ID/email pairs as possible.
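As an added illustration (not part of the original article), the enumeration described above leaves a distinctive footprint in web server logs: a single client requesting many distinct, near-sequential ICC-ID values in a short time. The script below runs that check over constructed log lines; the log format, request path and parameter name are assumptions, not AT&T's.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not taken from the case record):
# one client fetches its own account page once; another walks consecutive
# ICC-ID values, which is the pattern an enumeration script produces.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2013:10:00:01 +0000] "GET /account?iccid=89014100000000000001 HTTP/1.1" 200 512
198.51.100.7 - - [19/Mar/2013:10:00:02 +0000] "GET /account?iccid=89014100000000001000 HTTP/1.1" 200 512
198.51.100.7 - - [19/Mar/2013:10:00:02 +0000] "GET /account?iccid=89014100000000001001 HTTP/1.1" 200 512
198.51.100.7 - - [19/Mar/2013:10:00:03 +0000] "GET /account?iccid=89014100000000001002 HTTP/1.1" 404 0
198.51.100.7 - - [19/Mar/2013:10:00:03 +0000] "GET /account?iccid=89014100000000001003 HTTP/1.1" 200 512
198.51.100.7 - - [19/Mar/2013:10:00:04 +0000] "GET /account?iccid=89014100000000001004 HTTP/1.1" 200 512
"""

# Assumed log layout: client IP first, then a quoted GET line whose query
# string carries the ICC-ID in a parameter named "iccid".
LINE_RE = re.compile(r'^(\S+) .*?"GET \S*[?&]iccid=(\d+)')


def find_enumeration(log_text, min_distinct=5, min_sequential_ratio=0.6):
    """Return {client_ip: (distinct_ids, sequential_steps)} for clients whose
    requests carry many distinct ICC-IDs that mostly differ by exactly 1.
    A normal device presents one ICC-ID; a scan presents a run of them."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for client, ids in ids_by_client.items():
        if len(ids) < min_distinct:
            continue  # too few distinct IDs to call it a scan
        ordered = sorted(ids)
        # count neighbouring IDs that are exactly one apart
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if steps / (len(ordered) - 1) >= min_sequential_ratio:
            flagged[client] = (len(ordered), steps)
    return flagged


if __name__ == "__main__":
    for ip, (count, steps) in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct ICC-IDs, {steps} sequential steps")
```

The 404 line is counted too: failed lookups are part of the scan's signature, so status codes are deliberately ignored.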
"Andrew Auernheimer knew he was breaking the law when he and his partner hacked into AT&T’s servers and stole personal information from unsuspecting iPad users," U.S. Attorney Fishman told Security Week. "When it became clear that he was in trouble, he concocted the fiction that he was trying to make the Internet more secure, and that all he did was walk in through an unlocked door. The jury didn’t buy it, and neither did the Court in imposing sentence upon him today."
In addition to the 3.5 years of prison, Auernheimer was ordered to pay $73,162.