Goatse Security said its iPad hack, which harvested 120,000 e-mail addresses, took “just over a single hour of labor total”
NEW YORK (CNNMoney) — Federal prosecutors said Tuesday that they have filed charges against two people accused of hacking AT&T’s website and harvesting the e-mail addresses of 120,000 iPad owners.
Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco were taken into custody Tuesday morning by the FBI. Both men were charged with an alleged conspiracy to hack AT&T’s (T, Fortune 500) servers and for possession of personal information obtained from the servers.
Auernheimer was arrested in Fayetteville while appearing in Arkansas state court on unrelated drug charges. Spitler surrendered to FBI agents in Newark, N.J., where the case is being pursued.
The charges stemmed from an exploit that took place seven months ago. In June, about one month after the iPad 3G went on sale, AT&T announced that it had fixed a security hole that inadvertently exposed the e-mail addresses of thousands of iPad 3G owners.
The company’s announcement came shortly after tech blog Valleywag posted an expose of the breach. In the Valleywag article, hacker group Goatse Security said it had exploited a vulnerability on AT&T’s website to harvest the e-mail addresses iPad buyers provided to activate their devices.
The list of affected users was star-studded, including major political figures, military officials, media executives and top politicians. The e-mail addresses the hackers grabbed included those of former White House chief of staff Rahm Emanuel, Hollywood producer Harvey Weinstein and New York City Mayor Michael Bloomberg.
The attack: The federal complaint, filed in U.S. District Court in New Jersey, cast the intrusion as a “brute force” attack on AT&T’s servers perpetrated “for the express purpose of causing monetary and reputational damage to AT&T.”
But what the accused hackers actually did is fairly low-tech and exploited a hole that AT&T left wide open.
Auernheimer and Spitler discovered that plugging an iPad ICC-ID — a unique identification number for each device — into a publicly available script on AT&T’s website would return the e-mail address associated with the ID. They created a script that randomly guessed at ID numbers. When it hit a correct one, it would retrieve the associated e-mail address.
That approach netted them a list of more than 120,000 e-mail addresses.
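The flaw the article describes is an identifier that is printed on the SIM and issued in predictable batches being treated as if it were a credential. The following is an added illustration, not AT&T's code and not anything published by Goatse Security: it places the insecure lookup pattern beside a hardened one that requires a session bound to the device, throttles repeated failures, and keeps an audit trail, and then runs a simple detection rule over that trail. All ICC-ID values, e-mail addresses, session tokens and the `HardenedLookup` / `enumeration_suspects` names are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data. ICC-IDs issued in one SIM batch are often
# consecutive, which is what made guessing them cheap.
ACCOUNTS: Dict[str, str] = {
    "89014104212345678901": "alice@example.com",
    "89014104212345678902": "bob@example.com",
    "89014104212345678905": "carol@example.com",
}

# Constructed session store: an authenticated session token mapped to the
# ICC-ID of the device the session was established from.
SESSIONS: Dict[str, str] = {
    "sess-alice": "89014104212345678901",
}


def lookup_insecure(icc_id: str) -> Optional[str]:
    """The pattern the article describes: the caller supplies an ICC-ID and
    the service answers with the e-mail on file. Nothing ties the caller to
    the device, so a predictable identifier acts as a password."""
    return ACCOUNTS.get(icc_id)


class HardenedLookup:
    """E-mail pre-fill that (1) requires an authenticated session bound to the
    same device, (2) throttles repeated failures per client, and (3) keeps an
    audit trail that a detection rule can run over."""

    def __init__(self, max_failures: int = 5, window_s: float = 60.0) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures: Dict[str, List[float]] = defaultdict(list)
        # (time, client, icc_id, outcome)
        self.audit: List[Tuple[float, str, str, str]] = []

    def lookup(self, client: str, session_token: Optional[str],
               icc_id: str, now: float) -> Optional[str]:
        # Keep only failures still inside the sliding window.
        recent = [t for t in self._failures[client] if now - t < self.window_s]
        self._failures[client] = recent
        if len(recent) >= self.max_failures:
            self.audit.append((now, client, icc_id, "throttled"))
            return None

        # Authorization: the session must belong to the device whose ICC-ID
        # is requested. A bare identifier is never sufficient.
        if session_token is None or SESSIONS.get(session_token) != icc_id:
            self._failures[client].append(now)
            self.audit.append((now, client, icc_id, "denied"))
            return None

        self.audit.append((now, client, icc_id, "ok"))
        return ACCOUNTS.get(icc_id)


def enumeration_suspects(audit: List[Tuple[float, str, str, str]],
                         min_distinct_ids: int = 3,
                         window_s: float = 60.0) -> List[str]:
    """Detection rule over the audit trail: a client denied for several
    *different* ICC-IDs inside one window is enumerating, however ordinary
    each individual request looked."""
    denied: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for t, client, icc_id, outcome in audit:
        if outcome == "denied":
            denied[client].append((t, icc_id))
    suspects = set()
    for client, events in denied.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {iid for t, iid in events[i:] if t - t0 < window_s}
            if len(ids) >= min_distinct_ids:
                suspects.add(client)
                break
    return sorted(suspects)


def demo():
    """Constructed traffic: one legitimate device, one client walking
    consecutive ICC-IDs with no session."""
    svc = HardenedLookup(max_failures=5)
    ok = svc.lookup("alice-phone", "sess-alice", "89014104212345678901", now=0.0)
    for i in range(8):
        svc.lookup("scanner", None, "8901410421234567890%d" % i, now=1.0 + i)
    return ok, svc.audit, enumeration_suspects(svc.audit)


if __name__ == "__main__":
    result, trail, flagged = demo()
    print("legitimate lookup:", result)
    print("flagged clients:", flagged)
    for entry in trail:
        print(entry)
```

In `demo()` the scanner's three guesses that would have succeeded against `lookup_insecure` (IDs ending 1, 2 and 5) all return nothing from the hardened service, the sixth and later attempts are throttled before any authorization check, and the audit trail alone is enough for `enumeration_suspects` to flag the client.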
“This hack was very simple, but major in its significance,” said Hemanshu Nigam, founder of cybersecurity consulting firm SSP Blue.
Auernheimer and Spitler didn’t try to profit from their hack. They say their goal was simply to draw attention to the vulnerability.
One day after the breach came to light, Goatse posted a scathing entry on its blog accusing AT&T and Apple (AAPL, Fortune 500) of not taking security seriously.
The iPad hack took “just over a single hour of labor total,” they wrote.
More recently, they’ve expressed shock at the vehemence of the law enforcement crackdown against them.
“None of us made any money off of this disclosure. We did it in public interests,” they wrote in a June blog post after the FBI began investigating.
What’s next: Spitler appeared in court in New Jersey on Tuesday, where he was banned from using the Internet outside of work. Spitler is employed as a security guard at a Borders bookstore.
Spitler was required to surrender his passport, and he is permitted to travel only to California and New Jersey. He waived his right to a preliminary hearing, and he will appear in court again March 7.
Apple did not respond to calls for comment. An AT&T spokesman said in a written statement that the company “take[s] our customers’ privacy very seriously and we cooperate with law enforcement whenever necessary to protect it.”
–CNN’s Stephanie Gallman contributed to this report.
Article source: http://money.cnn.com/rssclick/2011/01/18/technology/ipad_hackers_arrested/index.htm?section=money_mostpopular
Category: Vulnerabilities/Exploits