A San Francisco man who was charged with exploiting a flaw on the AT&T website to obtain personal information about Apple iPad subscribers has pleaded guilty, prosecutors said Thursday.
Daniel Spitler, 26, of San Francisco admitted to one count of conspiracy to gain unauthorized access to a computer and one count of identity theft. He turned himself in on Jan. 18.
He faces up to five years in prison and a $250,00 fine when he is sentenced on Sept. 28.
According to prosecutors, Spitler and Andrew Auernheimer, 25, of Fayetteville, Ark., discovered and exploited a flaw on the AT&T site to obtain iPad users' email addresses and integrated circuit card identifiers (ICC-IDs), unique SIM card codes that are meant to identify subscribers and their devices.
Prior to the flaw being fixed in June 2010, whenever an iPad 3G device communicated with AT&T's website, its ICC-ID was automatically displayed in the URL in plain text, prosecutors said. Knowing that each ICC-ID was connected to an iPad 3G user's email address, the hackers wrote a script called “iPad 3G Account Slurper” that was designed to gain unauthorized access to AT&T's servers and automate the harvesting of data.
The script mimicked the behavior of an iPad 3G so that AT&T's servers were tricked into believing that they were communicating with a legitimate device, investigators said. Once deployed, the script used brute force techniques to randomly guess ICC-IDs.A correct guess was rewarded with an ICC-ID/email pairing for a specific and identifiable iPad user.
From June 5 to 9, the hackers stole approximately 120,000 ICC-ID/email pairings for iPad 3G customers, prosecutors said. Some of the email addresses belonged to well-known early adopters, including New York Mayor Michael Bloomberg, journalist Diane Sawyer and then-White House Chief of Staff Rahm Emanuel.
The hackers were members of an internet hacker group called Goatse Security, which has claimed responsibility. Last June, Auernheimer and Spitler provided the stolen information to news and gossip blog Gawker, which published the data along with an article about the breach.
Shortly after, Goatse sent a statement defending two men. The company said AT&T was not targeted, and the compromised data was not used for any illegal means.
Auernheimer is free on bail, and his case still is pending.
A message left with Susan Cassell, the New Jersey lawyer representing Spitler, was not immediately returned.
Leon Kaiser, a spokesman for Goatse, said the researchers merely wanted to help the public by pointing out a security flaw.
"No information was made public," he told SCMagazineUS.com in an email Thursday. "Not one email address. The list was given to Gawker, merely to assure them that we weren't kidding. They sifted through it to find interesting names. Only a handful of names were ever released. No email addresses were ever released, nor were any ICC-IDs. All copies of the list were immediately deleted after sending it to Gawker.
Paul Fishman, the U.S. attorney for New Jersey, referenced the recent string of data breaches when discussing the case, according to a statement.
“Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves,” he said. “Hacks have serious implications – from the personal devastation of a stolen identity to danger to our national security. In the wake of other recent hacking attacks by loose-knit organizations like Anonymous and LulzSec, Daniel Spitler's guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport.”