appleinsider logo
Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Two charged in exploit of AT&T website to obtain iPad user data

US prosecutors filed charges against two men in conjunction with the alleged hacking of AT&T's website last year, which resulted in a list of 120,000 users' names, email addresses, and serial numbers.

A report by Reuters detailed that one count of fraud and one count of conspiracy to access a computer without authorization were filed against both defendants, Daniel Spitler and Andrew Auernheimer.

The website attack was reported last summer, initially by Gawker, which described the event as "another embarrassment" for Apple.

Rather than being a sophisticated attack on iPads or AT&T's computer systems, as initial reports suggested, a group referring to itself as a security company simply discovered that AT&T had set up a website that allowed users to type in their iPad 3G's serial number and would then look up and automatically populated the users' email address in the web form.

A sensational hacker event

The "attackers" simply created a script that submitted HTTP requests for thousands of plausible serial numbers and collected the email addresses the server responded with. While AT&T's website deserved some criticism for defaulting to provide user convenience at the expense of a minor privacy threat, reports by Gawker and others trumpeted the data scraping trick as a serious attack with terrifying potential, leaving the suggestion that there was something insecure about the iPad itself.

The thousands of iPad 3G users involved "could be vulnerable to spam marketing and malicious hacking," the site stated. It also reported that affected iPad 3G users might be vulnerable to remote attacks based on the list of known SIM serial numbers (ICC IDs) it had obtained from those involved in the web site data harvesting operation.

It cited those involved in the security breach as claiming that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID."

Two other sources Gawker cited were less impressed. Emmanuel Gadaix, a "mobile security consultant and Nokia veteran," said that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID […] as far as I know, there are no vulnerability or exploit methods involving the ICC ID."

Karsten Nohl, a "white hat GSM hacker and University of Virginia computer science PhD," added that "while text-message and voice security in mobile phones is weak," the "data connections are typically well encrypted […] the disclosure of the ICC-ID has no direct security consequences."

Don't try this at home

AT&T responded to the situation by releasing a statement saying, "this issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."

Reuters noted that the Federal Bureau of Investigation and the U.S. attorney for the District of New Jersey, Paul Fishman, plan to hold a press conference later this afternoon to discuss the charges.