Hacker pleads guilty to role in AT&T iPad user data theft
updated 04:10 pm EDT, Thu June 23, 2011
Incident revealed 120,000 iPad owners
A 26-year-old man from San Francisco, Daniel Spitler, has plead guilty to charges of identity theft and a conspiracy to gain unauthorized access to computers, according to the Wall Street Journal. Spitler, along with Andrew Auernheimer, was arrested in January for creating software used to attack AT&T servers in June 2010 and steal the email addresses of iPad owners. Auernheimer is in the middle of plea negotiations; Spitler could face up to five years in prison on each charge, and will be sentenced on September 28th.
Some 120,000 iPad owners were exposed, including high-profile government officials and corporate executives. Among those in the former category were New York City mayor Michael Bloomberg and then-White House Chief of Staff Rahm Emanuel. Federal prosecutors claim that Auernheimer and Spitler were aiming to do damage to AT&T, while promoting themselves and a hacker group going by the alias Goatse Security.
Prosecutors have also provided some small information on how the attack was orchestrated. To get into AT&T servers Spitler is said to have written a spoof program, posing as an iPad 3G. How this allowed 120,000 email addresses to be revealed is unknown.
Fresh-Faced Recruit
Joined: Oct 2010
It's completely known!
The old AT&T protocol for accessing your 3G account was that your iPad sent your cellular identifier(s) (SMEI?) and AT&T's servers responded with the login page, with the email address registered to that identifier already filled in. Cycle through possible identifiers and collect all the email addresses. This was described when the addresses were first known to be collected. That's why you now have to enter your email address every time. (It would be nice if your iPad actually remembered your account address, at the least.)