AT&T Hacker Jailed For Three Years For Exposing iPad Owners' Email Addresses

Prison Window

A security researcher who exploited a flaw in AT&T's security around iPad users to reveal details of 114,000 emails in 2010 has been sentenced to 41 months in prison, and ordered with a co-defendant to pay $73,000 (£48,000) compensation to the phone company.

Andrew "Weev" Auernheimer, who ran Goatse Security with co-defendant Daniel Spitler, was found guilty in November of one charge of identity fraud and one of conspiracy to access a computer without authorisation. He had faced a maximum of five years in prison for each charge.

The hack, carried out in June 2010 just two months after the iPad went on sale, exposed details of the then White House chief of staff, Rahm Emanuel, as well as chief executives and military officials. Only email addresses were exposed. The exploit used the fact that AT&T had allocated sim cards for 3G-enabled iPads with successive numbers and no security checks to prevent anyone accessing the details. A printout of the details was then sent to the Gawker website.

The night before his sentencing, Auernheimer took part in a Reddit "Ask Me Anything" session. There he explained how he had carried out the hack: "In June of 2010 there was a public AT&T webserver that had a URL for a public API with a number at the end of it. If you added one to this number you might see the next iPad 3G user email address. I aggregated a sample of this data and sent it to a journalist. I contend that I as an American have the right to profit from accessing a public webserver, adding one to a number and embarrassing a large corporation.

"Despite an email from AT&T stating the data was 'published', 'no security was bypassed' and 'I don't think they [the feds] have a case', the feds [federal prosecutors] disagreed. In November of 2012 I was found guilty of violating the Computer Fraud and Abuse Act, the same law used against Matthew Keys, Aaron Swartz and Stephen Watt."

Speaking on the courthouse steps before his sentencing, Auernheimer said: "I'm going to jail for doing arithmetic".

In describing the sentence, federal prosecutors referred three times to Auernheimer's Reddit AMA session, in one part of which he said: "My regret is being nice enough to give AT&T a chance to patch [the flaw] before dropping the dataset to Gawker. I won't nearly be as nice [sic] next time."

Ahead of his sentencing on Monday, Auernheimer had been bullish: "No matter what the outcome, I will not be broken," he tweeted. "I am antifragile," he added – a reference to the book by the economist Nassim Nicholas Taleb about systems that are robust enough to cope with disaster.

The two were charged in January 2011. Their security company – which was also sometimes described as a hacker group – had previously pointed out flaws in the Mozilla Firefox and Apple Safari browsers.

Spitler took a plea bargain in 2011.

Powered by article was written by Charles Arthur, technology editor, for on Monday 18th March 2013 19.01 Europe/London © Guardian News and Media Limited 2010