Print 28 comment(s) - last by Piiman.. on May 4 at 11:32 AM

Exploiting iPad flaw proves costly for researcher, despite relatively responsible disclosure process

Nearly four years behind bars; that's the fate a New York security "researcher" faces after being found guilty by a jury of his peers and sentenced by a federal judge on cybercrime charges involving his 2010 exploitation of a flaw in the security of iPad service provider AT&T. He allegedly used the flaw to expose the email address of over 100,000 individuals.

I. A Leaky Hole

The story began in June 2010.  Apple, Inc. (AAPL) had just released the first generation iPad, a tablet computer that transformed the form factor from overlooked to in vogue.  And the service provider du jour for iPads with 3G data connectivity was AT&T, Inc. (T).  

But AT&T's iPad support services had a relatively minor, but notable security flaw.  AT&T's iPad-related servers ran a script that accepted an ICC-ID (integrated circuit card identifiers), an identifier unique to each device.  

If sent a valid ICC-ID, the script served up the personal email of the subscriber associated with that device.  AT&T had planned to use the feature to generate a slick AJAX-style response on its web applications for the iPad.

iPad hole
AT&T left a gaping hole in their iPad web scripts. [Image Source: DailyTech/Jason Mick]

But Andrew Auernheimer, Daniel Spitler, and other hackers with the profanely named "troll" hacker collective Goatse Security identified the vulnerability when they were probing AT&T's servers.  They quickly wrote a so-called "data slurper" -- a script that performed a brute force attack, working through tables of ICC-IDs and recording the ones that received a response.

AT&T apologized for the breach and took down the script, closing its hole.

II. Investigation, Trial Conclude in Guilty Verdict

But the damage was already done.  Goatse Sec. had published its results to the blog site Gawker, revealing parts of a data set that contained roughly 114,000 email addresses.  Among the high-profile figures exposed were ABC News anchor Diane Sawyer, New York City Mayor Michael Bloomberg, and current Chicago Mayor Rahm Emanuel.

Soon after the data loss, U.S. Federal Bureau of Investigation agents investigating the incident conducted a raid on the home Mr. Auernheimer who had moved from New York to a residence in Arkansas.  Mr. Auernheimer, aka "weev" or "Escher Auernheimer" was arrested by federal agents on suspicion of computer crimes.  Authorities also allegedly found cocaine, LSD, and ecstasy in his residence.  Lawyers for Mr. Auernheimer contend that the raid was unnecessary and illegal.  The security "researcher" has yet to face charges on the drugs found.

However, he was charged with one count of conspiracy to access servers without permission and one count of identity theft.  These offenses -- spelled out in the Computer Fraud and Abuse Act of 1986 (18 USC § 1030) -- carry a maximum sentence of five years in prison and a fine of up to $250,000 USD.

Andrew Auernheimer
Goatse Security "researcher" Andrew Auernheimer was found guilty of two counts of computer crimes and may be sentenced to up to five years in prison, pending appeal. [Image Source: AP]

Mr. Auernheimer was charged in U.S. District Court for the District of New Jersey, the location where his co-defendant (Daniel Spitler) was charged.  Initially, federal authorities had planned to charge the two members separately, which would have resulted in a trial of Mr. Auernheimer in an Arkansas District Court.  However, the case was eventually shuffled to the New Jersey District Court.

In June 2011, Mr. Spitler, aka "JacksonBrown" pled guilty to the two cybercrimes counts, in hopes of receiving a lighter sentence.  He is currently awaiting sentencing.

Mr. Auernheimer fought the charges, and but the triakl with the jury finding Mr. Auernheimer guilty of both counts, despite the fact that Mr. Auernheimer only accessed a gaping open system.

III. Auernheimer to Cyber-Dissidents: Rise Up

Four months after that guilty verdict Mr. Auernheimer seems more at peace with his coming time behind bars.  He participated in a mostly lighthearted 
Reddit AmA ("Ask Me Anything") on Sunday before the sentencing.  

Ironically, prosecutors tried to turn Mr. Auernheier's upbeat and sarcastic Reddit comments against him at the sentencing hearing the next day.  They pushed for 4 years -- nearly the maximum sentence.  The judge instead sentenced him to a slightly shorter 41 months sentence, to be followed by 3 years of supervised release, during which time his electronic behavior will be monitored.

The accused read John Keats' The Fall of Hyperion and told reporters at a press conference, "I'm going to jail for doing arithmetic."

Andrew Auernheimer
Andrew Auernheimer will soon be headed to a nearly four year stay in prison.
[Image Source: The Verge]

The statement comes just months after his proclamation that he hoped he would get the maximum 5 year sentence to encourage Anonymous and other cyber-rebels to "rise up and storm the decks."

He and his co-defendant Mr. Spitler will have to pay $73,000 USD in restitution if the verdict sticks.  Mr. Auernehimer is currently appealing the sentence.  His attorney, Tor Ekeland told The Verge in an interview that courts are divided on what exactly constitutes "unauthorized access" in the CFAA, pointing to a possible route for the appeal.

Source: The Verge

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

You'll all find out, every single one of you.
By strapmonkey on 3/20/2013 9:21:43 PM , Rating: 2
In 2009, while working as a contract pharmacist in a rural healthcare facility, I got a call from the PA on shift. The PA explained that one of the EMT's was at the clinic with his dog ($3000 bird dog, 2 years old). The dog had ingested a large quantity of rat poison, the antidote for which is Vitamin K. The nearest vet was 60 miles away, the EMT was on call (wasn't even supposed to be at the clinic, but we were only a block or so from the EMT quarters). The dog wasn't going to survive the trip anyway. The PA asked if we had any injectable Vit K on hand, and if so, if I'd see fit to dispense the medication to the EMT that he might save his friend. I said yes, and thereby became a federal felon.

For dispensing $143 worth of medication (which amount I tried to reimburse the clinic the following day, and was rebuked), we lost everything. Our house, vehicles, my ability to ever earn a living in my chosen profession (although I still retain my professional license in good standing, I am banned from working for any entity that bills a federally funded program; e.g. Medicare/Medicaid, i.e. all entities). The OIG rousted me out of Wanblee, SD a week after I buried my father. Armed Federal agents arrested me at gun point after threatening me and my wife, the week after we buried my father-in-law. They could have made a phone call; instead they sent armed marshals to point loaded weapons at us whilst screaming obscenities.

I copped a plea and received 3 years probation. Had I gone to trial, I would've lost and served 2 years in a Federal penitentiary.

For $443 (the final determination of restitution), the Federal government was willing to spend upward of $100,000 over a three year period, all to keep a "dangerous felon" off the streets. This does not include $150,000 in Federally insured student loans I will never be able to repay, or the hundreds of thousands of dollars of lost tax revenue over the span of my career.

I currently work day labor for minimum wage. With a Federal larceny conviction, I can't get a job mowing lawns.

Tommy Chong served 18 months in prison for allowing his likeness to be displayed on a brand of marijuana paraphernalia. When he got out, he said "People come up to me and ask "Whoa, man, prison; what was that like?" I tell them "You'll find out. Every single one of you is going to find out." God help us, he is right.

The Federal prosecutorial system is completely off the rails. Their decision to indict and prosecute a case is based entirely on what that prosecution will do for the AUSA in charge. Whether you are low hanging fruit, like me, or a high ticket item, like Schwartz, all "civilians" are viewed as an expediency to a higher pay grade, and another notch on the prosecutor's gun. The cost to the individual, and to society as a whole, doesn't even enter the equation.

It is time for the American people to wake up. The longer we wait, the more difficult that awakening becomes.

Bye the bye, the dog survived. Every time the EMT came into the clinic, he made a point of thanking me, and shaking my hand. It was never about the dog, kids. It was about not letting a young man watch his friend die a horrible death, when I could do something to prevent that. For what this has cost me, cost my family, not acting would've cost me so much more. My soul, my humanity and my free will.

By Piiman on 5/4/2013 11:32:15 AM , Rating: 2
You should have taken this to every media outlet you could find.

Since the only reason they go after people without deep pockets in the first place is to pretend they are doing their jobs the only way to get this jerks to back down is to make them look bad.

"Paying an extra $500 for a computer in this environment -- same piece of hardware -- paying $500 more to get a logo on it? I think that's a more challenging proposition for the average person than it used to be." -- Steve Ballmer

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki