NEWARK – A computer hacker who helped write the malicious code behind a breach of AT&T’s computer servers admitted today to conspiring to hack into the servers, steal information regarding iPad subscribers, and publicize the crime, U.S. Attorney Paul J. Fishman announced.
Daniel Spitler, 26, of San Francisco, Calif., pleaded guilty to one count of conspiracy to gain unauthorized access to computers connected to the Internet and one count of identity theft. Spitler surrendered to FBI agents on Jan. 18, and was originally charged by complaint with the conspiracy. Spitler entered his guilty plea before U.S. District Judge Susan D. Wigenton this afternoon in Newark federal court.
“Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves,” said Fishman. “Hacks have serious implications – from the personal devastation of a stolen identity to danger to our national security. In the wake of other recent hacking attacks by loose-knit organizations like Anonymous and LulzSec, Daniel Spitler’s guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport.”
“The magnitude of this crime affected everyone from high ranking members of the White House staff to the average American citizen,” said Michael B. Ward, Special Agent In Charge of the FBI’s Newark Division. “It’s important to note that it wasn’t just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information. Because of the popularity and widespread use of the new and emerging technology of the iPad and devices like it, it was absolutely critical that emerging threats to it were addressed promptly and aggressively. The FBI’s Cyber Crimes Task Force did so by remaining on the cutting edge of computer forensics, quickly zeroing in on the perpetrators who mistakenly believed they were hidden behind a cloak of cyberspace, ultimately exposing them to justice and the world.”
According to documents filed in this case and statements made in Newark federal court, Spitler admitted that he was a member of an organization known as Goatse Security. According to its website, it is a loose association of Internet hackers and self-professed Internet “trolls” – people who intentionally, and without authorization, disrupt services and content on the Internet.
Prior to mid-June 2010, AT&T automatically linked an iPad 3G user’s e-mail address to the Integrated Circuit Card Identifier (“ICC-ID”), a number unique to the user’s iPad, when the user registered. As a result, every time a user accessed the AT&T website, his or her ICC-ID was recognized and his or her e-mail address was automatically populated for faster, user-friendly access to the site. AT&T kept the ICC-IDs and associated e-mail addresses confidential.
Seeing this, and discovering that each ICC-ID was connected to an iPad 3G user e-mail address, hackers, including Spitler, wrote a script termed the “iPad 3G Account Slurper” and deployed it against AT&T’s servers.
The Account Slurper attacked AT&T’s servers for several days in early June 2010, and was designed to harvest as many ICC-ID/e-mail address pairings as possible. It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be fooled into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a “brute force” attack – an iterative process used to obtain information from a computer system – against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user.
Immediately following the theft, the hacker-authors of the Account Slurper provided the stolen e-mail addresses and ICC-IDs to the website Gawker, which published the stolen information in redacted form, along with an article concerning the breach. The article indicated that the breach “exposed the most exclusive email list on the planet,” and named a number of famous individuals whose emails had been compromised, including Diane Sawyer, Harvey Weinstein, Mayor Michael Bloomberg, and Rahm Emanuel. The article also stated that iPad users could be vulnerable to spam marketing and malicious hacking.
The charges to which Spitler pleaded guilty each carry a maximum potential penalty of five years in prison and a $250,000 fine. Sentencing is currently scheduled for Sept. 28.