Who’s to Blame in iPad Hacking Case?
When news broke last June that AT&T’s iPad servers had been hacked, exposing the ICC IDs and e-mail addresses of about 120,000 customers, AT&T tried to deflect outrage over the incident toward Goatse Security, the group claiming responsibility for the breach.
AT&T claimed the hackers “went to great efforts” to extract ICC IDs and their associated e-mails, and said it was notified of the security breach by a “business customer,” not Goatse Security. Goatse said the flaw in AT&T’s security was an obvious one and claimed it went public with the hack only after AT&T failed to act.
Given the facts I had at the time, I argued that anger over the breach should be directed not just at the hackers but also at AT&T, which failed to address an easily discoverable security flaw in its Web application. Now, details have emerged that indicate the hackers responsible for the breach never gave AT&T a chance to fix the problem before going public, contrary to their claims that AT&T had “plenty of time to inform the public before our disclosure.”
According to evidence provided by federal prosecutors, Goatse Security hackers Andrew Auernheimer and Daniel Spitler used a homemade software script to break into AT&T’s iPad servers from June 5 to June 9, and then immediately provided the stolen e-mail addresses and ICC IDs to Gawker.com, which published the information in redacted form. If this is true, Goatse’s claim that it released the information to the media because AT&T failed to act is false.
Federal prosecutors also released chat conversations that seem to indicate that Auernheimer and Spitler launched the attack to “tarnish” AT&T, and considered selling the e-mails or launching a “massive phishing operation” that would have inundated AT&T’s iPad customers with spam. The pair eventually decided to take the information straight to the media. Prosecutors don’t indicate how AT&T came to learn of the security breach, but they make clear that Goatse never notified AT&T of the problem.
This exonerates AT&T – in part. We’ll never know whether AT&T would have notified customers of the security breach if the hackers at Goatse had given them time to do so. We’ll never know whether AT&T would have noticed the security flaw without being notified by Goatse Security, however unfairly the notice came through.
What we do know is that AT&T fixed the security flaw as soon as it was notified, and then let customers know if their information was compromised. We also know that AT&T wasn’t entirely truthful when it said Goatse “went to great efforts” to exploit the fault in its servers – security experts told me that the breach was easily avoidable, as claimed by the hackers who discovered the flaw. Federal prosecutors said AT&T actually displayed the ICC IDs of its users in its URL when the iPad 3G communicated with AT&T’s website – information that led directly to users’ e-mail addresses, including those of prominent politicians, government officials and media figures. Whoops.
Given these new facts, the blame for the incident lies more evenly between AT&T and the two hackers who claimed responsibility for the breach, and neither side comes out completely clean. It appears that Auernheimer and Spitler were more interested in damaging AT&T and promoting themselves than protecting the vulnerable information of iPad users. It also seems that AT&T acted appropriately to deal with the flaw once it discovered it, but should have done a better job of securing the e-mail addresses and ICC IDs of its users.
Auernheimer and Spitler each have been charged with one count of conspiracy to access a computer without authorization and one count of fraud. Each count carries a maximum potential penalty of five years in prison and a fine of $250,000. That’s a hefty price to get your name in the news.