A man who successfully exploited a hole in AT&T’s web security to obtain information about iPad customers was sentenced on Monday to 41 months in prison and an additional three years of supervision following his release. While Andrew Auernheimer didn’t put the information he obtained to any malicious use, under the Computer Fraud and Abuse Act, he did commit a serious computer crime. He was charged with one count of identity fraud, as well as one count of conspiracy to access a computer without authorization.
The hacking occurred back in 2010, when he and a colleague discovered a security hole in AT&T’s website and wrote a program they called the iPad 3G Account Slurper. The program allowed them to access the email addresses and ICC-ID numbers, and other data about the users affected. (ICC-ID numbers identify an iPad and who it belongs to.) Rather than taking the information they retrieved and using it to harm the users affected, they sent their findings to a popular website so the security hole could be publicized and hopefully fixed. It’s just the latest in what seems to be a growing trend in hacktivism.
What are hacktivists?
So-called hacktivists often look for ways to break through security measures, more as a challenge than through any wish to cause malicious damage. They tend to publicly share their findings, which can cause some harm to users affected if the identifiers aren’t properly redacted before publication. For example, recently a security breach at a large email and search site allowed hackers to access the email addresses and passwords of thousands of people. These were published online. Some of those users are still dealing with the fallout.
However, that is not to say that there isn’t any damage, even unintended left in their wake or that all hacktivists are the Robin Hoods of the Internet world.
Andrew Auernheimer and his colleague, Daniel Spitler could easily fall into the category as hacktivists because it appears their intentions were to expose a security threat, not to cause damage to the users of AT&T’s wireless internet. However, the law still rules against them, because just accessing the data without permission is a crime. In reality, maybe the company should be charged with being negligent in protecting the privacy of its’ customers.
Or perhaps it’s a sign that companies need to hire white-hat hackers to test their systems for any holes such as the one that allowed Andrew Auernheimer access to the stolen data. Shoot, they should have hired him for the job.