U.S. investigators will be holding a press conference this afternoon to announce criminal charges related to the alleged theft of email addresses and other personal information from 120,000 iPad users. The theft occurred back in June of this year, when hackers compromised AT&T’s servers with an automated script. At the time, a group calling itself Goatse Security claimed responsibility for the breach, saying it was motivated to show iPad users their data was not as secure as they thought.
According to a breaking news report from Reuters, Paul Fishman, the U.S. attorney for the District of New Jersey, and the FBI plan to hold a press conference this afternoon to discuss the charges.
Remember this Attack?
If this story sounds familiar to you, it should. This summer, the news spread like wildfire around the Web, not just because of the hack attempt itself, but also because of the name of the so-called “security firm,” which refers to a decidedly NSFW (not safe for work) Web prank. The news story was broken by Gawker originally. For a refresher, you can read all the details here.
The security firm, really just a group of hackers calling itself a firm, exploited a security flaw on AT&T’s Web servers which allowed them to obtain email addresses from the SIM cards of iPad 3G users. This hack did not affect users of Wi-Fi-only iPads.
At the time of the original report, the number of compromised accounts was said to be around 114,000. Today, it seems that number was just a bit higher: 120,000.
How the Attack Worked
The hackers had used a specially formatted HTTP request, which would return a user’s ICC-ID, that is, their iPad 3G SIM card address. This number, which stands for “integrated circuit card identifier,” is used to identify SIM cards by associating a mobile subscriber with their device. A script on AT&T’s website allowed anyone to submit an ICC-ID and it would then return the subscriber’s email address.
The hackers found the ICC-IDs thanks to many public photos hosted on the photo-sharing website Flickr and other similar sites. They were also able to guess a large number of ICC-IDs just by looking at known IDs and making educated guesses.
To harvest the data from the AT&T servers, the hackers wrote an automated PHP script which would send a request to the website that made it appear as if the request came from a specific iPad user’s device.
Goatse Security said it notified AT&T of the breach, but only after sharing the script with an unknown number of third parties. AT&T closed the security hole shortly after being notified.
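For defenders, this kind of harvesting stands out in server logs as one source looking up many different ICC-IDs in a short time, whatever device the requests claim to come from. The sketch below is an added example, not code from AT&T or from the original report; the log layout, the /lookup path, the iccid parameter name and all sample values are assumptions made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: ip, ISO timestamp, request line, status, User-Agent.
LINE = re.compile(
    r'^(\S+) (\S+) "GET \S*[?&]iccid=(\d{19,20})\S* HTTP/1\.[01]" \d{3} "[^"]*"$')

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=3):
    """Return {source_ip: peak number of distinct ICC-IDs looked up inside
    one window} for each source whose peak exceeds max_distinct.
    Lines from the same source must be in time order."""
    recent = defaultdict(deque)  # ip -> (time, iccid) pairs still in window
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a lookup request
        # The User-Agent is matched but never used: the client controls it,
        # so it says nothing about which device sent the request.
        ip, stamp, iccid = m.groups()
        now = datetime.fromisoformat(stamp)
        q = recent[ip]
        q.append((now, iccid))
        while now - q[0][0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len({i for _, i in q}))
    return {ip: n for ip, n in peak.items() if n > max_distinct}

def sample_log():
    """Constructed log lines, not real traffic; every value is made up."""
    start = datetime(2010, 6, 1, 10, 0, 0)
    row = '{} {} "GET /lookup?iccid=890141{:013d} HTTP/1.1" 200 "iPad"'
    lines = []
    for n in range(8):   # one source stepping through consecutive ICC-IDs
        t = (start + timedelta(seconds=n)).isoformat()
        lines.append(row.format("198.51.100.7", t, n))
    for n in range(5):   # one device re-checking its own ICC-ID
        t = (start + timedelta(minutes=n)).isoformat()
        lines.append(row.format("203.0.113.20", t, 9999))
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Only the source that stepped through consecutive identifiers is reported; the device that repeatedly looked up its own ICC-ID is not.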
Who Was Affected?
Among the users affected were many high-profile government officials and military personnel. Based on the email addresses gathered, the hackers had managed to snoop out accounts from the major service branches of the military, NASA, the FCC, DARPA, the Senate, the House of Representatives, the Department of Justice, the Department of Homeland Security and the National Institute of Health.
In other industries, the affected individuals included top executives from The New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO, Hearst as well as others from Google, Amazon, AOL, Microsoft, Goldman Sachs, JP Morgan, Citigroup and Morgan Stanley.
AT&T said it would inform customers whose email address had been obtained through this attack, but generally downplayed the breach, saying “the only information that can be derived from the ICC-ID’s is the email address attached to that device.”
From Reuters’ report, it sounds as if there is other personal data involved, too. However, we may not know if that’s an accurate statement until this afternoon’s press conference.
Soon after the attack occurred, the FBI announced it would open an investigation into the iPad breach. Today’s charges are the result of that investigation. We imagine that with a name like “Goatse,” this hacker group wasn’t too hard to track down.
According to Reuters, the defendants Daniel Spitler and Andrew Auernheimer were each charged with one count of fraud and one count of conspiracy to access a computer without authorization. Spitler will appear in federal court in Newark, New Jersey on Tuesday and Auernheimer will appear in an Arkansas federal court.