By Dan Goodin in San Francisco
23rd June 2011
A San Francisco man has admitted writing the code that plucked personal
data of 120,000 early iPad adopters from servers AT&T had left wide open
to the attack.

Daniel Spitler, 26, pleaded guilty in federal court in New Jersey to one
count each of identity theft and conspiracy to gain unauthorized access
to internet-connected computers, prosecutors said. A member of the troll
and griefer collective known as Goatse Security, he surrendered to
authorities in January, when he and alleged accomplice Andrew
Auernheimer were criminally charged in the hack.

Auernheimer, aka Weev, has pleaded not guilty.

According to prosecutors, Spitler, Auernheimer, and other Goatse members
identified a vulnerability on AT&T's servers that mapped an iPad's
ICC-ID, or integrated circuit card identifier, to the name and email
address of its owner.

Spitler admitted he was the one who wrote the "iPad 3G Account Slurper"
script, which exploited the flaw to harvest as much data as possible. It
worked by injecting large numbers of possible ICC-IDs into AT&T web
addresses and recording the information that was returned each time it
successfully guessed a valid number. For the attack to work, Spitler had
to make his code mimic characteristics of the iPad.
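
The request pattern described above leaves a recognisable trace in server logs: one client asking about many different ICC-IDs, most of which match no account, while presenting an iPad User-Agent. The following detection sketch is an added example, not code from the article or from AT&T; the log format, the `/lookup?iccid=` path, the threshold and every sample line are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed (constructed) access-log format, not AT&T's real one:
#   <client-ip> "GET /lookup?iccid=<digits>" <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "GET /lookup\?iccid=(?P<iccid>\d{19,20})" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def find_enumerators(lines, max_distinct=3):
    """Return {client_ip: stats} for clients that looked up more distinct
    ICC-IDs than one subscriber's devices plausibly would.

    The User-Agent is parsed but deliberately ignored: the script in the
    article mimicked an iPad, so that header cannot separate real tablets
    from a harvester. The count of distinct identifiers per source can.
    """
    seen = defaultdict(set)    # ip -> distinct ICC-IDs requested
    misses = defaultdict(int)  # ip -> lookups that matched no account
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue           # unrelated or malformed line
        seen[m["ip"]].add(m["iccid"])
        if m["status"] == "404":
            misses[m["ip"]] += 1
    return {
        ip: {"distinct_iccids": len(ids), "misses": misses[ip]}
        for ip, ids in seen.items()
        if len(ids) > max_distinct
    }

def build_sample_log():
    """Constructed sample: one source walking 40 ids, one ordinary tablet."""
    ua = "Mozilla/5.0 (iPad; constructed sample UA)"
    base = int("89" + "0" * 17)  # constructed 19-digit placeholder value
    lines = []
    for i in range(40):          # many distinct ids, mostly misses
        status = 200 if i % 8 == 0 else 404
        lines.append(f'203.0.113.7 "GET /lookup?iccid={base + i}" {status} "{ua}"')
    for _ in range(5):           # a real device repeats only its own id
        lines.append(f'198.51.100.20 "GET /lookup?iccid={base + 1000}" 200 "{ua}"')
    return lines

if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

Detection of this kind only limits the damage; the underlying flaw was that the server returned a subscriber's name and email address to anyone who supplied an ICC-ID.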