The conviction last week of a well-known hacker accused of breaching thousands of email addresses of AT&T customers brings to light the often treacherous path the government and computer security community have to navigate in the burgeoning cyber crime frontier. It also serves as an important reminder of the law of unintended consequences.
Andrew Auernheimer, known in hacker circles as Weev, was found guilty last week of conspiracy to access a computer without authorization and fraud in connection with personal information. Auernheimer allegedly worked with Daniel Spitler in a scheme that exposed 120,000 email addresses of Apple (AAPL) iPad users on AT&T’s (T) 3G wireless network.
In early June 2010, Spitler found a security lapse in the system AT&T customers use to update account information. He realized that if one feeds the system an ICC-ID number connected to an iPad registered on AT&T’s network, the system will return a webpage with the email address associated with that iPad, along with a box to enter a password. An ICC-ID is simply a 19 to 20 digit number that identifies a device on a wireless carrier’s network.
Looking to automate the process of mining email addresses from AT&T’s system, Spitler developed a program called the “Account Slurper,” according to a complaint filed in U.S. federal court in New Jersey by the Justice Department. The program “was designed to mimic the behavior of an iPad 3G so that AT&T’s servers were fooled into believing that they were communicating with an actual iPad 3G,” the complaint alleges.
The program functioned by “randomly” guessing ICC-IDs and punching them into AT&T’s system through a website address, or URL. A successful guess returned an email address of an AT&T iPad 3G customer, and an incorrect guess provided no additional information. The program could be run in “brute force” fashion, meaning it would try over and over again in a bid to glean as much information as possible.
On June 5 that year, Spitler logged on to a popular online instant messaging platform called Internet Relay Chat, or IRC, to discuss his findings with several individuals whose identities were not revealed, according to the complaint. Initially, Spitler called the findings “boring,” although the individuals with whom he was chatting suggested he could either sell any potential email addresses to spammers or use them to “tarnish” AT&T’s reputation.
Later that day, Spitler again logged on to IRC where he bragged that he “harvested” 197 email addresses. At this point, Spitler specifically reached out to Auernheimer in the chat-room and described his exploits. Auernheimer responded by saying that the vulnerability is “hilarious HILARIOUS.” Apparently realizing the significance of the findings, he said it represents “big media news” and at one point suggested it could also be used for a “massive phishing operation.” Phishing is when nefarious individuals send emails purporting to be from legitimate organizations asking for account or other personal data.
The following day, Spitler gloated that he had “hit [expletive] oil,” and asked Auernheimer who he should send the list to for maximum impact. Auernheimer recommended collecting “as much data as possible.” Auernheimer also hinted that he could potentially send the list to people he had previously encountered at Internet magazine Gawker.
Forebodingly, Spitler grew nervous about potential legal ramifications as the list grew longer and longer. He asked Auernheimer if he had to get involved with the press blitz, saying he wasn’t clear “how legal this is or if they (AT&T) could sue for damages.” Auernheimer obliged, and noted that there “absolutely may be legal risk … mostly civil … you could get sued to [expletive].”
Auernheimer appeared to take over the operation from there, asking for the computer code for the Account Slurper and saying he could “wrangle the press.”
As the operation widened and continued snagging more email addresses, Auernheimer, Spitler and other members of a loosely-defined security team called Goatse Security, continued discussing ways of leveraging the data. One unnamed individual, referred to as Rucas, suggested sending out phishing emails and deploying an iPad trojan. However, Auernheimer remained stuck on the idea of sending the list to media outlets.
“If we get a reporters (sic) address with this somehow we instantly have a story,” Auernheimer wrote to Spitler, according to the complaint. “The best way to have a leadin (sic) on it … HI I STOLE YOUR EMAIL FROM AT&&T (sic) WANT TO KNOW HOW?”
Auernheimer allegedly did just that. According to the complaint, he emailed an unnamed member of News Corporation’s (NWSA) board of directors whose email address he mined and described his exploit. He said that he would be happy to discuss the issue further with a journalist at the news giant and “would be absolutely happy to describe the method of theft in more detail.” (News Corp. is the parent of FOX Business Network.)
A brief by Justice Department attorneys filed with the court ahead of the trial said Auernheimer made similar offers to describe the methods behind the “theft” to other major media outlets including the Washington Post, San Francisco Chronicle and Thomson Reuters (TRI).
As the day progressed, Auernheimer, Spitler and other members of the Goatse group continued discussing ways of utilizing the data. At one point, a person nicknamed Pynchon suggested shorting AT&T’s stock ahead of any release – essentially a bet the share price will fall. Auernheimer said it would probably be illegal for him to do that, but told others to “go nuts” if they would like to. He went as far as to say he didn’t want to know about it if anyone did short the stock.
By June 9, the list swelled to 120,000 users. The Goatse team decided to send it to Gawker, the Internet magazine, which ran parts in redacted form along with an article describing the exploit. The list published to Gawker included many prominent individuals, including media executives, tech company employees, and military and civilian government officials.
Auernheimer went to his personal LiveJournal blog that day to boast about the exploit and Gawker story. He gleefully described how the story was picked up on Google News, Drudge Report and elsewhere.
Spitler’s reaction was tenser than Auernheimer’s. The complaint said he suffered from “post-troll paranoia” and “solicited advice from other Goatse Security members.” Rucas gave him a couple pointers presumably aimed at avoiding criminal charges. Among the suggestions was taking down security on his WiFi network to create “plausible deniability” about who was using the Internet. He also advised Spitler on invoking his Miranda rights. In Rucas’ view, Spitler committed a federal crime. Rucas wouldn’t be alone in that assessment.
Later that day, Auernheimer essentially admitted on IRC that he did not tell AT&T about the security lapse before publicizing it through Gawker, adding that he hopes AT&T sues him. In comments to FOX Business, Auernheimer claims the vulnerability was fixed before the article was published. That claim could not be independently verified.
He also said repeatedly on IRC that Goatse won, and even dropped AT&T’s stock price. It’s unclear as to whether the breach had any material impact on AT&T’s stock price.
The next day, Spitler and Auernheimer grew more fearful of “the criminal repercussions,” according to the complaint. The duo discussed destroying the list of email addresses and the script that was used to obtain it. It wasn’t clear from court documents reviewed by FOX Business whether the list or program were, in fact, destroyed.
While Spitler and Auernheimer didn’t apparently benefit monetarily from the heist, AT&T was stuck with a sizeable bill. According to the complaint, it cost AT&T $73,000 to remedy the breach, including reaching out to the customers who were impacted. AT&T declined a request by FOX Business for the full cost of the breach.
With no apparent financial incentive, why did Auernheimer and Spitler embark on what both knew could be a perilous project? Notoriety seems to have been the key driver, at least for Auernheimer.
When asked what he wanted to achieve by exposing so many email addresses, Auernheimer said through his attorney, Tor Ekeland, that “the public embarrassment of a corporation that was displaying a cavalier disregard for its customers (sic) safety” led to his decision. He went on to say that the iPad is “a very hip device,” and that Apple and AT&T are companies he was “very interested in issuing criticism of.”
Auernheimer said he doesn’t regret turning the data into Gawker: “We have the right as Americans to inform the press of matters of public concern,” he said.
Research or Crime? That is the Question.
In the world of cyber security, gray area abounds. The line separating research and crime is often blurred in this new world.
Auernheimer’s and Spitler’s intentions in this case weren’t purely motivated by research, of course. As evidenced by the complaint, the team went out of its way to exact as big a reputational toll as possible on AT&T, and even Apple to a lesser extent. It cost AT&T money to make the situation right for customers and certainly compromised the privacy of innocent third parties who merely registered on AT&T’s network.
Hence, the Justice Department pursued criminal charges against Auernheimer and Spitler. Specifically, both were charged with conspiracy to access a computer without authorization and fraud in connection with personal information.
Spitler pleaded guilty to both counts in June 2011. Auernheimer was found guilty on both counts in federal court in New Jersey last week. His lawyer has vowed to appeal the verdict.
What has some in the security community concerned is the definition of unauthorized access in the first count. The portion of the Computer Fraud and Abuse Act (CFAA) that the two were charged for breaching makes it illegal to intentionally access a computer without authorization and thereby obtain information from a “protected computer.” AT&T’s Web servers represented protected computers because they affect interstate commerce, the government charged.
However, the issue, according to some in the security community, is that the team essentially entered numbers into URLs, which yielded the email addresses. Does that constitute unauthorized access?
“Web crawlers … are automatic indexers which search through content on a website and index the information for easy access in search engines. This is a regular part of the Internet that is essential to the functionality of websites such as Google and Yahoo,” analysts at one well-respected security consultancy wrote to clients in a report. The firm requested anonymity because of the sensitivity of the matter.
“Most commentators believe that if data is revealed to un-authorized users who use the above technique, then the responsibility is on the data owner to secure that information behind a password or some other authentication mechanism. If [these individuals] can be arrested for adjusting a URL in a numerical sequence, then to what degree can other users be arrested for entering any URL?”
An analyst from the same firm jested in an interview that Auernheimer probably “would have faced a lot less severe penalties if he just sold the information to the Russian mob.” The person said now individuals performing such exploits, either for good or bad, will be “much less inclined to be upfront with the companies about the vulnerabilities that they find.”
Christopher Soghoian, a senior policy analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union, expressed similar concerns.
“It is alarming that AT&T has not been held accountable for its awful security,” he said in an email. “Had AT&T employed the most basic security mechanisms, weev (Auernheimer) would never have been able to download anything.”
An AT&T spokesperson declined to comment on the matter.
Neither Soghoian nor the ACLU have any connection to Auernheimer or any involvement with the case. Soghoian, who is also a visiting fellow at Yale Law School's Information Society Project, has a long history of exposing and publicizing security flaws that compromise security at major companies and government agencies.
Auernheimer’s attorney, Tor Ekeland, plans on taking a similar argument to Soghoian at Auernheimer’s appeal.
“The key fact here is that no password or security was bypassed. It was essentially information AT&T servers published based on a query from a web browser,” he said. “This is no different from when you type” a URL into a Web browser.
Ekeland said he took the case on a pro bono basis because he is worried about the broader implications it could have.
“The theory of unauthorized access the government pushed is that it is unauthorized access because AT&T said it was. That to us is a dangerously broad and vague interpretation that criminalizes what people consider normal behavior,” he said.
Attorneys for the Justice Department declined to comment specifically for this report, citing the ongoing nature of the case. However, they point out the fact that Auernheimer was found guilty on both counts by a jury of his peers. They also defended the basis for their unauthorized access charges as part of a 48-page brief filed with the court in opposition to the defendant’s initial motion to dismiss the case.
“The relevant definitions of unauthorized access are clear and unambiguous, and provide reasonable persons with fair notice that their conduct puts them at risk of punishment,” the brief said.
The brief suggests the ICC-ID number is similar to a person’s social security number in that it is “unique to every iPad (and) qualifies as an individualized grant of access.”
Then there is the matter of Auernheimer’s intent when he accessed AT&T’s systems.
“Rather than remain silent about his criminal conduct, the defendant boasted about his crime on his weblog and posted a link to the Gawker article,” the brief said. The brief also noted repeatedly that Auernheimer “described his conduct as a ‘theft’” in emails he sent to media organizations.
Daniel Stein, a lawyer at Richards Kibbe & Orbe and a former U.S. prosecutor, who isn’t involved in the case, said proving criminal hacking doesn't always need to rely on a defendant's motive to make financial gains. The intention of ones actions are important when mounting such a case, he said.
“In a criminal case it’s ultimately what you can convince the jury of based on the circumstantial evidence,” he said. “These guys were trying to get attention for this security hole. It strikes me as fairly straightforward application of that statute."