Why conviction of the AT&T iPad ‘hacker’ is a problem for us all

The security researcher responsible for exposing a hole in AT&T’s website that revealed more than 100,000 iPad owners’ email addresses and unique device IDs was convicted today on federal charges. He faces a maximum sentence of 10 years behind bars and fines of up to $500,000. Why is this a big deal for the rest of us? He didn’t actually “hack” AT&T’s system any more than you are “hacking” this website right now.

The AT&T iPad hack

Andrew “weev” Auernheimer, 26, was convicted on one count of conspiracy to gain access to a computer without authorization, and one count of identity theft, in a federal court in New Jersey today. Wired reports that the jury only took hours to reach a verdict.

Auernheimer’s case goes back to 2010 when he and fellow self-described security researcher Daniel Spitler, 26, discovered that AT&T’s website would reveal the email address of iPad owners who used the wireless provider’s 3G network. And it would do this without requiring any passwords or code-breaking. Instead, all AT&T’s system needed was something called an ICC-ID, which is a unique ID number assigned to each iPad. Input the ICC-ID into AT&T’s website, and it would spit out a registered iPad user’s email address.

So Auernheimer and Spitler decided to investigate how deep the hole went by writing a program called “iPad 3G Account Slurper,” which would automatically input ICC-IDs, and collect the revealed email addresses. The result: More than 120,000 email addresses revealed, according to authorities, including those of high-profile figures like New York City Mayor Michael Bloomberg, former White House Chief of Staff Rahm Emanuel, and ABC News’s Diane Sawyer, among others.
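The lookup described in the two paragraphs above is the whole flaw: a public endpoint that maps a device identifier straight to an account email, with no login and no check that the requester owns that device. The following is an added illustration written for this page, not code from the article or from AT&T's system. It places that pattern beside a hardened version (authenticated session, ownership check, per-client rate budget) and adds the access-log check that a server operator could run to spot the kind of automated walk through identifiers the article describes. Every ICC-ID, email, session token, IP address and log line is constructed sample data.

```python
"""Added example: an identifier-to-email lookup with no access control,
its hardened counterpart, and an access-log check for bulk enumeration.
All data below is constructed; none of it is from the article."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed account table: ICC-ID -> registered email (sample data only).
ACCOUNTS = {
    "8901410000000000001": "alice@example.com",
    "8901410000000000002": "bob@example.com",
    "8901410000000000003": "carol@example.com",
}

# Constructed sessions: session token -> the ICC-ID that logged-in user owns.
SESSIONS = {"sess-alice": "8901410000000000001"}


def lookup_vulnerable(icc_id: str) -> Optional[str]:
    """The pattern the article describes: identifier in, email out.
    No authentication and no ownership check, so whoever can guess or
    walk the identifier space gets every registered address."""
    return ACCOUNTS.get(icc_id)


class Limiter:
    """Per-client sliding-window counter: at most `limit` calls per `window`."""

    def __init__(self, limit: int = 5, window: timedelta = timedelta(minutes=1)):
        self.limit, self.window = limit, window
        self.hits: Dict[str, List[datetime]] = defaultdict(list)

    def allow(self, client: str, now: datetime) -> bool:
        recent = [t for t in self.hits[client] if now - t < self.window]
        self.hits[client] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def lookup_hardened(session: str, icc_id: str, client: str,
                    now: datetime, limiter: Limiter) -> Optional[str]:
    """Same lookup, hardened. The email is released only to an authenticated
    session that owns the requested ICC-ID and only within the client's rate
    budget. Unknown, unowned and rate-limited requests all get the same None,
    so the response never confirms which identifiers exist."""
    if not limiter.allow(client, now):
        return None
    owner_icc = SESSIONS.get(session)
    if owner_icc is None or owner_icc != icc_id:
        return None
    return ACCOUNTS.get(icc_id)


# Constructed access-log lines: timestamp, client IP, ICC-ID requested, status.
# The first client asks about six different identifiers in three seconds,
# including ones that do not exist; the second asks only about its own.
SAMPLE_LOG = """\
2010-06-01T10:00:01 203.0.113.5 8901410000000000001 200
2010-06-01T10:00:01 203.0.113.5 8901410000000000002 200
2010-06-01T10:00:02 203.0.113.5 8901410000000000003 200
2010-06-01T10:00:02 203.0.113.5 8901410000000000004 404
2010-06-01T10:00:03 203.0.113.5 8901410000000000005 404
2010-06-01T10:00:03 203.0.113.5 8901410000000000006 200
2010-06-01T10:05:00 198.51.100.7 8901410000000000001 200
"""


def find_enumeration(log_text: str, max_distinct: int = 5,
                     window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Flag clients that request more than `max_distinct` different ICC-IDs
    within any `window`. Misses (404) count too: a legitimate user only ever
    asks about their own device, so a spread of lookups is the signal.
    Returns {client: largest distinct-ID count seen in one window}."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, icc_id, _status = line.split()
        events[client].append((datetime.fromisoformat(ts), icc_id))
    flagged: Dict[str, int] = {}
    for client, evs in events.items():
        evs.sort()
        worst = 0
        for i, (start, _) in enumerate(evs):
            ids = {icc for t, icc in evs[i:] if t - start < window}
            worst = max(worst, len(ids))
        if worst > max_distinct:
            flagged[client] = worst
    return flagged


if __name__ == "__main__":
    lim = Limiter()
    t0 = datetime(2010, 6, 1, 10, 0, 0)
    print(lookup_vulnerable("8901410000000000002"))          # bob@example.com
    print(lookup_hardened("sess-alice", "8901410000000000001", "203.0.113.5", t0, lim))
    print(lookup_hardened("sess-alice", "8901410000000000002", "203.0.113.5", t0, lim))
    print(find_enumeration(SAMPLE_LOG))                        # {'203.0.113.5': 6}
```

The ownership check is the part that closes the hole the article describes; the rate limit and the log check are defence in depth, since a bound identifier leaks nothing even without them, but they catch the case where some other endpoint is later found to behave like the first one.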

The pair then leaked the data to Gawker, which published a story about the security hole in AT&T’s system. AT&T then confirmed the “breach,” and the FBI launched an investigation. Auernheimer and Spitler were charged by January 2011. Spitler pled guilty to the charges, and later settled. Auernheimer fought the charges, and lost today. In a tweet posted after the verdict came in, Auernheimer said he “went in knowing there would be a guilty [verdict] here,” and he’s “appealing of course.”

What Auernheimer and Spitler (really) did wrong

Official charges aside, the main problems for Auernheimer and Spitler arose from their apparent “trolling” of AT&T. In chat logs published by Wired, the pair admitted to discovering the breach, and joked about plans to use the security hole to make AT&T look irresponsible. Later chat logs with other individuals showed some floated plans to short AT&T’s stock ahead of the Gawker article on the assumption that it would cause the company’s shares to fall. (They did – though neither Auernheimer nor Spitler took part in any short-selling.)

Furthermore, AT&T said that the pair did not contact AT&T directly about the security hole, which is standard practice for security researchers. Lastly, Auernheimer marketed himself and Spitler to the media as “Goatse Security” (a play on the infamous goatse shock website), but the pair were in fact just two guys, not a legitimate cyber security organization.

In short: Auernheimer and Spitler were massive jerks to AT&T and the customers whose data they collected, and made a name for themselves by doing so.

Why this is bad for the rest of us

As tempting as it may be to argue that Auernheimer and Spitler got what they deserved, one must also recognize that Auernheimer’s prosecution highlights a massive flaw in the law under which he was convicted.

Known as the Computer Fraud & Abuse Act, or CFAA, the law states that it is illegal to have “knowingly accessed a computer without authorization.” It also prohibits garnering “information from any protected computer.” The problem is that CFAA was written in 1986, before the Web existed, at a time when accessing most computers or networks required a password. That is no longer the case: Every time you visit a website, you are in effect accessing a computer without explicit authorization to do so.

“Everybody here accesses a protected computer by the definition of the law,” said Auernheimer while the jury was deliberating, according to TechNewsDaily. “The ‘protected computer’ is any network computer. You access a protected computer every day. Have you ever received permission from Google to go to Google? No. Nobody has …”

While Auernheimer’s example is simplistic, it perfectly explains his bind: All he and Spitler did was access AT&T’s website and gather information from it – no system breach took place since anyone could technically access the same information.

Cybersecurity expert Robert David Graham explained the situation in a blog post this way:

A well-known legal phrase is ‘ignorance of the law is no defense.’ But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act has crossed the line between ‘authorized’ and ‘unauthorized’ access. We won’t know until if and when somebody tries to prosecute you.

Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying ‘look at what these idiots have done.’ As a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA.

As Graham later explains, the vagueness of CFAA, and today’s prosecution of Auernheimer, gives cybersecurity researchers a disincentive to find security flaws, which in turn makes the rest of us less safe on the Web.

“For cybersecurity researchers like me, this creates a chilling effect. In order to fix security we have to point out when it’s broken,” he wrote. “When we see [a security flaw], what do we do? Do we keep our head down, or do we speak up? Even if we’ll probably be found innocent, why take the risk? Better to keep quiet.”
