Why conviction of the AT&T iPad ‘hacker’ is a problem for us all

The security researcher responsible for exposing a hole in AT&T’s website that revealed more than 100,000 iPad owners’ email addresses and unique device IDs was convicted today on federal charges. He faces a maximum sentence of 10 years behind bars and fines of up to $500,000. Why is this a big deal for the rest of us? He didn’t actually “hack” AT&T’s system any more than you are “hacking” this website right now.

The AT&T iPad hack

Andrew “weev” Auernheimer, 26, was convicted on one count of conspiracy to gain access to a computer without authorization, and one count of identity theft, in a federal court in New Jersey today. Wired reports that the jury only took hours to reach a verdict.

Auernheimer’s case goes back to 2010 when he and fellow self-described security researcher Daniel Spitler, 26, discovered that AT&T’s website would reveal the email address of iPad owners who used the wireless provider’s 3G network. And it would do this without requiring any passwords or code-breaking. Instead, all AT&T’s system needed was something called an ICC-ID, which is a unique ID number assigned to each iPad. Input the ICC-ID into AT&T’s website, and it would spit out a registered iPad user’s email address.

So Auernheimer and Spitler decided to investigate how deep the hole went by writing a program called “iPad 3G Account Slurper,” which would automatically input ICC-IDs, and collect the revealed email addresses. The result: More than 120,000 email addresses revealed, according to authorities, including those of high-profile figures like New York City Mayor Michael Bloomberg, former White House Chief of Staff Rahm Emanuel, and ABC News’s Diane Sawyer, among others.

The pair then leaked the data to Gawker, which published a story about the security hole in AT&T’s system. AT&T then confirmed the “breach,” and the FBI launched an investigation. Auernheimer and Spitler were charged by January 2011. Spitler pled guilty to the charges, and later settled. Auernheimer fought the charges, and lost today. In a tweet posted after the verdict came in, Auernheimer said he “went in knowing there would be a guilty [verdict] here,” and he’s “appealing of course.”

What Auernheimer and Spitler (really) did wrong

Official charges aside, the main problems for Auernheimer and Spitler arose from their apparent “trolling” of AT&T. In chat logs published by Wired, the pair admitted to discovering the breach, and joked about plans to use the security hole to make AT&T look irresponsible. Later chat logs with other individuals showed that some floated plans to short AT&T’s stock ahead of the Gawker article, on the assumption that it would cause the company’s shares to fall. (They did – though neither Auernheimer nor Spitler took part in any short-selling.)

Furthermore, AT&T said that the pair did not contact AT&T directly about the security hole, which is standard practice for security researchers. Lastly, Auernheimer marketed himself and Spitler to the media as “Goatse Security” (a play on the infamous goatse shock website), but they were in fact just two guys, not a legitimate cyber security organization.

In short: Auernheimer and Spitler were massive jerks to AT&T and the customers whose data they collected, and made a name for themselves by doing so.

Why this is bad for the rest of us

As tempting as it may be to argue that Auernheimer and Spitler got what they deserved, one must also recognize that Auernheimer’s prosecution highlights a massive flaw in the law under which he was convicted.

Known as the Computer Fraud & Abuse Act, or CFAA, the law states that it is illegal to have “knowingly accessed a computer without authorization.” It also prohibits garnering “information from any protected computer.” The problem is that the CFAA was written in 1986, before the Web existed, at a time when accessing most computers or networks required a password. That is no longer the case: every time you visit a website, you are in effect accessing a computer without explicit authorization to do so.

“Everybody here accesses a protected computer by the definition of the law,” said Auernheimer while the jury was deliberating, according to TechNewsDaily. “The ‘protected computer’ is any network computer. You access a protected computer every day. Have you ever received permission from Google to go to Google? No. Nobody has …”

While Auernheimer’s example is simplistic, it perfectly explains his bind: All he and Spitler did was access AT&T’s website and gather information from it – no system breach took place since anyone could technically access the same information.

Cybersecurity expert Robert David Graham explained the situation in a blog post this way:

A well-known legal phrase is ‘ignorance of the law is no defense.’ But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act has crossed the line between ‘authorized’ and ‘unauthorized’ access. We won’t know until if and when somebody tries to prosecute you.

Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying ‘look at what these idiots have done.’ As a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA.

As Graham later explains, the vagueness of CFAA, and today’s prosecution of Auernheimer, gives cybersecurity researchers a disincentive to find security flaws, which in turn makes the rest of us less safe on the Web.

“For cybersecurity researchers like me, this creates chilling effect. In order to fix security we have to point out when it’s broken,” he wrote. “When we see [a security flaw], what do we do? Do we keep our head down, or do we speak up? Even if we’ll probably be found innocent, why take the risk? Better to keep quiet.”
