Why conviction of the AT&T iPad ‘hacker’ is a problem for us all


The security researcher responsible for exposing a hole in AT&T’s website that revealed more than 100,000 iPad owners’ email addresses and unique device IDs was convicted today on federal charges. He faces a maximum sentence of 10 years behind bars and fines of up to $500,000. Why is this a big deal for the rest of us? He didn’t actually “hack” AT&T’s system any more than you are “hacking” this website right now.

The AT&T iPad hack

Andrew “weev” Auernheimer, 26, was convicted on one count of conspiracy to gain access to a computer without authorization, and one count of identity theft, in a federal court in New Jersey today. Wired reports that the jury only took hours to reach a verdict.

Auernheimer’s case goes back to 2010 when he and fellow self-described security researcher Daniel Spitler, 26, discovered that AT&T’s website would reveal the email address of iPad owners who used the wireless provider’s 3G network. And it would do this without requiring any passwords or code-breaking. Instead, all AT&T’s system needed was something called an ICC-ID, which is a unique ID number assigned to each iPad. Input the ICC-ID into AT&T’s website, and it would spit out a registered iPad user’s email address.

So Auernheimer and Spitler decided to investigate how deep the hole went by writing a program called “iPad 3G Account Slurper,” which would automatically input ICC-IDs, and collect the revealed email addresses. The result: More than 120,000 email addresses revealed, according to authorities, including those of high-profile figures like New York City Mayor Michael Bloomberg, former White House Chief of Staff Rahm Emanuel, and ABC News’s Diane Sawyer, among others.
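The flaw described above is an unauthenticated lookup that maps a predictable device identifier to an account holder's email address, which is exactly the kind of endpoint a bulk "slurper" can walk through. The following Python is an added example, not AT&T's code or the researchers' tool; the endpoint path, log format, account records and ICC-ID values are all constructed for illustration. It shows two defensive pieces side by side: the hardened form of such a lookup (the caller must be logged in and must own the ICC-ID, and unknown and foreign IDs get the same answer), and a simple detector that reads access-log lines and flags any client requesting many distinct ICC-IDs inside a short window.

```python
"""Hardened ID-to-email lookup plus enumeration detection over web access logs.
Added example; the endpoint, log format and all data below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Hypothetical account store: ICC-ID -> (account id, email). Constructed values.
ACCOUNTS = {
    "8901410321111111111": ("acct-1", "alice@example.com"),
    "8901410321111111112": ("acct-2", "bob@example.com"),
}


def lookup_email_unauthenticated(icc_id):
    """Weak design: anyone who supplies a valid ICC-ID gets the email back."""
    rec = ACCOUNTS.get(icc_id)
    return rec[1] if rec else None


def lookup_email_authorized(session_account, icc_id):
    """Hardened form: the caller must be authenticated and the ICC-ID must belong
    to the caller's own account. Missing, unknown and foreign IDs all return None,
    so the endpoint cannot be used to probe which IDs exist."""
    if session_account is None:
        return None
    rec = ACCOUNTS.get(icc_id)
    if rec is None or rec[0] != session_account:
        return None
    return rec[1]


# Common-log-style request line (constructed format for this example).
LOG_RE = re.compile(r'^(\S+) - - \[([^\]]+)\] "GET (\S+) HTTP/1\.[01]" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_enumeration(log_lines, endpoint="/device/lookup", param="icc_id",
                       window=timedelta(minutes=5), threshold=10):
    """Return {client: max distinct IDs seen in any window} for clients that
    requested at least `threshold` distinct ICC-IDs against `endpoint` within
    `window`. A legitimate owner checks one or two IDs; a slurper walks many."""
    events = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, target, _status = m.groups()
        url = urlparse(target)
        if url.path != endpoint:
            continue
        ids = parse_qs(url.query).get(param)
        if not ids:
            continue
        events[client].append((datetime.strptime(ts, TS_FMT), ids[0]))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        seen = defaultdict(int)  # ICC-ID -> occurrences inside the sliding window
        for t, icc in evs:
            seen[icc] += 1
            while evs[start][0] < t - window:  # evict requests older than the window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(seen))
    return flagged


def make_log_line(client, when, icc_id, status=200):
    """Build one constructed access-log line in the format LOG_RE expects."""
    return (f'{client} - - [{when.strftime(TS_FMT)}] '
            f'"GET /device/lookup?icc_id={icc_id} HTTP/1.1" {status} 58')


# Constructed sample log: one client walks 15 sequential IDs in ~2.5 minutes,
# another checks its own single ID three times over three minutes.
BASE = datetime(2010, 6, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [make_log_line("203.0.113.7", BASE + timedelta(seconds=10 * i),
                   str(8901410321111110000 + i)) for i in range(15)]
    + [make_log_line("198.51.100.4", BASE + timedelta(minutes=i),
                     "8901410321111111111") for i in range(3)]
)

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # only the walking client is flagged
```

The authorization check is the real fix: once the lookup is bound to the logged-in owner, enumeration returns nothing useful regardless of how many IDs are tried. The detector is the compensating control for the interval before such a fix ships, or for catching the same pattern against other identifier-keyed endpoints; the window and threshold are tuning knobs, not fixed values.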

The pair then leaked the data to Gawker, which published a story about the security hole in AT&T’s system. AT&T then confirmed the “breach,” and the FBI launched an investigation. Auernheimer and Spitler were charged by January 2011. Spitler pled guilty to the charges, and later settled. Auernheimer fought the charges, and lost today. In a tweet posted after the verdict came in, Auernheimer said he “went in knowing there would be a guilty [verdict] here,” and he’s “appealing of course.”

What Auernheimer and Spitler (really) did wrong

Official charges aside, the main problems for Auernheimer and Spitler arose from their apparent “trolling” of AT&T. In chat logs published by Wired, the pair admitted to discovering the breach, and joked about plans to use the security hole to make AT&T look irresponsible. Later chat logs with other individuals showed that some floated plans to short AT&T’s stock ahead of the Gawker article on the assumption that it would cause the company’s shares to fall. (They did – though neither Auernheimer nor Spitler took part in any short-selling.)

Furthermore, AT&T said that the pair did not contact AT&T directly about the security hole, which is standard practice for security researchers. Lastly, Auernheimer marketed himself and Spitler to the media as “Goatse Security” (a play on the infamous goatse shock website), but the two were in fact just a pair of individuals, not a legitimate cybersecurity organization.

In short: Auernheimer and Spitler were massive jerks to AT&T and the customers whose data they collected, and made a name for themselves by doing so.

Why this is bad for the rest of us

As tempting as it may be to argue that Auernheimer and Spitler got what they deserved, one must also recognize that Auernheimer’s prosecution highlights a massive flaw in the law under which he was convicted.

Known as the Computer Fraud & Abuse Act, or CFAA, the law states that it is illegal to have “knowingly accessed a computer without authorization.” It also prohibits garnering “information from any protected computer.” Problem is, CFAA was written in 1986, before the Web existed, at a time when accessing most computers or networks required a password. That is no longer the case: Every time you visit a website, you are in effect accessing a computer without explicit authorization to do so.

“Everybody here accesses a protected computer by the definition of the law,” said Auernheimer while the jury was deliberating, according to TechNewsDaily. “The ‘protected computer’ is any network computer. You access a protected computer every day. Have you ever received permission from Google to go to Google? No. Nobody has …”

While Auernheimer’s example is simplistic, it perfectly explains his bind: All he and Spitler did was access AT&T’s website and gather information from it – no system breach took place since anyone could technically access the same information.

Cybersecurity expert Robert David Graham explained the situation in a blog post this way:

A well-known legal phrase is ‘ignorance of the law is no defense.’ But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act has crossed the line between ‘authorized’ and ‘unauthorized’ access. We won’t know until if and when somebody tries to prosecute you.

Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying ‘look at what these idiots have done.’ As a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA.

As Graham later explains, the vagueness of CFAA, and today’s prosecution of Auernheimer, gives cybersecurity researchers a disincentive to find security flaws, which in turn makes the rest of us less safe on the Web.

“For cybersecurity researchers like me, this creates a chilling effect. In order to fix security we have to point out when it’s broken,” he wrote. “When we see [a security flaw], what do we do? Do we keep our head down, or do we speak up? Even if we’ll probably be found innocent, why take the risk? Better to keep quiet.”
