AT&T IPad Hacker Faces Jail

A 26-year-old man who last year helped hackers steal personal information belonging to about 120,000 iPad users pleaded guilty to fraud and hacking charges in a New Jersey court Thursday.

Daniel Spitler pleaded guilty in federal court to two felony charges, according to Rebekah Carmichael, a spokeswoman with the U.S. Department of Justice. He faces a maximum of 10 years in prison on the charges, but his plea agreement recommends a 12- to 18-month sentence.

He is one of two men charged in the June 2010 incident that embarrassed Apple and AT&T and brought international attention. The other man, Andrew Auernheimer, is still in negotiations over a plea agreement, according to court records. Both men are facing charges in the U.S. District Court for the District of New Jersey.

At the time of the incident, Goatse hackers claimed that they were merely trying to make AT&T aware of a security issue on its website. They discovered that anyone could query the site and learn the e-mail addresses and unique ICC-ID (integrated circuit card identifier) numbers belonging to the iPad users.

According to reports and court filings, they wrote a script that guessed the ICC-ID numbers (used to identify the iPad’s SIM card) and then queried AT&T’s website until it returned an e-mail address. Spitler had been accused of co-authoring this software, called “iPad 3G Account Slurper.”

The group uncovered e-mail addresses belonging to members of the military, politicians, and business leaders including New York Mayor Michael Bloomberg and former White House Chief of Staff Rahm Emanuel.

The incident became a huge embarrassment for AT&T after Auernheimer and Spitler handed their findings over to a reporter at Gawker.com.

In interviews after the hack, Auernheimer said his group had notified AT&T about the issue. But online chat logs filed in court by the prosecution cast doubt on that claim. “[Y]ou DID call tech support right?” asked one hacker, named Nstyr, in a chat log excerpt obtained by prosecutors. “[T]otally but not really,” Auernheimer replied. “[I] don’t… care [I] hope they sue me.”

In other chat log excerpts, Spitler and Auernheimer appear to be publicizing their data in order to cause the maximum amount of embarrassment to the companies involved — for “lols,” in hacker-speak. At one point, Spitler asks Auernheimer, “where can we drop this for max lols?”

On Thursday Goatse spokesman Leon Kaiser said iPad users would have faced serious consequences if the group hadn’t gone public with its information. “Goatse Securities’ disclosure process was kinder and safer than many well-respected security researchers,” he said in an e-mail message. “AT&T refused to take responsibility for this gaping hole, and instead decided to take it out on two of our own in order to save face.”

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com