Hacker admits AT&T iPad attack

A San Francisco man has admitted writing the code used to steal the personal data of 120,000 iPad users from AT&T servers last June.

Daniel Spitler, 26, pleaded guilty in a New Jersey federal court to  identity theft and conspiracy to gain unauthorized access to internet-connected computers. Each charge carries a potential penalty of five years in jail and a $250,000 fine.

Spitler was arrested in January, along with 25-year-old Andrew Auernheimer, of Arkansas. Both are members of the self-styled ‘internet troll’ group Goatse Security.

The attack was carried out using an ‘account slurper’, which hit AT&T servers with random sets of login info, harvesting the combinations which worked.

Until mid-June 2010, AT&T automatically linked an iPad 3G user’s email address to the Integrated Circuit Card Identifier (ICC-ID) – a unique number associated with individual iPads. The aim was to give faster, more user-friendly access to the site.

But Spitler was able to exploit this to write a script called the “iPad 3G Account Slurper” and use it against AT&T’s servers.

“The magnitude of this crime affected everyone from high ranking members of the White House staff to the average American citizen,” said Michael B Ward, special agent in charge of the FBI’s Newark Division.

“It’s important to note that it wasn’t just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information.”

Spitler’s admitted to discussing the data breach – including how to destroy evidence of the crime – with Auernheimer. Auenheimer remains on bail.

Spitler will be sentenced on September 28.