FBI Takes iPad Hacker Into Custody

The FBI announced it detained a member of a group of computer programmers allegedly involved in the Apple iPad 3G security breach that exposed the identities of more than 100,000 iPad users, including celebrities and top government officials. The breach occurred through an exploit of AT&T’s website, which allowed the organisation access to iPad users’ email addresses. The arrest of Andrew Auernheimer, 24, came after the FBI searched his house and found drug paraphernalia, the agency reported.

The Wall Street Journal reported FBI Special Agent Bryan Travers confirmed the search and Auernheimer was being held on state drug charges. The paper also reported a man named Kyle Barnthouse, identifying himself as the spokesman of Goatse Security, the group behind the breach, was not involved in writing the code leading to the security breach at AT&T. The telecommunications giant runs the wireless network the iPad operates on. The leak was first reported on Gawker, which noted political luminaries such as White House Chief of Staff Rahm Emmanuel and New York City Mayor Michael Bloomberg were among those whose email addresses were exposed through the breach.

AT&T dishonest?

Auernheimer, who operates under the pseudonym Weev, has been linked to several attacks on Internet sites and a group of computer hackers that exposed a flaw in AT&T security, which allowed the email addresses of iPad users to be revealed. After the breach, AT&T sent an email to iPad 3G owners impacted by the leak of 114,000 email addresses last week, blaming the incident on “unauthorized computer hackers” and promises to cooperate with the federal investigation into the incident.

Goatse Security revealed on 9 June that it had obtained the email addresses using a script that exploited a feature on the AT&T website. In defending itself following the letter AT&T sent to its customers, Auernheimer, writing under the name “Escher,” wrote a blog post calling AT&T dishonest. “AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable,” he wrote. “It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organisation might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.”