A security researcher who was convicted of accessing a non-password-protected portion of AT&T's Web site and sentenced to more than three years in prison has appealed his conviction.
Andrew Auernheimer, who goes by the nickname "Weev," was convicted by a federal jury last year of hacking and sentenced to 41 months in prison for exploiting a security hole on AT&T's servers to obtain the e-mail addresses of more than 100,000 iPad users.
Auernheimer and co-defendant Daniel Spitler were arrested and charged in January 2011 after they created a script to download the records and gave the results to Gawker. Auernheimer was convicted last November of one count of conspiracy to gain unauthorized access to computers and one count of identity theft. Spitler pleaded guilty to the charges in June 2011.
In their appeal, filed Monday with the U.S. Court of Appeals for the Third District, Auernheimer's lawyers contend that Auernheimer's actions did not constitute theft because, as a result of AT&T's lax security, the information was freely available on the Internet.
The appeal notes that AT&T had linked the users' Integrated Circuit Card ID (ICC-ID), the serial number on iPad SIM cards, with their e-mail addresses. When a user visited AT&T's Web site, the e-mail field would automatically be populated based on the device's ICC-ID.
Auernheimer and Spitler discovered that a new e-mail address would appear when they changed a single digit in the ICC-ID. Spitler then wrote a script called the "iPad 3G Account Slurper" to harvest the e-mail addresses and associated unique iPad numbers.
"AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers," the appeal reads. "The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information."