Tuesday, April 5, 2022

Forged Emergency Data Requests

William Turton:

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.”

[…]

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co. and Nvidia Corp., among others, the people said.

[…]

The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the Apple guideline states.

Juli Clover:

Typically, Apple provides this information with a search warrant or subpoena from a judge, but that does not apply with emergency requests because they are used in cases of imminent danger.

Brian Krebs:

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

[…]

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

[…]

“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”

Bruce Schneier:

The “credentials” are even more insecure than we could have imagined: access to an email address. And the data, of course, isn’t very secure. But imagine how this kind of thing could be abused with a law enforcement encryption backdoor.

Nick Heer:

Yet again, the most effective techniques for illicitly obtaining information are confidence tricks, not technical expertise.

Brian Krebs:

The current scourge of fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for privileged subscriber data. In July 2021, Sen. Wyden and others introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

However, hackers could still get unauthorized access to the digital signing key instead of the e-mail account.

Thomas Clement:

This is exactly why end-to-end encryption exists, which iCloud is still not doing.

Previously:

8 Comments RSS · Twitter

>In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

Perhaps treating "24" as a documentary was the original sin.

>This is exactly why end-to-end encryption exists, which iCloud is still not doing.

Trickier than it sounds. Do you kill the web client? How about iCloud for Windows: do you write a whole mechanism to authenticate a Windows machine against iCloud, or do you kill access from Outlook to iCloud Mail, too? Etc.

@Sören At the least, the services that don’t have web clients could be E2E.

Yeah. I was thinking e-mail in particular, maybe because you spoke of e-mail in the paragraph above the quote.

One possible way would be to combine “The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” with pre-authorisation of police departments and a 2FA token (such as an RSA token with rotating number). Thus compromising the email would be insufficient since you would also need the token.

Of course, that still leaves the normal social engineering of the podunk police department, but at least it is more limited than just compromising email.

"Do you kill the web client?"

There are cloud services with end-to-end encryption that have web clients. It's not magic, it's just more work.

"the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately"

Quick, this person is threatening to shoot hostages unless we tell him his ex-girlfriend's new address!

"Perhaps treating "24" as a documentary was the original sin."

What! Are you telling me that just randomly torturing everybody is not the best way to prevent terrorism? My life is a lie.

>There are cloud services with end-to-end encryption that have web clients. It's not magic, it's just more work.

Are there? I imagine that's quite tricky, especially with browsers aggressively purging local storage (and therefore your private key) after a while.

For example, WhatsApp until recently just didn't bother at all and only allowed a single device (your phone); every other computer of yours just acted as a client to that device, rather than to the service. That way, only one key (the phone's) needed to exist. Now they have a setup more like iMessage, where each computer generates its own key, and each transmitted message is encrypted separately with each of those keys.

> What! Are you telling me that just randomly torturing everybody is not the best way to prevent terrorism?

That, too, but more generally, I was saying let's not model policing based on the rare extreme worst-case scenario of "everything is on fire and we can only catch the criminal if we throw away all privacy precautions right this second" and rather the far more common scenario of "actually, police investigations are grueling, tiresome work that takes months and often fails altogether, and throwing technology at that doesn't move the needle much anyway, so there should be plenty of time for Apple to do a few phone calls to verify that the police request is, in fact, legit".

Maybe allowing law enforcement to request things with no oversight is the problem...

Old Unix Geek

@MattB and who watches the watchers?

Ultimately there is only one solution: end to end encryption. But the "authorities" don't like this solution, because they want to see and judge our every act.

Quoting from https://www.eff.org/cyberspace-independence :

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.

We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.

Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.

You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.

You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don't exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.

Leave a Comment