{"id":35461,"date":"2022-04-05T14:59:31","date_gmt":"2022-04-05T18:59:31","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=35461"},"modified":"2024-11-08T15:33:30","modified_gmt":"2024-11-08T20:33:30","slug":"forged-emergency-data-requests","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/04\/05\/forged-emergency-data-requests\/","title":{"rendered":"Forged Emergency Data Requests"},"content":{"rendered":"

William Turton<\/a>:<\/p>\n

\n

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.”<\/p>\n

[…]<\/p>\n

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co. and Nvidia Corp., among others, the people said.<\/p>\n

[…]<\/p>\n

The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the Apple guideline states.<\/p>\n<\/blockquote>\n\n

Juli Clover<\/a>:<\/p>\n

\n

Typically, Apple provides this information with a search warrant or subpoena from a judge, but that does not apply with emergency requests because they are used in cases of imminent danger.<\/p>\n<\/blockquote>\n\n

Brian Krebs<\/a>:<\/p>\n

\n

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.<\/p>\n

[…]<\/p>\n

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.<\/p>\n

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.<\/p>\n

[…]<\/p>\n

“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”<\/p>\n<\/blockquote>\n\n

Bruce Schneier<\/a>:<\/p>\n

\n

The “credentials” are even more insecure than we could have imagined: access to an email address. And the data, of course, isn’t very secure. But imagine how this kind of thing could be abused with a law enforcement encryption backdoor.<\/p>\n<\/blockquote>\n\n

Nick Heer<\/a>:<\/p>\n

\n

Yet again<\/a>, the most effective techniques for illicitly obtaining information are confidence tricks, not technical expertise.<\/p>\n<\/blockquote>\n\n

Brian Krebs<\/a>:<\/p>\n

\n

The current scourge of fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for privileged subscriber data. In July 2021, Sen. Wyden and others introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.<\/p>\n

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.<\/p>\n<\/blockquote>\n\n

However, hackers could still get unauthorized access to the digital signing key instead of the e-mail account.<\/p>\n\n

Thomas Clement<\/a>:<\/p>\n

\n

This is exactly why end-to-end encryption exists, which iCloud is still not doing.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n