Senator concerned about hackers stealing user data using police email accounts
The Senate is beginning to take notice of reports that hackers are forging “emergency data requests” to obtain data from tech companies such as Apple, with one senator beginning to investigate the issue of confidentiality.
On March 29, a report revealed that hackers were taking advantage of compromised government and police email accounts, allowing them to impersonate law enforcement officials. Using those email accounts and connected services, hackers were able, in some cases, to request data from tech companies.
Specifically, hackers have abused “emergency data requests” (EDRs), demanding data on the claim that there is a threat of imminent harm or death. EDRs can provide law enforcement with data on an urgent basis, without requiring a warrant or subpoena.
However, since it is not possible to quickly verify the legitimacy of an EDR, hackers are finding success with the technique.
Following the initial report and a March 30 follow-up by Bloomberg confirming that Apple had complied with some requests, the issue caught the attention of lawmakers.
In a statement to KrebsOnSecurity on Thursday, Sen. Ron Wyden said the issue was “a huge threat to the safety and national security of Americans.” Wyden was further concerned that some EDRs “came from compromised foreign law enforcement agencies and then used to target vulnerable people.”
Wyden said he was seeking information from tech companies and federal agencies to learn more about the issue. “No one wants tech companies to deny legitimate emergency requests when someone’s safety is at stake, but the current system has obvious weaknesses that need to be addressed,” the senator said.
This isn’t the first time Wyden has tackled the issue of authentication when it comes to court orders. In July 2021, Wyden and other senators introduced the Digital Authenticity of Court Orders Act, which would call for a fund to be provided to state and tribal courts, to help them adopt digital signature technology to potentially reduce counterfeit court orders.
As today’s EDRs are routed through compromised but legitimate email accounts with no real way to confirm the sender’s identity, it is plausible that a similar digital signature system could be used by law enforcement to the same effect.