Senator concerned by hackers stealing user data using police email accounts

By Malcolm Owen

The Senate is starting to take notice of reports hackers are forging "emergency data requests" to gain data from tech companies such as Apple, with one starting to investigate the privacy issue.

On March 29, a report surfaced revealing hackers were taking advantage of compromised government and police email accounts, enabling them to pretend to be law enforcement officials. By using the email accounts and connected services, the hackers were able to demand data from tech companies in some instances.

Specifically, the hackers abused "emergency data requests" (EDRs), demanding data on the claim there is the threat of imminent harm or death. EDRs can provide law enforcement with data urgently, without requiring a court order warrant or subpoena.

However, since it is not possible to verify the legitimacy of an EDR quickly, hackers are seeing success with the technique.

Following the initial report, and a follow-up confirmation by Bloomberg on March 30 confirming Apple complied with some requests, the problem has caught the attention of lawmakers.

In a statement to KrebsOnSecurity on Thursday, Senator Ron Wyden said the problem was "an enormous threat to Americans' safety and national security." Wyden was further concerned by the prospect some EDRs "may be coming from compromised foreign lawn enforcement agencies and then used to target vulnerable individuals."

Wyden said he was requesting information from tech companies and federal agencies to learn more about the problem. "No-one wants tech companies to refuse legitimate emergency requests when someone's safety is at stake, but the current system has clear weaknesses that need to be addressed," the senator said.

This is not the first time Wyden has looked into the problem of authentication when it comes to court orders. In July 2021, Wyden and other senators introduced the Digital Authenticity for Court Orders Act, which would call for a fund to be provided to state and tribal courts, to help them adopt digital signature technology to potentially cut down counterfeit court orders.

As current EDRs are funneled through compromised legitimate email accounts with no real way to confirm an identity, it is plausible that a similar digital signature system could be employed by law enforcement for a similar effect.