Hackers masquerading as law enforcement officials allegedly hoodwinked Apple and Meta, goading the two tech giants to surrender user data. Citing “three people close to the matter,” a Wednesday Bloomberg News report revealed the malicious actors used forged legal documents to bamboozle Apple and Meta.
According to Bloomberg, Apple and Meta surrendered “basic subscriber details,” including customers’ phone numbers and IP addresses.
In mid-2021, hackers reportedly used forged Emergency Data Requests (EDRs) to obtain Apple and Meta’s user data. Typically, requests for user data require a search warrant or a judge-signed subpoena, however, EDRs don’t require court-ordered documents. As such, malicious hackers can bypass hawk-eyed vetting and gain access to ill-gotten data.
Cybersecurity journalist Brian Krebs called this hacking method “terrifying,” but “highly effective.”
“It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death,” Krebs said in a recent blog post.
Just as Krebs described it, Bloomberg revealed the hackers likely breached law enforcement email systems, stole templates for legitimate legal requests, forged signatures, and used them to deceive Apple and Meta.
According to the three people cited in the Bloomberg report, a cybercriminal group called “Recursion Team” is allegedly behind the mid-2021 hack. Some cybersecurity experts believe that some of the malicious actors are also a part of Lapsus$, the cybercrime group that breached Samsung, Nvidia, Microsoft and other companies.
“Recursion Team is no longer active, but many of its members continue to carry out hacks under different names, including as part of Lapsus$,” Bloomberg said.
You may be wondering, “What is ‘Recursion Team’ doing with the data they obtained with Apple and Meta?” Well, the hackers allegedly used the ill-gotten information to carry out harassment campaigns and financial fraud.
The question is, how do we mitigate this issue? Security specialist Nicholas Weaver told Krebs that the only way to combat counterfeit EDRs is to have the FBI serve as the sole identity provider for all state and local enforcement, but even that has drawbacks.
“How does the FBI vet in real-time that some request is really from some podunk police department?” Weave pondered.
If the FBI isn’t up for the task, we hope Apple and Meta come up with stricter security protocols to handle incoming law enforcement requests. It won’t be easy, but the consumers’ trust depends on it.