When law enforcement agencies want to obtain user data from big tech platforms without a court order, they can submit “emergency data requests” in cases that involve imminent risk of serious physical injury or death. This widely criticized practice (some might call it a “loophole”) is likely to face greater public scrutiny with the revelation that hackers were able to forge these data requests and make off with protected user data from Apple and Meta in mid-2021.
It is unclear who was behind the forgery campaign, but some inside sources believe that the user data was taken for use in either financial crimes or harassment campaigns.
Emergency data request system successfully exploited by hackers
Anonymous inside sources told Bloomberg reporters that an attack campaign conducted in the middle of 2021 netted sensitive user data from Apple and Meta, with the hackers posing as legitimate law enforcement agencies and claiming that the data was needed for investigations involving imminent risk of death. The amount of data turned over was not revealed, but the sources indicated that it included IP addresses plus the contact information that can generally be found in private account profiles, including physical addresses, email addresses and phone numbers. A judge is not required to sign off on these requests; agencies are generally only required to provide contact information for a supervisor who can verify the request.
Brian Higgins, security specialist at Comparitech, elaborates on how they usually work: “Emergency data requests from law enforcement are often vital in live ‘crime in action’ and vulnerable missing person cases among others. They come from dedicated units and registered investigators and by their very nature can frequently relate to vulnerable individuals, companies or groups. To describe the success of this methodology as a ‘slip-up’ is fairly accurate as the implementation of some very basic cyber hygiene (in this case a mandatory verification call-back for all emergency requests) on the part of Apple, Meta, or any law enforcement liaison team for that matter, would see attackers looking for other less simple ways to commit their crimes and offer an added layer of much needed protection.”
Apple receives about 2,000 of these emergency data requests every year, while Meta receives about 43,000. Apple provided user data for 93% of these requests in 2021, and Meta provided data 77% of the time. Meta issued a statement to the media indicating that the company reviews every one of these requests for “legal sufficiency” and uses “advanced systems” to validate them and detect abuse. Apple simply pointed reporters to its public guidelines for law enforcement requests.
The sources told Bloomberg that an investigation was underway and there were signs that either the LAPSUS$ or Recursion Team hacking groups were involved. LAPSUS$ has been involved in a string of high-profile attacks on tech companies in the last several months; suspected members of the group are under investigation in the United Kingdom, but there is also apparently at least one member in Brazil who is still at large (and this incident would have taken place well prior to any arrests). Recursion Team is a group that was active but is now thought to be out of business, and was composed of teenagers in the US and UK. Some of its members are thought to have migrated to LAPSUS$, which appears to be composed of UK members aged 16 to 21.
There are also reports that Snap received at least one of these forged data requests in the same general timeframe, but how the company responded is not known.
Platform user data exposed by the low bar for emergency request verification
Apple’s guidelines say that a requesting agency “may be contacted and asked to confirm” the legitimacy of these data requests, indicating that it may not be a mandatory part of the process. That in turn would imply that a suitably authentic-looking forgery could slip through the cracks, which may have been what happened in this case.
A post from KrebsOnSecurity in the wake of this incident highlighted how emergency data requests are open for abuse. Nearly all of the major tech companies hold user data that cyber criminals would be interested in, and all of them are subject to these law enforcement requests and are largely left alone to develop their own verification processes. Krebs notes that this process may be as little as verifying that the requesting email address is one from a legitimate police department or other law enforcement agency.
That opens the door for spoofing, of course, but Krebs also notes that some hackers have been able to obtain access to police systems and can send authentic-looking emails from legitimate accounts. Email authentication checks such as SPF and DKIM can catch a spoofed sender, but a message sent from a genuinely compromised agency account passes them, so only an out-of-band check (such as the call-back to an independently obtained number that Higgins suggests above) distinguishes a real request from a hijacked one. A convincing email is often enough to prompt an immediate response with user data, as companies do not want to be associated with a failure to prevent a crime that results in death. Some organizations reportedly respond to emergency data requests in as little as 30 minutes, clearly not enough time to vet requests beyond perhaps checking the validity of the requester’s email address.
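The two verification levels described above, as an added example that is not code from the original article, Apple, Meta or KrebsOnSecurity: a toy triage policy for inbound emergency data requests. The weak policy stops at the check Krebs describes (is the sender's domain a known agency domain?), so it accepts a spoofed message. The hardened policy also requires SPF and DKIM to pass for the From: domain, and then holds the request until a human has completed a call-back to a phone number taken from a directory the provider maintains itself, never from the message. The agency directory, domains, phone numbers and sample messages are all constructed for illustration.

```python
"""
Added example (not the article's, Apple's, Meta's or Krebs's code): a toy
triage policy for "emergency data request" emails. `weak_policy` is the
domain-only check; `hardened_policy` adds email authentication and an
out-of-band call-back. All domains, numbers and messages are constructed.
"""
import re
from email import message_from_string, policy

# Hypothetical directory of agencies the provider has vetted out of band.
# The call-back number lives here so attacker-controlled mail cannot supply it.
AGENCY_DIRECTORY = {
    "police.example.gov": {"agency": "Example City PD", "callback": "+1-555-0100"},
}


def from_domain(msg):
    """Domain of the first From: address (policy.default parses the header)."""
    addr = msg["From"].addresses[0].addr_spec
    return addr.rsplit("@", 1)[-1].lower()


def auth_results(msg):
    """Pull the spf= and dkim= verdicts and the DKIM signing domain out of the
    Authentication-Results header stamped by the receiving mail server."""
    hdr = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", hdr)
    dkim = re.search(r"\bdkim=(\w+)", hdr)
    d = re.search(r"header\.d=([\w.-]+)", hdr)
    return (spf.group(1) if spf else "none",
            dkim.group(1) if dkim else "none",
            d.group(1).lower() if d else "")


def weak_policy(raw):
    """The check the article says some providers stop at: known domain only."""
    msg = message_from_string(raw, policy=policy.default)
    return from_domain(msg) in AGENCY_DIRECTORY


def hardened_policy(raw, callback_confirmed=False):
    """Return 'reject', 'hold' or 'release'. `callback_confirmed` is set by an
    analyst only after phoning AGENCY_DIRECTORY[domain]['callback'] (not any
    number in the email) and having the named supervisor confirm the request."""
    msg = message_from_string(raw, policy=policy.default)
    dom = from_domain(msg)
    if dom not in AGENCY_DIRECTORY:
        return "reject"
    spf, dkim, dkim_domain = auth_results(msg)
    # A DKIM pass only counts if the signature was made by the From: domain.
    if spf != "pass" or dkim != "pass" or dkim_domain != dom:
        return "reject"  # spoofed sender (or relayed mail that lost alignment)
    # A compromised but genuine agency account passes every check above; the
    # call-back to the independently held number is what catches it.
    return "release" if callback_confirmed else "hold"


# Constructed sample messages. The receiving server's Authentication-Results
# header is what the policies read; the body is attacker-controlled text.
SPOOFED = """From: Detective Nobody <requests@police.example.gov>
To: lawenforcement@provider.example
Subject: EMERGENCY DISCLOSURE - imminent risk of death
Authentication-Results: mx.provider.example; spf=fail smtp.mailfrom=police.example.gov; dkim=none

Provide subscriber records for user 12345 immediately. Supervisor: +1-555-0199
"""

# Indistinguishable on the wire from a real request: this is what mail sent
# from a compromised agency account looks like.
AUTHENTIC_LOOKING = """From: Detective Nobody <requests@police.example.gov>
To: lawenforcement@provider.example
Subject: EMERGENCY DISCLOSURE - imminent risk of death
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=police.example.gov; dkim=pass header.d=police.example.gov

Provide subscriber records for user 12345 immediately. Supervisor: +1-555-0199
"""

UNKNOWN = """From: Detective Nobody <requests@police-example.net>
To: lawenforcement@provider.example
Subject: EMERGENCY DISCLOSURE - imminent risk of death
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=police-example.net; dkim=pass header.d=police-example.net

Provide subscriber records for user 12345 immediately.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("authentic-looking", AUTHENTIC_LOOKING), ("unknown", UNKNOWN)]:
        print(f"{name:18} weak={weak_policy(raw)!s:5} hardened={hardened_policy(raw)}")
    print("after confirmed call-back:", hardened_policy(AUTHENTIC_LOOKING, callback_confirmed=True))
```

The point of the `hold` state is that the spoofed and the compromised-account cases need different controls: SPF and DKIM alignment rejects the first automatically, while the second passes every automated check and is only resolved by a person calling the directory number and asking the supervisor whether the request is theirs. Treating the supervisor phone number in the email as authoritative would hand that call to the attacker.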
Tech companies have been pressured to update their cybersecurity practices due to the general wave of cybercrime that has taken place since the Covid-19 pandemic started, but as Jack Chapman (VP of Threat Intelligence for Egress) notes, “old-fashioned” social engineering and bribery approaches may be getting overlooked amid the focus on phishing and malware.
“In this case, cybercriminals combined multiple powerful social engineering tools to maximum effect. First, they compromised police email accounts to manipulate their victims into sharing user data out of a sense of duty towards law enforcement. In addition to this, they created a false sense of urgency using fictionalised life-or-death situations to further turn the screws on their victims. Understandably, their victims probably felt they had no choice but to comply … Tech companies have a duty to work with legitimate law enforcement, but as this incident shows, they must put in place more robust authentication processes to ensure they aren’t handing over sensitive user data to cybercriminals. They must also provide dedicated support for the people in their organisations responding to these requests which includes training on how to spot impersonation attempts. Tech companies are under increasing scrutiny to protect their users’ data and incidents like this could undermine user trust even further,” says Chapman.