Using compromised email accounts belonging to police departments and government agencies, hackers are forging Emergency Data Requests (EDRs) and sending them to online platforms, mobile carriers, and ISPs to obtain sensitive user data.
Big Tech companies such as Apple and Meta are falling for the hoax and are complying with the fake orders.
Before providing user data, ISPs and tech platforms require a subpoena or a search warrant. However, they can also release the data in response to an EDR, as long as the police department or government agency proves the urgency of the request.
On Tuesday, KrebsOnSecurity reported on the increase in fraudulent EDRs, noting that there is no way for a company to know if an EDR is fake. Hackers are exploiting that loophole, with some creating fake EDRs and selling them online to other criminals.
Discord confirmed to KrebsOnSecurity that it had recently complied with a fake EDR. Bloomberg also reported that both Meta and Apple had processed fraudulent EDRs.
In response to these stories, Oregon’s Sen. Ron Wyden expressed concern and asked tech companies and government agencies to provide information on the prevalence of fraudulent EDRs.
“Recent news reports have revealed an enormous threat to Americans’ safety and national security,” Wyden said in a statement provided to KrebsOnSecurity. “I’m particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals.”
“I’m requesting information from tech companies and multiple federal agencies to learn more about how emergency data requests are being abused by hackers,” Wyden’s statement continues. “No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed. Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.”
The spike in fake EDRs shows that government agencies should not rely solely on email to request personal data from tech companies.