Protecting yourself from fraudulent EDR requests

Cybercriminals are using fraudulent Emergency Data Requests (EDRs) to convince tech companies to give them sensitive user data. Read on for more information about the problem and some tips to help you stay safe.

What is an Emergency Data Request?

An EDR allows law enforcement to request user data from an internet service provider (ISP), mobile carrier, or other tech company. Normally, a request like that would involve a court order. But EDRs bypass the standard constitutional safeguards, because they’re used when law enforcement believes someone is in imminent danger.

EDRs can save lives. But they create a dilemma for tech companies. The cybersecurity news site KrebsOnSecurity sums it up very well: Any company that receives an EDR

…finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

Unfortunately, this is exactly why hackers recently managed to trick major tech companies — including Discord, Meta, and Apple — into giving up their users’ personal data. 

Why do companies fall for fraudulent EDRs?

The reason that hackers were able to send fraudulent EDRs that companies believed is simple: They hacked law enforcement agencies.

As the KrebsOnSecurity piece explains, the bad actors involved in the recent rash of fraudulent EDRs first compromised the email accounts of law enforcement personnel. They then used those accounts to send bogus EDRs to companies. In terms of how the hacking actually happens, there are a variety of possibilities: exploiting a security vulnerability in a police department’s website, an insider selling account access on the dark web, or good old-fashioned social engineering.

What is the impact?

It’s scary to think that bad guys can impersonate the police and get companies to give them our personal data. But what’s the real-world impact of this sort of criminal activity?

It’s difficult to say. In the case of Meta and Apple, the hackers asked for basic subscriber details. These included IP addresses, home addresses, and phone numbers. That may sound fairly innocuous, but as we noted in the aftermath of the 2021 Facebook data breach, bad guys can easily use such information for social engineering, identity theft, account takeovers, and phone phishing. 

Bloomberg reporters spoke with officials investigating the incident. They were told that the stolen data “has been used to enable harassment campaigns” and that it may be “used to facilitate financial fraud schemes” by helping hackers “bypass account security”.

And that’s just one incident. The trouble is, at the moment companies have no way to know if an email from law enforcement is from a compromised account or not. In other words, it could happen again. 

And next time, the hackers may be after more than “basic” details. Apple’s EDR form is open-ended when it comes to the information that an officer can request. KrebsOnSecurity discovered a sales thread on a hacker forum promising access to a government email account for the express purpose of sending fraudulent EDRs. The seller mentioned the possibility of using an EDR to obtain explicit photos of users.

How to stay safe

As an individual, there’s not much you can do to stop cybercriminals from hacking police departments. And you can’t really help tech companies validate their EDRs.

However, there’s a basic cybersecurity principle that can keep you safe here. It applies to fraudulent EDRs and other security and privacy threats as well. The principle is this:

If a company never has access to your data in the first place, they can’t lose it — or give it away.

Here are some ways to apply this important concept on a day-to-day basis:

1. Limit the personal data you give out

   Many people hand over their data to anyone who asks. It’s a bad habit, because it increases your potential exposure in the event of a data breach or a phony EDR.

   Facebook, for example, asks for your phone number when you sign up for an account. But they don’t require it. So…why give it to them? If a bad guy sends a fraudulent EDR to Facebook asking for your phone number, but you never provided one, then all Facebook can tell the requester is: “Sorry, we don’t have a number on record for this user”.

   As a general rule: If you’re not required to give a company your personal information, then don’t! That goes for phone numbers, home addresses, full legal names, and just about anything else you can think of.

2. Don’t provide location access

   Whenever possible, restrict access to your location data. The same basic principle applies here: If a company doesn’t have a record of where you’ve been, they can’t leak it or hand it over to a bad actor.

   That’s not to say you should turn off Location Services altogether. There are some important and helpful features, such as Apple’s Find My, that require it. In such cases, providing access to your location data is probably worth the risk — especially considering what could happen if you lose an iPhone without Find My enabled. And besides, Apple only retains Find My location data for 24 hours before deleting it, so your exposure is minimized.

   But there are loads of apps and services that have no business knowing your location — and yet collect as much user location data as they can, retaining it for far longer than Apple does. The big-name culprits here are Google and Facebook, but lots of smaller companies do this as well.

   In iOS, you can go to Settings > Privacy > Location Services and scroll down to allow or deny location access on an app-by-app basis. Err on the side of caution!

3. Use end-to-end encryption whenever possible

   All communications apps encrypt your messages as they’re routed through the company’s servers. But there’s encryption, and then there’s encryption!

   It’s best to avoid messaging tools where the tech companies hold the encryption keys that can decrypt your messages. Instead, use an end-to-end encrypted (E2EE) messaging app. In end-to-end encryption, the data in your message can only be read by you and the receiver — the system is designed so that no third party (including the tech company behind the app) can read your messages. If a bad actor asks an E2EE service for your messages, all they can say is: “Sorry, what you’re asking for is cryptographically impossible!”

   When it comes to E2EE messaging apps, Signal is the gold standard. If you’re messaging another Apple user, the native Messages app is end-to-end encrypted by default as well. If you want to make sure that your emails are encrypted end to end, then you can use a service like ProtonMail or Tutanota.

4. Store highly sensitive data securely

   If you need to “write down” a sensitive piece of information digitally, don’t use a standard Notes note or rely on the old trick of sending yourself an email. These methods store data in a form that’s safe from prying eyes, but still accessible to a company.

   Instead, use E2EE to protect your most sensitive data. On a Mac, you can use Secure Notes in Keychain Access to create an end-to-end encrypted note — in other words, a note that even Apple can’t decrypt. You can also turn an ordinary Notes note into an end-to-end encrypted, password-protected Secure Note: Apple’s website has instructions for how to do this.

   If you’re not using an Apple platform, or if you’re a cross-platform user, not to worry. Many password manager apps also offer an E2EE secure notes feature.

5. Know the encryption status of your backups

   Many things that you back-up to iCloud — including Photos and standard Notes — are not protected by end-to-end encryption. This means that Apple can, if necessary, access them. As one group of criminals discovered, this even applies to backups of your Messages conversations: Even though the Messages app itself is E2EE, the message backups you store in iCloud aren’t!

   If you’re not sure what’s end-to-end encrypted in iCloud and what isn’t, Apple provides that information on its website. For complete privacy, back up your files to an external drive, or locally on a FileVault protected Mac.

   It’s a trade-off, however, since this may not be convenient or as reliable as you’d like. There is an alternative, but it requires some conscious effort: Make sure that nothing truly sensitive is being backed up to iCloud. If you have confidential messages or “highly personal” photos, store those separately

6. Use a VPN

   ISPs are known to log all kinds of information about your IP address, the sites you visit, and more. The best way to ensure that these companies can never reveal your web history to a third party is to make sure that they don’t have it.

   VPNs work by encrypting your network traffic and routing it through a VPN server. That means that the only thing an ISP can really see is that you’re connecting to an IP address associated with a VPN. The details of your web activity, including the sites you’re visiting, remain private. For better privacy, use a reputable, no-logs VPN whenever you go online.

More best practices for strong security

There’s one other cybersecurity concept that’s relevant here: mitigating the impact of a breach. 

You may not be able to stop bad actors using fraudulent EDRs from getting hold of your personal data. But you can take steps to limit the damage if it happens. Here are three essential tips:

1. Use burner emails for sign-ups

   Sometimes you have to give some information to a company or service in order to sign up. That’s fine, but you can still retain some control over the information you give — and how connected it is to the rest of your digital life.

   If you’re an iCloud+ user, Apple lets you create unique “burner” email addresses with the Hide My Email feature. Whenever you sign up for a new app or website, you can give them a throwaway email that forwards to your iCloud email.

   This places a bit of distance between the email on record with a company and your actual email address: the address that’s associated with your real name and other important accounts. If someone sends a fake EDR to company X, they may get your account’s burner email address. But it will be a throwaway account that isn’t linked to anything else.

2. Use app-based 2FA

   One of the dangers of a hacker knowing your name and phone number is that they can use it to facilitate account takeovers or SIM-swapping attacks.

   To harden your account security, use app-based two-factor authentication (2FA) whenever possible. Popular options include Authy and Google Authenticator.

   App-based 2FA provides the added protection of a second authentication factor, but isn’t linked to your SIM card, and doesn’t rely on insecure SMS messages.

3. Use virtual phone numbers for key accounts

   Certain accounts don’t allow you to use app-based 2FA (banks are notoriously old-fashioned in this way), and there are also other risks associated with someone knowing the phone number on a sensitive account.

   For better security, you can get a secret virtual phone number that you use for your most important accounts (e.g., your bank). If your virtual phone number is only linked to a handful of accounts, and isn’t tied to you publicly in any other way, that lessens the impact of someone obtaining your day-to-day phone number from another company.

How to weigh risks vs benefits

In general, cybersecurity is a matter of balance, and of trade-offs.

Many people in the security community use tools like iCloud Photos backups. They understand the risk of someone compromising their Photos. But they believe that the risk of losing cherished photographs outweighs the security benefits of a local encrypted backup.

Because everyone’s situation is different, individuals have to decide what risks they’re willing to take, and what trade-offs they’re willing to accept. We hope the information here will help you understand your options, and make more informed choices.