Fake law enforcement with encryption backdoors


Brian Krebs reported a growing trend of fake law enforcement requests to hand over user data, which companies are falling for:

[…] some hackers have figured out there is no quick and easy way for a company that receives one of these [Emergency Data Requests] to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

Bruce Schnier connects the logical dots with a related issue we’ve been warning about ever since former prime minister Malcolm Turnbull said the “laws of maths don’t trump the laws of Australia”:

The “credentials” are even more insecure than we could have imagined: access to an email address. And the data, of course, isn’t very secure. But imagine how this kind of thing could be abused with a law enforcement encryption backdoor.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.