Thread
Back in '94, @BillClinton signed #CALEA , mandating that all voice-capable switches include a "lawful interception" backdoor that would let cops listen in on phone calls without having to actually physically access the switch itself.
en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act 1/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
pluralistic.net/2022/03/30/lawful-interception/ 2/
CALEA came with three promises:
I. The backdoor would only be used by cops;
II. They would get a warrant first;
III. It would only apply to voice traffic, not the internet.
All of these promises were lies. 3/
Anyone who's ever watched a detective show where a PI says, "I have a cop who can run that license plate" knows that if you give cops oversight-free, unaudited access to a database, you're also giving access to anyone any cop owes (or sells) a favor to. 4/
When CALEA passed, its opponents warned that a "voice capable" switch would soon be indistinguishable from an "internet" switch. 5/
About a decade later, the FBI successfully argued that internet switches were now capable of carrying voice traffic, so they, too, must have CALEA backdoors. 6/
That didn't just expose Americans to surveillance by cops, their friends, and anyone who gained access by pressuring or impersonating a cop. Vendors installed CALEA backdoors in all their switches, to ensure that they could access the US market. 7/
These backdoors made their way into countries *without* CALEA mandates, where they were abused. 8/
Most notoriously: the Greek prime minister and dozens of other senior officials were wiretapped in 2004 and 2005, in the run-up to and during the Athens Olympics. Greece doesn't have CALEA on its law-books, but it *did* have CALEA-compliant switches, with the lawful-interception feature built in, in its telephone network.
www.schneier.com/blog/archives/2007/07/story_of_the_gr_1.html 9/
Any time you mandate "extraordinary access" to an otherwise secure system, you create an opportunity for exploitation by criminals, spies, and snoops. 10/
Take the "Emergency Data Request" (#EDR), a US system that allows cops to demand warrantless access to your online account data. 11/
This is supposed to be used in white-hot emergencies, like kidnappings or Jack Bauer-style hypotheticals where there's a ticking bomb and only warrantless access will let you defuse it. 12/
By their nature, EDRs are meant to be obeyed without a sanity-check or other verification. When a provider gets an EDR from a cop, they're supposed to hop to, because the alternative might abet a murder or other grave crime. 13/
If a provider thinks an EDR is legit, they'll honor it. But with 18,000 US police agencies, there's no way to validate an EDR *a priori*, and if just one of those police agencies suffers a breach, anyone who can exploit it can issue their own EDRs. 14/
Ever hear of LAPSUS$? That's the notorious hacker gang (apparently helmed and operated by teens) that has been on a planetary rampage, stealing and dumping sensitive data and blackmailing governments, corporations and individuals.
www.wired.com/story/lapsus-okta-hack-sitel-leak/ 15/
LAPSUS$'s methods were a mystery, but now @briankrebs sheds light on how the gang pulled it off: they impersonated cops, issuing EDRs to service providers, who *just handed over data* they used to break into agencies, companies, and personal accounts.
krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/ 16/
In 2021, a criminal connected to LAPSUS$ - a 14 year old who used the handle Everlynn - advertised EDRs sent from a real law-enforcement agency's accounts, and sold this capability to would-be hackers for $150.
Everlynn understood something that the creators of EDRs did not. 17/
In their sales pitch, they wrote, "This is very illegal and you will get raided if you don’t use a vpn. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more." 18/
Everlynn's identity was revealed by a dox attack allegedly launched by "White," a founder of LAPSUS$; they were colleagues in an earlier hacking group called Recursion Team. 19/
White, in turn, was allegedly outed by the staff who worked under him at a site called Doxbin, who were upset that White's mismanagement exposed the site's user database. 20/
These children aren't criminal mastermind prodigies, in other words: they're normal, fallible people, who nevertheless gained access to EDR facilities that compromised governments, corporations and individuals around the world. 21/
Everlynn isn't the only bad actor using EDRs to compromise accounts. One of Krebs's sources, who goes by KT, reports that this is a common tactic, and the go-to pretense is "Terroristic threats with a valid reason to believe somebody’s life is in danger." 22/
Among the targets successfully compromised with this tactic is Discord, which was induced to reveal sensitive user information in less than 30 minutes. 23/
Discord admitted to Krebs that it had been fooled: "we later learned that [the law enforcement account that sent the EDR] had been compromised by a malicious actor." 24/
How do bad actors gain access to police email accounts? The same way they gain access to any service: compromising the agency's web server and installing a reverse shell; guessing passwords; or reusing passwords leaked in breaches of other services. 25/
Krebs's expert sources are pessimistic about the possibility of fixing the EDR system. Former DoJ prosecutor @mdrasch told him that "spotting unauthorized EDRs would require these companies to somehow know and validate the names of every police officer in the United States." 26/
UC Berkeley's @ncweaver told Krebs that securing EDRs is "a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale." 27/
This is a lesson as old as CALEA - if you create a backdoor that tens of thousands of people can access, then you create a backdoor that anyone can access, because it's impossible to prevent the impersonation, subordination, or corruption of that many people. 28/
Image:
Paulo Valdivieso (modified)
www.flickr.com/photos/p_valdivieso/42906748201/
CC BY-SA 2.0:
creativecommons.org/licenses/by-sa/2.0/ 29/