After blocking Meta* in Russia, the company keeps getting into stupid situations. True, this time with Apple itself. It became known that companies were irresponsible for user data and leaked it to hackers. But it was not intentional: the companies were duped. If everything has been clear for a long time with Meta*, then it’s a shame for Apple: we’re starting to think about this notorious privacy that the company regularly reminds us of. However, let’s try to understand how it happened, what data apple gave to hackers and is it worth caring about.
❗️ ПОДПИСЫВАЙТЕСЬ НА НАШ КАНАЛ В ЯНДЕКС.ДЗЕНЕ, ЧТОБЫ ПЕРВЫМИ УЗНАТЬ ВСЕ НОВОСТИ ОБ APPLE!
Apple leaks data
According to Bloomberg, it was learned that Apple and Meta* were providing user data to hackers posing as law enforcement agents. They received addresses, phone numbers and IP addresses in the middle of last year in response to bogus requests from authorities. Typically, these requests are granted when a search warrant or subpoena is needed, but these urgent requests do not require a court order. Companies no possibility refuse these requests.
Snap, which owns Snapchat and Zenly, is also known to be suspected of leaking data, but it’s unclear whether the company provided data for bogus claims. Cybersecurity experts believe that some of the requests were made by minors from the US and UK, and one of the participants is a member of the Lapsus$ group. I remind you that it is this group which is accused of having hacked Microsoft, Samsung and Nvidia. The police are already investigating the perpetrators.
Пользоваться ворованным Айфоном станет сложнее. Вот что придумала Apple
Apple hacked by hackers
The fact is, law enforcement around the world routinely requests data from IT companies as part of investigations. In the United States, these requests are accompanied by an order from a judge. The emergency requests discussed above are intended as a last resort in situations involving imminent threat to life or danger. Such demands may be part of a campaign against tech giants.
According to people familiar with the situation, the hackers used the information they received to harass users and create more fraudulent schemes. Thus, knowing the information about the victim, attackers could use it to hack and bypass account protection. Krebs on Security reported that hackers forged an emergency request to get data from Discord. The social network has already confirmed that the employee approved the fake request, and even managed to find excuses:
Although our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been hacked by an attacker. We have since investigated this illegal activity and notified law enforcement of the compromised email account.
The requests were sent from hacked email addresses belonging to law enforcement agencies in different countries. They contained fake signatures of real and fictitious departmental employees, and applications were created based on existing sample templates. It is known that in any case, in the company, a person responded to these requests, trying to act according to the rules.
Давайте оставаться на связи! Подписывайтесь на наш Telegram-чат!
Apple Security Policy
Meanwhile, from the Apple and Meta* documents, the approximate emergency request volumes become clear. The Cupertino-based company notes that it received 1,162 requests from 29 countries between July and December, and the data was approved 93% of the time. At the same time, Meta* received around 22,000 emergency requests in 6 months, the company gave the green light to 77% of them. Just imagine how much Apple transferred data per year? Meta* said they transfer data depending on the circumstances. About how applications are checked, the company did not respond.
It should be noted that Apple accepts legal requests to its e-mail address, provided that they are transmitted from the official address of the department. True, it is not difficult to hack it. It is even easier to buy data on the dark web. And they don’t cost that much. This is confirmed by Jin Yu, director of cybersecurity firm Resecurity:
Underground dark online stores contain stolen email accounts for law enforcement that can be sold with cookies and metadata attached for between $10 and $50.
There is no solution to this problem yet. Turns out it’s not that hard to fool Apple. Experts say it’s impossible to fully protect departmental email addresses from hacking. At the moment there is only one solution – it is to check incoming requests as carefully as possible. True, this can lead to sad consequences and a threat to people’s lives. Otherwise Apple will continue to disclose data right and left.
*Meta, as well as Instagram and Facebook are extremist organizations banned in the territory of the Russian Federation.