US military biometric capture devices loaded with data were sold on eBay

Old US military equipment being sold on eBay contained what appears to be biometric data from troops, known terrorists and people who may have worked with US forces in Afghanistan and other countries in the Middle East, according to a report by New York Times. The devices were bought by a group of hackers, who found fingerprints, iris scans, people’s photos and descriptions, all unencrypted and protected by a “well documented” default password. In a blog post, the hackers called getting hold of the sensitive data “downright boring”, given how easy it was to read, copy and analyze.

However, Matthias Marx, who is leading the group’s efforts to investigate the devices, doesn’t think the data itself is boring, calling the fact that they had been able to obtain it “incredible.” Although he plans to delete the data after the club finishes its research, what they have already found raises concerns about how closely the military guarded this information.

This is especially true given reports from last year that the Taliban obtained biometric devices when the US withdrew from Afghanistan. As several commentators have pointed out, the data that may or may not remain on the devices could help identify individuals who had aided US forces. The US also built biometric databases of Iraqi citizens. Talking to The cable in 2007, a US official said of the database: “What it essentially becomes is a hit list if it gets into the wrong hands.” (It is worth noting that the units would not necessarily allow anyone to use the master database of Afghanistan’s population unless they had access to additional equipment, according to The intercept — little comfort for those whose data was stored locally on the device.)

In all, members of the Chaos Computer Club purchased six units, which Times says the military used about a decade ago to collect biometric information at checkpoints and during patrols, screenings and other operations. Two of the devices – both Secure Electronic Enrollment Kits, or SEEK IIs – had information left on the memory cards. According to the hackers, one of the devices contained 2,632 people’s names and “highly sensitive biometric data” that appeared to have been collected around 2012.

The device cost them just $68, according to Times. The outlet also says the company that sold it on eBay after buying it from an auction was unaware it contained sensitive data, according to one of the employees it spoke to. Another company would not comment on how it had obtained the devices it sold to the club. In theory, the devices should have been destroyed after they ceased to be used.

It’s not a surprise that they are available for sale online — decommissioned military equipment often ends up in private hands. The disturbing part is that the data was left on at least some of them, and no one caught it until the devices were sold on eBay (which technically violates the platform’s policy against selling computers with personally identifiable information). The response from the US and device suppliers is also not reassuring; when they are contacted by Times, the Ministry of Defense just asked for the device to be sent back. The Chaos Computer Club says it also contacted the DoD, and was asked to get in touch with SEEK’s manufacturer, HID Global. The hackers say they have received no response.

Leave a Reply

Your email address will not be published. Required fields are marked *