Old US military equipment sold on eBay contained biometrics of troops, known terrorists and people who may have worked with US troops in Afghanistan and other Middle Eastern countries, according to a report by The New York Times. The devices were purchased by a group of hackers, who found fingerprints, iris scans, photos of people and descriptions, all unencrypted and protected only by a “well-documented” default password. In a blog post, the hackers called it “downright boring” to get to the sensitive data given the ease with which it could be read, copied and analyzed.
However, Matthias Marx, who led the group’s efforts in researching the devices, doesn’t find the data itself boring, calling the fact that they got their hands on it “incredible.” While he plans to delete the data after the club finishes its investigation, what they’ve already found raises concerns about how closely the military was guarding this information.
That’s especially true given last year’s reports that the Taliban acquired biometric devices as the US pulled out of Afghanistan. As several commentators have pointed out, the data that may or may not remain on the devices could help identify people who helped US troops. The US also built biometric databases of Iraqi citizens. Speaking to Wired in 2007, a US official said of the database: “What it essentially becomes is a hit list if it gets into the wrong hands.” (It’s worth noting that the devices wouldn’t necessarily let someone use the main Afghan population database unless they had access to additional equipment, according to The Intercept – small consolation for those whose data is stored locally on the device.)
In total, members of the Chaos Computer Club bought six devices, which the Times says the military used about a decade ago to collect biometric information at checkpoints and during patrols, screenings and other operations. Two of the devices – both Secure Electronic Enrollment Kits, or SEEK IIs – contain information on their memory cards. According to the hackers, one of the devices contained 2,632 people’s names and “highly sensitive biometric data” that appeared to have been collected around 2012.
The device cost them just $68, according to the Times. The outlet also says the company that sold it on eBay after buying it at auction didn’t know it contained sensitive data, according to one of the employees it spoke to. Another company declined to comment on how it obtained the devices it sold to the club. In theory, the devices should have been destroyed once they were no longer in use.
It’s no surprise that they’re for sale online – decommissioned military equipment often ends up in private hands. The worrying thing is that the data was left on at least some of them and no one caught it before the devices were sold on eBay (which is technically a violation of the platform’s policy against selling computers with personally identifiable information). The reaction from the US and the device vendors is not reassuring either; when contacted by the Times, the Department of Defense only requested that the device be returned. The Chaos Computer Club says it has also contacted the DoD and was told to contact the SEEK manufacturer, HID Global. The hackers say they have not received a response.