According to The New York Times, old US military equipment being sold on eBay held biometric data on soldiers and known terrorists, as well as on people who may have worked in Afghanistan or other Middle Eastern countries.
A group of hackers purchased the devices and found fingerprints, iris scans, photos, and descriptions. All of it was unencrypted, protected only by a default password, and with no documented process for handling it.
The hackers wrote that it was “downright boring” to get at sensitive data, given the ease with which they could read, copy and analyze.
Matthias Marx, who led the group’s research into the devices, said the data itself is not boring; he called the fact that they could access it at all “unbelievable” and said he would delete the data once the club had finished its research. What they found raises questions about how tightly the military protected this information.
This is especially true considering reports last year that the Taliban obtained biometric devices during the US withdrawal from Afghanistan. Many commentators have noted that the data on the devices may contain information that could be used to identify those who helped US forces. The US also created biometric databases of Iraqi citizens.
Wired spoke to a US official about the database in 2007. (The devices would not allow anyone to access the master database of Afghanistan’s citizens without additional equipment; that is little comfort for those whose data was stored locally on the device itself.)
The Chaos Computer Club bought six devices in total. According to the Times, the military used the devices around a decade ago for biometric information during screenings, patrols, and other operations.
Two devices, both Secure Electronic Enrollment Kits (or SEEK IIs), had data left on their memory cards. The hackers claim that one device contained the names of 2,632 people along with “highly sensitive biometric” data. This data appeared to have been collected around 2012.
According to the Times, the device cost them just $68; the company that purchased the device from an auction and sold it on eBay didn’t know it contained sensitive data. Another company declined to comment on how it obtained the devices it sold to the club. The devices should have been destroyed when they were no longer being used.
It shouldn’t be a surprise that these items are available online. A great deal of decommissioned military equipment ends up in private hands. What is disconcerting is that data was left on at least some of them and that nobody caught it before they were sold on eBay. This technically violates the platform’s policies against selling computers containing personally identifiable information.
The US and the vendors of the devices have not responded to our inquiries. When the Times contacted the Department of Defense, it requested that the device be returned by mail. According to the Chaos Computer Club, it also reached out to the DoD and was instructed to contact HID Global, the manufacturer of the SEEK. The hackers say they received no response.