eBay has sold data-loaded US military biometric capture device devices

According to eBay, an old US military equipment sold on eBay contained biometric data from troops, known terrorists, and people who may be related to US forces in Afghanistan or other Middle East countries. report from New York times. The devices were bought by hackers who discovered fingerprints, iris scans as well as pictures of people and descriptions. All of this was unencrypted, and protected with a default, “well-documented”, password. in a blog postHackers describe obtaining sensitive data to be “downright tedious” due to the ease with which it is to read and copy, and then parse.

Matthias Marks, who was the leader of the group’s efforts in finding the devices, said that the data isn’t boring. However, he called the fact that they were able to access it “preposterous”. He plans to delete the data when the club is done with its research. However, what they have found raises concerns about the military’s security.

This is especially true when you consider that reports from last year suggest that the Taliban acquired biometric devices during the United States’ withdrawal from Afghanistan. Many commenters have pointed this out: data that may or not be stored on devices can be used to identify individuals who have aided US forces. The United States has also created biometric databases for Iraqi citizens. Talking to Wired in 2007One US official from the database stated that “what would essentially become an hit list if they fell into the wrong hand” (It’s worth noting, however, that the hardware will not allow anyone to access the main population database for Afghanistan unless they have access other equipment. to me The objection– A small convenience to those whose data is kept locally on their device.

Chaos Computer Club members bought six machines in total. TimesThe military claims that it was used to collect biometric data at checkpoints during patrols, screenings, or other operations about a decade back. Two of the devices, both Secure Electronic Enrollment kits or SEEK IIs, have information left on their memory cards. The hacker claims that one of the devices contained 2,632 individuals’ names and “highly confidential biometric data” that was apparently collected around 2012.

The device is only $68, according to Times. According to an employee I spoke with, the outlet claims that the company that purchased it from an auction and sold it on eBay didn’t know it contained sensitive information. Another company has yet to comment on how it acquired the equipment it sold the club. In theory, the devices should not have been used again.

It is not surprising that these items are available for sale online – often, decommissioned military equipment ends up in private hands. The problem is that the data was not properly removed from at least some of them before they were sold on eBay. This technically violates the platform’s policies against selling computers containing personally identifiable information. The US and the hardware vendors’ responses are not encouraging. TimesThe Department of Defense requested that this device be returned to it by mail. Chaos Computer Club claims it has also contacted Department of Defense and been instructed to contact HID Global, the manufacturer of the SEEK. According to hackers, they have not received any response.