Old US military equipment being sold on eBay contained what appeared to be biometric data from troops, known terrorists and people who may have worked with US forces in Afghanistan and other countries in the Middle East, according to a report by the New York Times. The devices were purchased by a group of hackers who found fingerprints, iris scans, photos of people and descriptions, all unencrypted and protected only by a “well-documented” default password. In a blog post, the hackers called obtaining the sensitive data “downright boring” given how easy it was to read, copy and analyze.
Matthias Marx, who led the group’s efforts to research the devices, doesn’t think the data itself is boring, however, calling the fact that they were able to get their hands on it “incredible.” Although the club plans to delete the data once it completes its investigation, what it has already discovered raises concerns about how closely the military guarded this information.
This is especially true given reports last year that the Taliban had acquired biometric devices as the US withdrew from Afghanistan. As several commentators have pointed out, the data that may or may not remain on the devices could help identify people who have aided US forces. The US also built biometric databases of Iraqi citizens. Speaking to Wired in 2007, a US official said of the database: “essentially what it becomes is a hit list if it falls into the wrong hands.” (It’s worth noting that the devices wouldn’t necessarily allow someone to use Afghanistan’s main population database unless they had access to additional equipment, according to The Intercept — small comfort for those whose data was stored locally on the device.)
In total, members of the Chaos Computer Club purchased six devices, which the Times says the military used about a decade ago to collect biometric information at checkpoints and during patrols, checks and other operations. Two of the devices — both Secure Electronic Enrollment Kits, or SEEK IIs — had information left on their memory cards. According to the hackers, one of the devices contained 2,632 people’s names and “highly sensitive biometric data” that appeared to have been collected around 2012.
One of the devices cost just $68, according to the Times. The paper also says the company that sold it on eBay after acquiring it at auction didn’t know it contained sensitive data, according to one of the employees it spoke to. Another company would not comment on how it obtained the devices it sold to the club. In theory, the devices were supposed to be destroyed once they stopped being used.
It’s no surprise that they are available for sale online – decommissioned military equipment often ends up in private hands. The disturbing part is that the data was left on at least some of them, and that no one caught it before the devices were sold on eBay (which is technically a violation of the platform’s policies against selling computers containing personal information). The response from the US and device vendors is also not reassuring: when contacted by the Times, the Department of Defense simply requested that the devices be sent back. The Chaos Computer Club says it also contacted the Department of Defense and was told to contact SEEK’s manufacturer, HID Global. The hackers say they have not received a response.