Iris scans, fingerprints, and photos of over 2,600 people were found unencrypted and protected by a default password.
Old US military equipment being sold on eBay contained what appears to be biometric data from troops, known terrorists, and people who may have worked with American forces in Afghanistan and other countries in the Middle East, according to a report from The New York Times. The devices were purchased by a group of hackers, who found fingerprints, iris scans, people’s pictures, and descriptions, all unencrypted and protected by a “well-documented” default password. In a blog post, the hackers called getting at the sensitive data “downright boring,” given how easy it was to read, copy, and analyze.
Matthias Marx, who led the group’s efforts in researching the devices, doesn’t think that the data itself is boring, though, calling the fact that they had been able to get their hands on it “unbelievable.” Though he plans on deleting the data after the club finishes its research, what they’ve already found raises concerns about how closely the military guarded this information.
That’s especially true given reports from last year that the Taliban obtained biometric devices as the US was withdrawing from Afghanistan. As several commentators have pointed out, the data that may or may not remain on the devices could help identify people who had helped American forces. The US also built biometric databases of Iraqi citizens. Talking to Wired in 2007, one US official said of the database: “essentially what it becomes is a hit list if it gets in the wrong hands.” (It’s worth noting that the devices wouldn’t necessarily let someone use the master database of Afghanistan’s population, unless they had access to additional equipment, according to The Intercept — small comfort for those whose data was stored locally on the device.)
In all, members of the Chaos Computer Club purchased six devices, which the Times says the military used around a decade ago to gather biometric info at checkpoints and during patrols, screenings, and other operations. Two of the devices — both Secure Electronic Enrollment Kits, or SEEK IIs — had information left on their memory cards. According to the hackers, one of the devices contained 2,632 people’s names and “highly sensitive biometric data” that appeared to have been collected around 2012.
The device only cost them $68, according to the Times. The outlet also says the company that sold it on eBay after acquiring it from an auction wasn’t aware it contained sensitive data, according to one of the employees it spoke to. Another company wouldn’t comment on how it had gotten the devices that it sold to the club. In theory, the devices should’ve been destroyed after they stopped being used.
It’s not a surprise that they’re available for sale online — decommissioned military equipment often ends up in private hands. The disconcerting part is that the data was left on at least some of them and that nobody caught it before the devices were sold on eBay (which technically constitutes a violation of the platform’s policies against selling computers with personally identifiable information). The response from the US and device vendors is also not reassuring; when contacted by the Times, the Department of Defense just requested the device be mailed back. The Chaos Computer Club says it also contacted the DoD, and was told to get in touch with the SEEK’s manufacturer, HID Global. The hackers say they didn’t receive a response.
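The failure the article describes is a disposal-process failure: the memory cards were never verified as sanitized before the hardware left custody. The following is an added example, not code from the article, the Chaos Computer Club, or HID Global, of the kind of check a decommissioning team can run over a raw image of a storage card before a device is surplused. It reports whether any non-zero bytes remain, whether recognizable file headers (images, databases, archives) are present, and whether readable text runs survive. The signature list, the toy card image, and the "ENROLL" record format are all constructed for the illustration and do not reflect the real SEEK II data layout.

```python
"""Verify that a storage image from a device slated for disposal carries no
residual data.  Added illustration only; the image it inspects is built in
build_sample_image() and every value in it is made up."""
import re
from dataclasses import dataclass, field

# File headers worth flagging on an enrollment device.  Hypothetical list
# chosen for the example; extend it for the platform you actually decommission.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"SQLite format 3\x00": "SQLite database",
    b"PK\x03\x04": "ZIP container",
}


@dataclass
class SanitizationReport:
    size: int
    nonzero_fraction: float
    signatures: list = field(default_factory=list)  # (offset, description)
    text_runs: list = field(default_factory=list)   # printable ASCII runs

    @property
    def clean(self) -> bool:
        """True only when the image is all zeros and nothing was recognized."""
        return (self.nonzero_fraction == 0.0
                and not self.signatures
                and not self.text_runs)


def inspect_image(image: bytes, min_text_run: int = 12) -> SanitizationReport:
    """Scan a raw card image for residue a wipe should have removed."""
    nonzero = sum(1 for b in image if b != 0)  # fine for a demo; use numpy on real media
    report = SanitizationReport(
        size=len(image),
        nonzero_fraction=(nonzero / len(image)) if image else 0.0,
    )
    # Every occurrence of a known header, not just the first: a card can hold
    # thousands of records, and each one matters to the person it describes.
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := image.find(magic, start)) != -1:
            report.signatures.append((idx, desc))
            start = idx + 1
    # Runs of printable ASCII are a cheap proxy for names, IDs and dates.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_text_run, image):
        report.text_runs.append(m.group().decode("ascii"))
    return report


def build_sample_image(wiped: bool) -> bytes:
    """Construct a toy 4 KiB 'memory card'.  The unwiped version carries a
    fabricated enrollment record and a JPEG header, standing in for the kind
    of leftover data the article describes; nothing here is real."""
    if wiped:
        return bytes(4096)
    record = b"ENROLL;name=EXAMPLE PERSON;id=000000;collected=2012-01-01"
    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    payload = record + bytes(100) + jpeg_header + bytes(64)
    return payload + bytes(4096 - len(payload))


def main() -> None:
    for label, wiped in (("unwiped card", False), ("wiped card", True)):
        rep = inspect_image(build_sample_image(wiped))
        verdict = "OK to release" if rep.clean else "HOLD: residue found"
        print(f"{label}: {verdict}")
        print(f"  non-zero bytes: {rep.nonzero_fraction:.4f}")
        for off, desc in rep.signatures:
            print(f"  {desc} header at offset {off}")
        for run in rep.text_runs:
            print(f"  text: {run}")


if __name__ == "__main__":
    main()
```

The point of the all-zeros test is that it is independent of the filesystem: a card that was merely reformatted still reads back as "clean" through the OS but fails this check immediately. The signature and text scans catch the opposite case, where a partial overwrite left recognizable fragments behind. In practice the check runs on the raw block device, and a card that fails is reimaged or physically destroyed rather than shipped.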