According to a story from The New York Times, outdated US military equipment being sold on eBay contains what seems to be biometric data from soldiers, known terrorists, and individuals who may have cooperated with American forces in Afghanistan and other Middle Eastern nations.
The devices were bought by a team of hackers, who discovered unencrypted data, including fingerprints, iris scans, users’ photos, and descriptions, secured by a “well-documented” default password. Given how simple it was to read, copy, and analyze the sensitive material, the hackers described acquiring access to it in a blog post as “downright boring.”
Matthias Marx, who oversaw the team’s investigation into the gadgets, does not, however, find the information to be monotonous and finds it “unbelievable” that they were able to obtain it. After the team’s investigation is complete, he intends to delete the data, but what they’ve already discovered raises questions about how strictly the military kept this material.
This is particularly important in light of information from the previous year that the Taliban acquired biometric equipment as the US was leaving Afghanistan. The information that may or may not stay on the devices may be used to identify individuals who had assisted American soldiers, as many observers have noted.
The Devices Contained Data of Several People Involved in the Afghanistan-US Wars
Six devices total, which the Times reports the military employed around ten years ago to collect biometric data at checkpoints and during patrols, inspections, and other activities, were acquired by members of the Chaos Computer Club. Information was still present on the memory cards of two of the gadgets, both Secure Electronic Enrollment Kits II. One of the devices, according to the hackers, included “susceptible biometric data” and the names of 2,632 persons. This data looked to have been gathered around 2012.
The Times claims that the gadget only cost them $68. The site also claims that according to one of the workers it talked to, the firm that bought it from an auction and sold it on eBay didn’t know it held critical data. Another business refused to discuss where it obtained the gadgets it supplied to the group. The devices should have been destroyed when they are no longer in use, according to theory.
It’s hardly surprising that they are offered for sale online, given how often private individuals acquire retired military hardware. The unsettling aspect is that nobody discovered that at least some of them had the data on them before the gadgets were auctioned on eBay.
When contacted by the Times, the Department of Defense asked that the gadget be returned back, which is not a very encouraging reaction from the US or the equipment makers. According to the Chaos Computer Club, the DoD advised them to get in touch with the SEEK’s maker, HID Global. The hackers claim they didn’t hear back.