WTF?! Stories about people selling electronic goods on eBay without clearing their storage are not unusual. However, no one expects that by buying a military device at an auction, you will find that it contains confidential biometric data about thousands of people. Nevertheless, this is exactly what a German security researcher discovered, paying only $68 for one of the cars.
The New York Times reports that Mathias Marx, head of a group of European researchers called Chaos Computer Club, bought six biometric data collection devices on eBay, most of which cost less than $200. The group intended to analyze the machines to search for vulnerabilities after The Intercept’s 2021 report on the Taliban’s seizure of similar equipment. One of the items, a hand-held device designed to take fingerprints and scan the iris of the eye, Marx managed to get for only $ 68, which is much less than the stated price of $ 149.95.
The researchers were shocked to discover that the device, called the Secure Electronic Enrollment Kit, or SEEK II, contained a memory card that stored the names, nationalities, photos, fingerprints and iris scans of 2,632 people, most of whom were from Afghanistan and other countries. Iraq. Many of them were known terrorists and wanted persons, as well as information about people who collaborated with the US government and ordinary citizens who were simply stopped at checkpoints.
Matthias Marx and his @ccc partners bought six biometric capture devices on eBay. One of them, a SEEK II, had fingerprints and iris scans of 2,632 people from Afghanistan and Iraq. When Marx used it to capture his own biometric info, it asked to upload it to a @USSOCOM server. pic.twitter.com/9RSKOfdKaz
— Kashmir Hill (@kashhill) December 27, 2022
Another device contained fingerprints and scans of the iris of American servicemen. It was last used in Jordan in 2013.
The data also included detailed descriptions of individuals along with their photographs and biometric information, which could expose the military and those who helped them to the risk of being identified and tracked down by the Taliban.
Exactly how the device ended up on eBay is unclear, as is the number of times it has passed from one owner to another since its last use in 2012 near Kandahar, Afghanistan. Why the military did not remove/destroy the memory card is also a mystery. One of the sellers said they didn’t know it contained confidential information, adding that they had purchased SEEK II at a government equipment auction. Another declined to say where they got the device.
“The irresponsible handling of this high—risk technology is just unbelievable,” the researcher told the Times. “It is not clear to us that the manufacturer and former military users do not care that used devices with confidential data are sold on the Internet,” he added.
Press Secretary of the Ministry of Defense Brig. General Patrick S. Ryder told the Times: “Because we have not verified the information contained on the devices, the department cannot confirm the authenticity of the alleged data or otherwise comment on it. contain personal information to be returned for further analysis.”
