Data-loaded US military biometric capture devices were sold on eBay

Obsolete military equipment that was being sold on eBay contained what seems to be biometric data from US soldiers, known terrorists, and persons who may have collaborated with American forces in Afghanistan and other countries in the Middle East. Hackers bought the devices and discovered fingerprints, iris scans, photos, and descriptions of persons stored in plaintext and secured only by a “well-documented” default password. Because the data was so easy to read, copy, and analyse, the hackers described accessing the sensitive material as “downright boring” in a blog post.

However, Matthias Marx, who led the group’s investigation of the gadgets, does not find the information itself dull, and finds it “unbelievable” that they were able to get it. The club’s findings raise questions about how well the military guarded this information, and Marx wants to delete the data once the investigation is complete.

That’s particularly true considering that the Taliban reportedly acquired biometric equipment when the US was pulling out of Afghanistan last year. As a number of observers have pointed out, data that may or may not have been deleted from the devices might be used to track down anyone who assisted American troops. The United States also created biometric databases on Iraqi people. One US source told Wired in 2007 of the database that “basically what it becomes is a kill list if it falls in the wrong hands.” It is small solace for people whose data was kept locally on the device, but it’s worth remembering that, as reported by The Intercept, the devices wouldn’t necessarily enable someone to use the master database of Afghanistan’s population unless they had access to other equipment.

Six devices were bought by the Chaos Computer Club, all of which the Times claims the military employed around ten years ago to collect biometric information at checkpoints, patrols, inspections, and other activities. The memory cards of two of the SEEK IIs (Secure Electronic Enrollment Kits) were still usable. In one of the devices, the hackers claim to have found 2,632 unique names along with “very sensitive biometric data” that was gathered around the year 2012.

According to the Times, the gadget set them back just $68. The news organisation also quotes a worker at the company that purchased the hard drive at auction and then sold it on eBay as saying that the company did not know that the drive included any private information. When asked where it had received the equipment it sold to the club, another firm remained mum. After their use had ended, the gadgets were supposed to be destroyed.

It’s hardly surprising that you can buy them online; retired military hardware routinely finds its way into civilian hands. Worse still, at least some of them were sold on eBay with the data still intact, in apparent contravention of eBay’s policy prohibiting the sale of computers containing personally identifiable information. When contacted by the Times, the Department of Defense just asked that the gadget be returned, which is not a comforting reaction. The Chaos Computer Club also claims to have contacted the DoD, which referred the organisation to SEEK maker HID Global. The hackers claim they made contact but heard nothing back.