Biometric Devices Sold On eBay Contained US Military Data


Sensitive US military data has been found on the memory cards within biometric devices sold on eBay, researchers find

Security researchers have exposed an embarrassing security lapse by the US military that could potentially endanger lives.

German researchers who purchased biometric capture devices on eBay were surprised to discover sensitive US military data stored on their memory cards.

The data reportedly included fingerprints, iris scans, photographs, names and descriptions of people, mostly from Afghanistan and Iraq. To make matters worse, many of these people worked with the US army and could thus be potentially targeted if the data fell into the wrong hands.


Chaos Computer Club

The German security researchers are the Chaos Computer Club (CCC), which has previously made a name for itself exposing security flaws in other systems and devices.

It explained that the US military used biometric devices en masse to capture people in Afghanistan. Unfortunately, some devices were left behind during the hasty withdrawal of NATO troops.

“CCC researchers found large amounts of biometric and other personal data when analysing such devices,” the researchers stated. “In the wrong hands, this data is life-threatening for people in Afghanistan and Iraq.”

The biometric devices were used to identify individuals, and “on used US military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis,” the researchers noted.

It should be remembered that the entire population of Afghanistan was biometrically catalogued, to help coalition forces identify and track down Taliban and their supporters.

“Allegedly, access to the biometrics database should not be possible without further technology,” said CCC. “But even if that were the case, of course, the Taliban could still simply use the devices. Unfortunately, our research shows that all data on the mobile biometric devices is completely unprotected. We were able to read, copy and analyze them without any difficulty.”

Online auction

So how did CCC researchers get these biometric devices?

“Alarmed by news reports about biometric devices in the Taliban’s hands, Matthias Marx, snoopy, starbug, md and other CCC members started to gather information about these devices,” the researchers stated. “While doing so, they came across several offers at an online auction house.”

The researchers acquired a total of:

  • four devices of type SEEK II (Secure Electronic Enrollment Kit) and
  • two devices of type HIIDE 5 (Handheld Interagency Identity Detection Equipment).

The devices were examined forensically, and they found that “all storage mediums were unencrypted. A well-documented standard password was the only thing needed to gain access. Also, the database was a standard database with standard data formats. It was fully exported with little effort.”

The devices CCC acquired “contained names and biometric data of two US military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos of 2,632 people. The device containing this database had last been used somewhere between Kabul and Kandahar in mid-2012.”

Shoddy response

The researchers notified the device manufacturers, and two known users of the devices – the US Department of Defense and the German Bundeswehr.

“However, no one seems to care about the data leak,” said CCC. “We received an acknowledgement of receipt from the Bundeswehr, the Department of Defense kindly referred us to the manufacturer, and the manufacturer did nothing.”

Two and a half months after its report, the researchers were able to order another biometric device online.

“The irresponsible handling of this high-risk technology is unbelievable,” said Matthias Marx, who led the CCC research group. The consequences are life-threatening for the many people in Afghanistan who were abandoned by the western forces.

“It is inconceivable to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online,” Marx continued.

Biometric security

This is not the first time that security concerns have been raised about biometric databases.

In 2019 a database used by banks, police, and defence contractors was found to have a major security flaw that exposed more than a million fingerprints and other sensitive biometric data.

The biometric data was located on a publicly accessible database for a South Korean company called Suprema, which is responsible for the web-based Biostar 2 biometrics lock system.

At the time Suprema downplayed the severity of the breach, saying “the scope of potentially affected users was significantly less than recent public speculation” – a position challenged by Israeli security researchers Noam Rotem and Ran Locar, who had uncovered the problem.