After the Biden administration's chaotic withdrawal from Afghanistan and transfer of power to the Taliban, abandoned US military equipment containing biometric data has been popping up on eBay.
Over the past year, German security researcher Matthias Marx and a small group of researchers at Chaos Computer Lab, a European hacker association, have bought six SEEK II (Secure Electronic Enrollment Kit) devices on the popular auction website, according to the NY Times.
The device, built as part of the Pentagon's vast biometric collection expansion following the Sept. 11, 2011 attacks, has a tiny screen, a little keyboard, and a mouse pad. It also contains a thumbprint reader under a hinged plastic lid, an iris scanner, and a camera. The devices were used to collect biometric data at detainment facilities, on patrols, during screenings of local hires, and after the explosion of an IED. Officials at the time were concerned over a rash of shootings in which Afghan police and soldiers fired on American troops, and were hoping that biometric data could help identify any possible Taliban agents within their bases.
The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing.
The device’s memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.
Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints. Metadata on the device, called a Secure Electronic Enrollment Kit, or SEEK II, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan. -NY Times
In response to the story, Defense Department spox Brig. Gen. Patrick S. Ryder said: "Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it," adding "The department requests that any devices thought to contain personally identifiable information be returned for further analysis."
"It was disturbing that they didn’t even try to protect the data," said Marx. "They didn’t care about the risk, or they ignored the risk."
DC lawyer Stewart Baker, a former national security official, said that the biometric devices were useful tools in war zones, but that the data collected needed to be kept under control. He suggested that a data breach would "make a lot of people who helped the U.S. and are still in Afghanistan really uncomfortable."
"This should not have happened," Baker added. "It is a disaster for the people whose data is exposed. In the worst cases, the consequences could be fatal."
Of the six devices the researchers bought on eBay — four SEEKs and two HIIDEs, for Handheld Interagency Identity Detection Equipment — two of the SEEK II devices had sensitive data on them. The second SEEK II, with location metadata showing it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of U.S. service members. -NY Times
In one case, an American's biometric data was found in one of the databases. He was formerly a Marine intelligence specialist who still works in intelligence, and said that his data was most likely collected during a military training course. He asked that his biometric file be deleted.
According to the Defense Logistics Agency, which is tasked with equipment disposal, the SEEK II and HIIDE devices never should have made it to the open market. Gear such as this is supposed to be destroyed on-site when no longer needed by the military.
One of the eBay sellers, surplus equipment reseller Rhino Trade, said they bought the SEEK II at a military auction of government equipment and did not realize it had sensitive data on it.
"I hope we didn't do anything wrong," said David Mendez, the company's treasurer.
"The irresponsible handling of this high-risk technology is unbelievable," said Marx. "It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online."