
US military biometric scanner sold online for $68

Dec 28, 2022

Berlin [Germany], December 28: German security researchers specializing in biometric scanning devices used by the US military got more than they expected when they bought a device for $68 on eBay.
A shoebox-shaped device designed to record fingerprints and scan irises has been listed for sale on eBay for $149.95. German security researcher Matthias Marx successfully bought it for $68. When the machine was sent to Mr. Marx's house in Hamburg (Germany) in August, it carried a surprising amount of information.
Inside the device is a memory card containing the names, nationality, photos, fingerprints and iris scans of 2,632 people.
The New York Times reported that most of the people in the database were from Afghanistan and Iraq. Many of them are terrorists and wanted people. However, others appear to have worked with the US government or were simply stopped at checkpoints. The metadata on the device, known as the Secure Electronic Enrollment Toolkit (SEEK II), shows it was last used in the summer of 2012 near Kandahar, Afghanistan.
The device is a remnant of the extensive biometric collection system the Pentagon built in the years following the September 11, 2001 attacks. This is a reminder that even though the US has pulled out of the wars in Afghanistan and Iraq, the tools made and the information they hold persist in ways that were not intended by their creators.
It remains unclear how the device made its way from the battlefield in Asia to an online auction site. However, the data it contains, which provides detailed descriptions of individuals, their photos and biometric data, could be enough to target people who have never worked with the US military before if the information falls into the wrong hands.
"As we have not seen the information contained on the devices, we cannot confirm the authenticity of the data or comment on it. The Department of Defense is requesting the return of any equipment believed to contain personally identifiable information for further analysis," Brigadier General Patrick S. Ryder, press secretary for the US Department of Defense, said in a statement.
Biometric data on SEEK II is collected at detention facilities, during patrols, during screening of local hires, and after a bomb blast. By the time the equipment was last used in Afghanistan, the US presence there was dwindling. Osama bin Laden had been killed in Pakistan a year earlier - his identity was confirmed by facial recognition technology.
At the time, one of the concerns of military leaders was a series of shootings in which Afghan soldiers and policemen pointed guns at US troops. They hoped that the biometric registration program would help identify any Taliban fighters who infiltrated their own base.
"Irresponsible"
Over the past year, Marx and a small group of researchers at Chaos Computer Club, a European hacker association, have purchased six biometric scanning devices on eBay. Most of them cost less than $213.
They plan to analyze these devices to find flaws in the design. The operation comes after concerns arose last year that the Taliban had seized the equipment after the US left Afghanistan. The researchers wanted to see if the Taliban could get biometric data about people who had aided the US from the devices, putting them at risk.
Finding so much unencrypted and easily accessible information shocked researchers.
"It is disturbing that the US military is not even trying to protect the data. They don't care about the risk, or they ignore the risk," Marx said.
Stewart Baker, a Washington attorney and former national security official, says biometric scanning is a valuable tool in war zones, but the data collected needs to be controlled. He speculated that the data leak would "make a lot of people who have helped the US and are still in Afghanistan really upset".
"This shouldn't have happened. This is a disaster for those whose data is exposed. In the worst-case scenario, the consequences can be death," Baker said.
Of the six devices the researchers purchased on eBay - 4 SEEK and 2 HIIDE (or Handheld Interdisciplinary Identity Detection Device) - 2 SEEK II devices carried sensitive data. The second SEEK II device, with location metadata showing it was last used in Jordan in 2013, appears to contain the fingerprints and iris scans of a small group of US military members.
Military officials said the only reason the devices contained data on Americans was because they were used during training sessions, a common practice in preparation for their use in the field.
According to the Defense Logistics Agency, which handles millions of dollars of Pentagon surplus equipment each year, devices like the SEEK II and HIIDE should never have made it to the market, much less appear on an online auction site like eBay. Instead, all biometric-collecting devices must be destroyed on-site when military personnel no longer need them, as should other electronic devices that once contained sensitive operational information.
An eBay spokesperson said it is company policy to prohibit the sale of electronic devices that contain personally identifiable information. "Products that violate this policy will be removed and users may face actions up to and including the permanent suspension of their accounts," the spokesperson said.
Sensitive data on the device is stored on the memory card. If these cards are erased and destroyed, the above data will not be exposed.
"It is unbelievable that they irresponsibly handle this high-risk technology. We cannot understand that manufacturers and former military users do not care that used devices containing sensitive data are being sold online," Marx said.
The New York Times looked at online documentation and manuals for the HIIDE and SEEK II devices and found that they were created to search for biometric information stored on government servers. However, they can store thousands of biometric records for use in environments with limited internet connectivity. This could help explain why the above biometric information remains on these devices.
Mr. Marx warned the Department of Defense and the equipment manufacturer, HID Global, about unprotected data. When asked for comment, HID Global said in a statement that it does not "share details about our customers or specific product implementations".
"The regular configuration, management, protection, storage and erasure of data is the responsibility of the organization using the HID-manufactured devices," the company said.
Belkis Wille, a researcher at Human Rights Watch who has written about the use of biometrics in Afghanistan, told German public broadcaster Bayerischer Rundfunk that people who have worked with the US government and are affected by the above information leak should have the opportunity to leave Afghanistan and apply for asylum.
Mr. Marx presented his findings at a hacker event in Berlin on December 27. Once the biometric device analysis is complete, he and his colleagues will delete personally identifiable data from the device.
Source: ThanhNien Newspaper