Researchers say DOD ignored attempts to flag the leak impacting 2,632 people.
When a German security researcher, Matthias Marx, found a United States military device for sale on eBay—an instrument previously used to identify wanted individuals and known terrorists during the War in Afghanistan—Marx gambled a little and placed a low bid of $68.
He probably didn’t expect to win, since he offered less than half the seller’s asking price, $149.95. But win he did, and after that, he had an even bigger surprise coming, The New York Times reported. When the device arrived with a memory card still inside, Marx was shocked to realize he had unwittingly purchased the names, nationalities, photographs, fingerprints, and iris scans of 2,632 people whose biometric data had allegedly been scanned by the US military.
The device allegedly stored not just personally identifiable information (PII) of seemingly suspicious persons, but also of US military members, people in Afghanistan who worked with the government, and ordinary people temporarily detained at military checkpoints. Most of the data came from residents of Afghanistan and Iraq.
All of this data was supposed to be destroyed onsite, but that seemingly never happened. The failure to wipe the device is consistent with the US military's occasional failures over the past decade, which have put people who helped the US military and US military members at risk of being identified and targeted by the Taliban, The Times reported.
Currently, no one’s sure how many times the device has traded hands since it was last used in 2012 near Kandahar, Afghanistan.
Marx has shown abundant caution with the data, declining to share the database electronically with The Times. Instead, The Times sent a reporter in Germany to Marx’s location to see the data, then got in touch with at least one American who confirmed the data was likely his.
The Department of Defense (DOD) press secretary, Brigadier General Patrick S. Ryder, told The Times that they would need to review the data before confirming its authenticity.
“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” Ryder told The Times. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”
Experts told The Times that if the data is authentic, this particular breach could have fatal consequences. They recommend that the US government review the data, inform everyone impacted by the breach, and then provide asylum for anyone still based in Afghanistan.
When Marx discovered the data, he said that he contacted the DOD, but Marx told Ars that he was “alarmed” when the DOD allegedly failed to investigate or take action to protect those affected by the leak.
“We also imagined the data would be useful to investigate how the devices ended up online and to derive who else is potentially endangered,” Marx told Ars.
Marx told The Times that he found the military’s failure to delete this highly sensitive data “disturbing,” alleging that “they didn’t even try to protect the data,” and suggesting this was because “they didn’t care about the risk, or they ignored the risk.”
Marx belongs to a European hacker association called the Chaos Computer Club (CCC). He told The Times that CCC was alarmed by reports documenting the Taliban's seizure of US military devices after the US evacuated Afghanistan. Last year, The Intercept reported that the Taliban’s goal was to identify Afghans who assisted enemy forces.
Wanting to learn more about these security risks, CCC turned to eBay, where they purchased six devices, The Times reported. Of the four Secure Electronic Enrollment Kit (SEEK II) and two Handheld Interagency Identity Detection Equipment (HIIDE) devices they bought, CCC found sensitive data on two of the SEEK IIs. CCC's most recent purchase contained data on thousands of people, while the other SEEK II—last used in 2013—allegedly contained “fingerprints and iris scans of a small group of US service members.”
The Times described the SEEK II as "a relic of the vast biometric collection system the Pentagon built in the years after the Sept. 11, 2001, attacks." One government document touting its advanced technology for the time described it as a "self-contained handheld biometrics collection device with a built-in fingerprint collection surface, iris scanner, and camera."
It has a keyboard so that military members can add biographic information. After it became a popular tool used mostly in special operations, it evolved into the biometrics collection device of choice for the US Army and Marine Corps by 2012, credited in a 2011 military handbook as helping the military identify wanted individuals within 15 minutes of scanning.
An eBay spokesperson told The Times that it’s against company policy to sell devices containing such PII. One eBay seller told The Times that the most recent SEEK II sold to CCC was purchased at a government auction. Another seller declined to source the other SEEK II device sold to CCC.
Any eBay seller found to be violating that policy risks their listing being removed and potentially permanent account suspension. Ars could not immediately reach eBay to comment further on whether it will be more closely reviewing sales of devices like the SEEK II, and Ars found at least one SEEK II listing—described as Border Patrol surplus with “no operating system installed”—with a current asking price of $299.98.
Marx told Ars that CCC currently has one encrypted copy of the SEEK II databases it found, but without a direct response from DOD, his group’s plan is to delete the data. Once the data is deleted, there's a reduced risk of future leaks from this particular device, but deleting the data also would potentially eliminate any chance of DOD quickly tracking down who may have intercepted the data before CCC did. For that reason, there remains a risk of future leaks, as well as potential risks to people whose data may have already been intercepted by the Taliban. That includes some people who worked with the US government and may already be in hiding—because while names can change, fingerprints and iris scans do not.
DOD did not immediately respond to Ars’ request to clarify if there’s any plan to directly reach out to Marx to retrieve the data for analysis before CCC deletes it.
“Sadly, nobody seems to assume any responsibility, let alone make any effort to protect those affected,” Marx told Ars. “We will hence delete the data—which is already more safe than it was before—shortly.”