Legacy US military biometric devices acquired by hackers

According to a story by The New York Times, obsolete US military equipment resold on eBay apparently contains biometric data of soldiers, known terrorists and people who may have cooperated with American forces in Afghanistan and other Middle Eastern nations.

The devices were purchased by a hacking team that uncovered unencrypted data, including fingerprints, iris scans, user photos and descriptions, protected by a “well documented” default password. Given how easy it was to read, copy and analyze the sensitive material, the hackers described accessing it, in a blog post, as “downright boring.”

Matthew Marx, who oversaw the team’s investigation into the gadgets, does not find the information itself monotonous, however, and finds it “unbelievable” that they could get it. After the team’s investigation is complete, they intend to delete the data, but what they have already discovered raises questions about how strictly the military has safeguarded this material.

This is particularly important given reports from the previous year that the Taliban acquired biometric equipment when the US left Afghanistan. Many observers have noted that the information, which may or may not remain on the devices, can be used to identify people who helped American soldiers.

The devices contained data from several people involved in the Afghan-US wars

A total of six devices, which the Times reports were used by the military about a decade ago to collect biometric data at checkpoints and during patrols, inspections and other activities, were acquired by members of the Chaos Computer Club. Information was still present on the memory cards of two of the devices, both of them Secure Electronic Registration Kits II. One of the devices, the hackers said, contained “sensitive biometric data” and the names of 2,632 people. This data appears to have been collected around 2012.

The Times says the gadget cost only $68. The paper also says that, according to one of the employees it spoke to, the company that bought it at auction and sold it on eBay was unaware that it contained critical data. Another company refused to talk about where it sourced the equipment it supplied to the group. In theory, the devices should have been destroyed once they were no longer in use.

It is no wonder they are for sale online, considering how often private individuals purchase discarded military equipment. The worrying part is that no one discovered that at least some of them still held data before the gadgets were auctioned off on eBay.

When contacted by the Times, the Department of Defense asked that the device be returned, which is not a very encouraging response from the US or the device manufacturers. According to the Chaos Computer Club, the Department of Defense advised them to contact the maker of SEEK, HID Global. The hackers say they have not heard anything back.