WTF?! Stories of people selling electronic items on eBay without first wiping their storage aren't unusual. However, one would not expect to buy a military device from the auction site and find it contains sensitive biometric data on thousands of individuals. Yet that's what a German security researcher discovered after he paid just $68 for one of the machines.
The New York Times reports that Matthias Marx, head of a group of European researchers called the Chaos Computer Club, bought six biometric capture devices on eBay, most of them for under $200. The group intended to analyze the machines to search for vulnerabilities following a 2021 report from The Intercept on the Taliban seizing similar equipment. Marx managed to secure one of the items, a hand-held machine designed to capture fingerprints and perform iris scans, for just $68, much less than the listed $149.95 price.
The researchers were shocked to find the device, called a Secure Electronic Enrollment Kit, or SEEK II, contained a memory card that stored the names, nationalities, photographs, fingerprints, and iris scans of 2,632 people, most of whom were individuals from Afghanistan and Iraq. Many were known terrorists and wanted individuals, and there were also details of people who had worked with the US government and everyday citizens who had simply been stopped at checkpoints.
Matthias Marx and his @ccc partners bought six biometric capture devices on eBay. One of them, a SEEK II, had fingerprints and iris scans of 2,632 people from Afghanistan and Iraq. When Marx used it to capture his own biometric info, it asked to upload it to a @USSOCOM server. — Kashmir Hill (@kashhill) December 27, 2022
Another device contained the fingerprints and iris scans of US military personnel. It had last been used in Jordan in 2013.
The data also included detailed descriptions of individuals alongside their photographs and biometric information, which could have placed members of the military and those who aided them at risk of being identified and tracked down by the Taliban.
Exactly how the device ended up on eBay is unclear, as is the number of times it had passed between owners since last being used in 2012 near Kandahar, Afghanistan. Why the military never removed/destroyed the memory card is also a mystery. One of the sellers said they were not aware it contained sensitive information, adding that they acquired the SEEK II at an auction of government equipment. Another refused to say where they obtained the device.
"The irresponsible handling of this high-risk technology is unbelievable," the researcher told the Times. "It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online," he added.
Defense Department press secretary Brig. Gen. Patrick S. Ryder told the Times, "Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it. The department requests that any devices thought to contain personally identifiable information be returned for further analysis."
Masthead: Marine Corps photo by Cpl. Briauna Birl