A German security researcher inadvertently purchased the fingerprints and iris scans of some 2,632 people after successfully bidding for a hand-held biometric capture device on eBay, The New York Times reports.
Matthias Marx, from Hamburg, Germany, discovered that the device, which cost him just $68, is actually a Pentagon-built biometric machine that was deployed in Afghanistan and Iraq. It contains more than 2,000 fingerprint and iris scans, as well as people’s names and nationalities, in its memory card.
Marx, who allowed a Times reporter to review the information contained on the device, found the majority of the fingerprints and iris scans belong to people from Afghanistan and Iraq, with many being known terrorists and wanted individuals. Some, however, appear to be people who worked with the US government or who were stopped at US-manned checkpoints in the countries.
The device formed part of a Pentagon-led biometric enrollment program that was reportedly designed to help stop and identify possible Taliban agents inside Afghan army bases, after a spate of shootings against American soldiers by Afghan troops and police.
The machine, called a Secure Electronic Enrollment Kit (SEEK II), was reportedly last used in the summer of 2012 near Kandahar, Afghanistan. It features a tiny screen and keyboard, a small mouse pad, as well as a thumbprint reader. For iris scans, the machine unfolds to take photos. Marx tells the Times that when he used the device on himself, a message popped up, asking to connect to a US Special Operations Command server to upload the new “collected biometrics.”
In a statement to the Times, Brig. Gen. Patrick S. Ryder, the Defense Department’s press secretary, said: “Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it. The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”
Marx belongs to a small group of researchers at the Chaos Computer Club, a European hacker association, who bought six biometric capture devices on eBay, in order to spot any vulnerabilities or design flaws. The project was initiated after reports that the Taliban had seized such devices after the US evacuated Afghanistan last year. They had sought to understand whether the Taliban could have come into possession of biometric data about people who had helped the US. The researchers bought six devices: four of the aforementioned SEEKs and two Handheld Interagency Identity Detection Equipment (HIIDE).
Two of the SEEKs were found to contain sensitive data on them, with the second reportedly containing the fingerprints and iris scans of a “small group of US service members.” It had last been used in Jordan in 2013, the Times reports.
The device containing the 2,632 fingerprint and iris scans was sold to Marx by a Texas equipment company called Rhino Trade. The company’s treasurer, David Mendez, told the Times that they had bought it at a government equipment auction, and said he did not realize a military device that was decommissioned would have sensitive data on it.
The second SEEK II device, containing the American troops’ fingerprints, came from an eBay seller in Ohio called Tech-Mart, who declined to say how the device, and the two other devices sold to the researchers, had been acquired. An eBay spokesman tells the Times that company policy bans the sale and listing of electronic devices that contain sensitive personal data.