Security researchers have exposed an embarrassing security lapse by the US military that could potentially endanger lives.

German researchers who purchased biometric capture devices on eBay were surprised to discover sensitive US military data stored on their memory cards.

The data reportedly included fingerprints, iris scans, photographs, names and descriptions of people, mostly from Afghanistan and Iraq. To make matters worse, many of these people worked with the US army and could thus be targeted if the data fell into the wrong hands.

Chaos Computer Club

The German security researchers are members of the Chaos Computer Club (CCC), which has previously made a name for itself by exposing security flaws in other systems and devices.

It explained that the US military used biometric devices en masse to capture people in Afghanistan. Unfortunately, some devices were left behind during the hasty withdrawal of NATO troops.

“CCC researchers found large amounts of biometric and other personal data when analysing such devices,” the researchers stated. “In the wrong hands, this data is life-threatening for people in Afghanistan and Iraq.”

The biometric devices were used to identify individuals, and “on used US military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis,” the researchers noted.

It should be remembered that the entire population of Afghanistan was biometrically catalogued, to help coalition forces identify and track down Taliban and their supporters.

“Allegedly, access to the biometrics database should not be possible without further technology,” said CCC. “But even if that were the case, of course, the Taliban could still simply use the devices. Unfortunately, our research shows that all data on the mobile biometric devices is completely unprotected. We were able to read, copy and analyze them without any difficulty.”

Online auction

So how did CCC researchers get these biometric devices?

“Alarmed by news reports about biometric devices in the Taliban’s hands, Matthias Marx, snoopy, starbug, md and other CCC members started to gather information about these devices,” the researchers stated. “While doing so, they came across several offers at an online auction house.”

The researchers acquired a total of:

  • four devices of type SEEK II (Secure Electronic Enrollment Kit) and
  • two devices of type HIIDE 5 (Handheld Interagency Identity Detection Equipment).

The researchers examined the devices forensically and found that “all storage mediums were unencrypted. A well-documented standard password was the only thing needed to gain access. Also, the database was a standard database with standard data formats. It was fully exported with little effort.”

The devices CCC acquired “contained names and biometric data of two US military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos of 2,632 people. The device containing this database had last been used somewhere between Kabul and Kandahar in mid-2012.”

Shoddy response

The researchers notified the device manufacturers, and two known users of the devices – the US Department of Defense and the German Bundeswehr.

“However, no one seems to care about the data leak,” said CCC. “We received an acknowledgement of receipt from the Bundeswehr, the Department of Defense kindly referred us to the manufacturer, and the manufacturer did nothing.”

Two and a half months after its report, the researchers were able to order another biometric device online.

“The irresponsible handling of this high-risk technology is unbelievable,” said Matthias Marx, who led the CCC research group. The consequences are life-threatening for the many people in Afghanistan who were abandoned by the western forces.

“It is inconceivable to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online,” Marx continued.

Biometric security

This is not the first time that security concerns have been raised about biometric databases.

In 2019 a database used by banks, police, and defence contractors was found to have a major security flaw that exposed more than a million fingerprints and other sensitive biometric data.

The biometric data was located on a publicly accessible database for a South Korean company called Suprema, which is responsible for the web-based Biostar 2 biometrics lock system.

At the time, Suprema downplayed the severity of the breach, “saying the scope of potentially affected users was significantly less than recent public speculation,” a position challenged by Israeli security researchers Noam Rotem and Ran Locar, who had uncovered the problem.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
