Matthias Marx, a German security researcher, has bought some devices for detecting biometric data on eBay and inside he found thousands of files containing sensitive data. Above all of Afghan and Iraqi citizens, collected in the field over the years by US troops. In many cases terrorists known to the security services, in other cases ordinary people stopped at checkpoints, in still others collaborators of the army.

Fingerprints, iris scans, pictures and of course individual names and annotations: all finished up for sale on the popular online trading platform and sold for 68 dollars, against the 149.95 requested by the advertiser. A scandalous lightness reported by the New York Times and that he would have riskedif those devices had ended up in the wrong hands, to create many problems for the individuals surveyed.

August 18, 2022



The data of 2632 people, from Kandahar to eBay

The memory card of the main device protagonist of the incredible story, as big as a shoebox and known as Secure Electronic Enrollment Kit (in sigla, Seek II) it contained the information of 2632 people. Its last use was detected from stored metadata: summer of 2012 in Kandahar, Afghanistan’s second largest city. This sort of contemporary war surplus comes from the vast assortment of devices built by the Pentagon in the years since the September 11, 2001 attacks. How it ended up on eBay, starting from the streets of the Afghan town, and what routes it took, is not fully known. A NYT reporter was authorized by the researcher to consult the database in person, also because the data will obviously not be made public in other ways precisely to avoid consequences or retaliation against old collaborators in the United States.

“Because we have not reviewed the information contained on the devices, the department is unable to confirm the authenticity of the purported data or otherwise comment on it,” he explained. Brigadier General Patrick S. RyderDepartment of Defense Press Officer – The department requests that all devices believed to contain personally identifiable information be returned for further analysis. ” In short, the German researcher should return the briefcase to Fort Belvoirin the State of Virginia, to the department in charge of the biometric program.



The contents of the briefcase in the photo shown by the New York Times

In what situations was that data collected

As mentioned, the biometric data on the Seek II was collected in various situations: in detention facilities, during patrols or during recruitment controls premises in the public administration or after the explosion of bombs. On the other hand, the Times recalled that in the period in which the device was last used in Afghanistan, the American war effort was on its last legs: Osama bin Laden was killed in Pakistan a year earlier and his identity then confirmed using facial recognition technology. At the time, devices like the one that ended up on eBay were used in particular to identify possible Taliban moles within the bases and personnel of the police and the now dissolved Afghan army.

How the Seek II is made

The Seek II sports a tiny display, an equally tiny keyboard, and a tiny mouse pad. Then there is a fingerprint reader and, once opened, it allows you to scan the iris or take simple photos. When switched on by the new owner, the device requested the collegamento a un server dell’US Special Operations Command to upload “the newly collected biometric data”. Everything as if it were still 2012, in short.

The search for the Chaos Computer Club

But why was Marx looking for such equipment? To study them, understand their vulnerabilities or intrinsic problems, all within a project conducted with a group of researchers from the famous Chaos Computer Club in Berlin. They bought 6 of them (also including two Hiide models, i.e. Handheld Interagency Identity Detection Equipment) also in the wake of a concern linked to Afghanistan: many of these devices, as indeed means and objects of various types, they remained in the country and in the hands of the restored Taliban regime after the disastrous withdrawal of what remained of the US contingent during August 2021.

The goal of the group of researchers was precisely to understand if the Taliban can obtain biometric data from the devices people who have helped the United States over time, putting them at risk. And ironically that data, without any kind of cryptographic protection, found them on the desk at home. In particular in two Seek IIs, the second used last time in 2013 in Jordan and containing only a small database of scans and fingerprints of a group of US soldiers, probably collected during an exercise (such as that visible in this video), as confirmed by an intelligence officer contacted by the newspaper.

The Pentagon: “Devices that should be destroyed on the spot”

In short, these gadgets should never have ended up on the market, much less the second-hand one in which eBay specializes. According to the Defense Logistics Agency, which it deals (evidently with many flaws) with the management of expensive devices in excess that are decommissioned by the Pentagon every year, these devices should be destroyed on the spot when they are no longer needed, like other electronic devices. Instead, the Seek II full of information ended up in the hands of Rhino Trade, a Texan company which in turn explained that it had obtained it at a government auction, obviously without being aware that it could contain sensitive data. The other Seek II came from Tech-Mart, an eBay seller in Ohio who did not provide explanations on how he came into possession of that and two other similar scanners.

“The irresponsible handling of this high-risk technology is incredible – commented the involuntary discoverer – and it is incomprehensible to us than to the producer [HID Global, ndr] and the military who used it don’t care that devices containing sensitive data are sold online”. The researcher, who explained the surreal story at a Berlin event and then will delete all data, promptly alerted the Department of Defense and HID, who has clearly washed his hands of it: “Responsibility of those who use the devices”. Some similar devices, which appeared to be for sale a few days ago, have been removed from eBay.