German white hat hackers buy US military biometrics equipment with Afghanistan biometric database at auction

A German white hat hacker organization, the Chaos Computer Club (CCC), purchased several used U.S. military biometrics devices through an online auction platform (presumably eBay). The forensic investigation showed that the military and the manufacturer had handled the devices irresponsibly. Data located on the devices was unencrypted. The CCC gained access to a biometrics database containing the data of 2,632 people from Afghanistan.



Some history

The U.S. military has used devices to biometrically enroll individuals in Afghanistan. The goal was to capture the entire Afghan population's biometric data (fingerprints, iris scans, facial photos, and DNA). The Bundeswehr also used these devices as part of the NATO mission in that country. With the help of programs such as the Automated Biometric Identification System (ABIS), it should be possible to identify known criminals as well as local forces or members of the Afghan security forces at any time, says the CCC.

These devices, which contain a biometric database, are a ticking time bomb for the people whose data is stored on them. During the hasty withdrawal of NATO troops a year ago, some of these devices also fell into the hands of the Taliban. Anyone who gets their hands on the devices can read the database and then identify, for example, local forces or members of the Afghan security forces. The military was well aware of the risk, as evidenced by warnings issued by a U.S. military official in 2007 for Iraq.

Devices purchased at auction and investigated

Matthias Marx, snoopy, starbug, md and other CCC members were alarmed by these reports and began to obtain information about the biometrics devices. On the auction platform eBay, the members of the CCC came across several offers of such devices and were able to purchase the following:

  • 4 devices of the type SEEK II (Secure Electronic Enrollment Kit) and
  • 2 devices of the type HIIDE 5 (Handheld Interagency Identity Detection Equipment).

These devices were subsequently forensically examined by the CCC. The examination revealed irresponsible carelessness on the part of the US military and the manufacturers. The data was stored unencrypted on the devices. Access did require a password, but the default password, which is documented for each device, was sufficient. A standard database stored on the devices could be exported without any problems.

An analysis of this exported database turned up names and biometric data of two U.S. military personnel, GPS coordinates of past deployment sites, and a comprehensive biometrics database with names, fingerprints, iris scans, and photos of 2,632 people, as the CCC writes. The device containing this database had last been deployed somewhere between Kabul and Kandahar in mid-2012.



The CCC informed the manufacturer of the SEEK devices, Crossmatch Technologies (now HID Global), and the US Department of Defense as well as the German Bundeswehr about the vulnerability. In particular, the responsible agencies were also informed that used devices with highly sensitive data could easily be ordered on the Internet. However, no one seems to care about the data leak, writes the Chaos Computer Club.

"The irresponsible handling of this risk technology is unfathomable," said Matthias Marx, who led the CCC research group. The consequences are life-threatening for the many people in Afghanistan who have been abandoned by the U.S. and federal governments. "It's incomprehensible to us that the manufacturer and former military users don't care that used devices with sensitive data are being hawked online," Marx continued.

This development was predictable, because biometric databases cannot be effectively and permanently secured against illegitimate interests. The current case from Afghanistan is just a foretaste of many future biometrics databases falling into the wrong hands, the CCC said. The CCC published the findings in a German-language article on Dec. 27, 2022.

Addendum: Ars Technica also covered the story in an article.

