A military database of fingerprints and iris scanners

The shoebox-shaped device designed to capture fingerprints and iris scans was listed for sale on eBay for $149.95.

A German security researcher, Matthias Marx, offered $68, and when it arrived at his Hamburg home in August, the rugged portable machine contained more than was advertised.

The device’s memory card contained the names, nationalities, photographs, fingerprints, and iris scans of 2,632 people.

Matthias Marx, a security researcher at the Chaos Computer Club, a European hacker association.  (Andreas Meichsner/The New York Times).

Matthias Marx, a security researcher at the Chaos Computer Club, a European hacker association. (Andreas Meichsner/The New York Times).

Most of the people in the database, reviewed by The New York TimesThey came from Afghanistan and Iraq.

Many were known terrorists and wanted persons, but others appeared to be people who had worked with the US government or simply been stopped at checkpoints.

The device metadata, called Secure Electronic Enrollment Kit, or SEEK IIrevealed that it had been used for the last time in the summer of 2012 about Kandahar (Afghanistan).

The device – a relic of the vast biometric data collection system the Pentagon built in the years after the attacks of September 11, 2001 – is a physical reminder that while the United States has put the wars in Afghanistan and Iraq behind it , the tools built to combat them and the information they contained live on in ways not intended by their creators.

Exactly how the device ended up making its way from the battlefields of Asia to an online auction site is not known.

But the data, which provides detailed descriptions of the people, as well as their photo and biometric data, could be enough to identify people who were previously unknown to have worked with the US military, should the information fall through the cracks. the wrong hands.

For those reasons, Marx did not want to put the information online or share it electronically, but he did allow a reporter for the Times in Germany to view the data in person with him.

German security researchers studying biometric capture devices popular with the US military got more than they bargained for.  $68 on eBay.  (Andreas Meichsner/The New York Times)

German security researchers studying biometric capture devices popular with the US military got more than they bargained for. $68 on eBay. (Andreas Meichsner/The New York Times)

“Because we have not reviewed the information contained on the devices, the Department cannot confirm the authenticity of the purported data or make any other comment on it,” Brigadier General Patrick S. Ryder, the department’s press secretary, said in a statement. defense.

“The department requests that any device believed to contain personally identifiable information be returned for further analysis.”

He provided an address for the director of the military biometrics program at Fort Belvoir, Virginia, where the devices could be shipped.

SEEK II biometric data was collected in detention centers, on patrols, during local recruitment checks, and after an improvised bomb explosion.

At the time the device was last used in Afghanistan, the US war efforts in that country were coming to an end.

Osama bin Laden had been assassinated in Pakistan a year earlier, and his identity had been confirmed using intelligence technology. face recognition.

One of the main concerns of military leaders at the time was a series of shootings in which Afghan soldiers and policemen pointed their weapons at US troops.

They hoped the biometric registration program would help identify potential taliban agents within their own bases.

A 2011 “commander’s guide to biometrics in Afghanistan” described iris, fingerprint and facial scanners as a “relatively new” but “critical capability on the battlefield” that “effectively identifies insurgents, verifies local and third-country nationals who access our bases and facilities, and links people to events.”

The SEEK II has a tiny screena miniature physical keyboard, and an almost comically small mouse pad.

A fingerprint reader is protected by a hinged plastic cover at the bottom of the device.

Like an old Polaroid camera, the machine unfolds to scan the iris and take photos.

Marx used SEEK II on himself; when he turned it off, a message appeared asking to connect to a US Special Operations Command server to upload the newly “collected biometric data.”

Over the past year, Marx and a small group of researchers from the Chaos Computer Club, a European hacker association, have purchased six biometric capture devices on eBay, most for less than €200, with the intention of analyzing them to find any vulnerability or design flaw.

The reason was concerns raised last year that such devices might have been seized by the Taliban following the US evacuation of Afghanistan.

The investigators wanted to know if the Taliban could have obtained biometric data from the devices of people who had helped the United States, putting them in danger.

Finding so much unencrypted and easily accessible information shocked them.

“It was disturbing that they didn’t even try to protect the data,” Marx said, referring to the US military.

they didn’t care the risk, or were unaware of it.

Stewart Baker, a Washington attorney and former homeland security official, said biometric scanning was a valuable tool in war zones, but the data collected had to be kept under control.

He predicted that the data leak would “make a lot of people who helped the United States and are still in Afghanistan very uncomfortable.”

“This should not have happened,” Baker said.

“It’s a disaster for the people whose data is exposed. In the worst case, the consequences could be fatal.”

Of the six devices the researchers bought on eBay—four SEEKs and two HIIDEs, for Handheld Interagency Identity Detection Equipment—two of the SEEK IIs contained sensitive data.

The second SEEK II, whose location metadata showed it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of members of the US military.

Contacted by the Times, one of the Americans whose biometric scanner was found on the device confirmed that the data was likely his.

He had previously worked as a Marine intelligence specialist and said his data, and that of any other Americans found on these devices, was likely collected during a course of military training.

The man, who spoke on condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked that his biometric file be erased.

Military officials said the only reason these devices would have data on Americans would be to use them during training sessions, a common practice to prepare for their use in the field.

According to the Defense Logistics Agency, which manages the disposal of millions of dollars of Pentagon surplus material each year, devices like the SEEK II and HIIDE should never have made it to the open market, let alone an online auction site like eBay. .

Instead, all biometric data collection equipment must be destroyed in situ when military personnel no longer need them, as well as other electronic devices that once contained sensitive operational information.

It is not clear how the eBay sellers obtained these devices.

The device with the 2,632 profiles was sold by Rhino Trade, a Texas surplus equipment company.

Company treasurer David Mendez said he had purchased the SEEK II at a government equipment auction and didn’t realize that a decommissioned military device would have sensitive data on it.

“I hope we haven’t done anything wrong,” he said.

The SEEK II with the US troop information came from Tech-Mart, an eBay seller in Ohio.

Tech-Mart owner Ayman Arafa declined to say how he acquired it, as well as two other devices he sold to investigators.

An eBay spokesman said company policy prohibited advertising electronic devices that contained personally identifiable information.

“Ads that violate this policy will be removed, and users may face actions up to and including permanent account suspension,” the spokesperson said.

The sensitive data on the devices was stored on memory cards.

Had the cards been removed and destroyed, this data would not have been exposed.

“The irresponsible handling of this high-risk technology is unbelievable,” Marx said.

“We find it incomprehensible that the manufacturer and former military users don’t care that used devices with sensitive data are being sold online.”

The Times reviewed manuals and online documentation for the HIIDE and SEEK II devices and found that they were designed to search biometric files stored on government servers.

However, they are capable of storing thousands of biometric records for use in an environment with limited internet connectivity, which may help explain why these biometric records were still on these devices.

Ella Jakubowska, policy adviser on biometric information at European Digital Rights, a privacy advocacy group, said the military should inform everyone whose data has been exposed.

“It doesn’t matter that it’s from a decade ago,” he said.

“One of the key points that we’re always trying to make about biometric data and why it’s so sensitive is because it can identify you forever“.

Jakubowska said it doesn’t matter if some of those in the database have committed crimes or are on watch lists.

“You are still a human being, and it is an indicator of democratic societies that we continue to treat people, including criminals, with dignity and respect for their human rights,” he said.

Marx alerted the Defense Department about the exposed data, as well as the device’s manufacturer, HID Global.

When asked for comment, HID Global said in a statement that it was not “sharing details about our customers or specific product implementations.”

“The configuration, management, protection, storage and regular deletion of data is the responsibility of the organization using HID-manufactured devices,” the company said.

Belkis Wille, a researcher at Human Rights Watch who has written about the use of biometrics in Afghanistan, told German public broadcaster Bayerischer Rundfunk that people who had worked with the US government and were affected by the leak should be given the chance to leave Afghanistan and apply for asylum.

“Even an ex-policeman who is in hiding, who has changed his name, because he doesn’t want to be captured by the Taliban, is no longer safe,” he told Bayerischer Rundfunk.

“This system means they really have no way to protect themselves.”

Marx was scheduled to present his findings at a hacker event in Berlin on Tuesday.

Once analysis of the biometric devices is complete, he and his fellow researchers plan to wipe personally identifiable data.

c.2022 The New York Times Company

look also

Source link

About Admin

Check Also

The US sanctions an Iranian aviation company for supplying Russia with drones to attack Ukraine

Updated Friday, January 6, 2023 – 20:18 Treasury Department Designates Six Executives and Board Members …

Leave a Reply

Your email address will not be published. Required fields are marked *