Security researchers have exposed an embarrassing security lapse by the US military, which could put lives at risk.
German researchers who bought biometric capture devices on eBay were shocked to discover sensitive US military data stored on their memory cards.
The data reportedly included fingerprints, iris scans, photographs, names and descriptions of people, mostly from Afghanistan and Iraq. To make matters worse, many of these people worked with the US military and could therefore be potential targets if the data fell into the wrong hands.
Chaos Computer Club
The German security researchers are from the Chaos Computer Club (CCC), which has previously made a name for itself by exposing security flaws in other systems and devices.
The CCC explained that the US military used biometric devices en masse to capture the biometrics of people in Afghanistan. Unfortunately, some devices were left behind during the hasty withdrawal of NATO troops.
“CCC investigators found large amounts of biometric and other personal data when analyzing these devices,” the researchers stated. “In the wrong hands, this data endangers the lives of people in Afghanistan and Iraq.”
Biometric devices were used to identify individuals, and “we discovered, among other things, in used US military equipment, an unsecured biometric database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis,” the researchers noted.
It should be remembered that the entire population of Afghanistan was biometrically scanned to help coalition forces identify and track the Taliban and their supporters.
“Supposedly, access to the biometric database should not be possible without more technology,” CCC said. “But even if that were the case, of course, the Taliban could just use the devices. Unfortunately, our research shows that all data on mobile biometric devices is completely unprotected. We were able to read, copy and analyze them without any difficulty.”
So how did the CCC researchers obtain these biometric devices?
“Alarmed by reports of biometric devices in the hands of the Taliban, Matthias Marx, snoopy, starbug, md, and other members of the CCC began collecting information on these devices,” the researchers stated. “While doing so, they came across several offers on an online auction house.”
The investigators acquired a total of:
- four SEEK II type devices (Secure Electronic Enrollment Kit) and
- two HIIDE 5 type devices (Handheld Interagency Identity Detection Equipment).
The devices were forensically examined, and the researchers found that “all storage media were not encrypted. A well-documented standard password was all that was needed to gain access. Furthermore, the database was a standard database with standard data formats. It was fully exported with little effort.”
The devices CCC acquired “contained names and biometrics of two US military personnel, GPS coordinates of previous deployment locations, and a massive biometric database of names, fingerprints, iris scans, and photos of 2,632 people. The device containing this database was last used somewhere between Kabul and Kandahar in mid-2012.”
The researchers notified the manufacturers of the devices and two known users of the devices: the US Department of Defense and the German Bundeswehr.
“However, no one seems to care about the data leak,” CCC said. “We received an acknowledgment from the Bundeswehr, the Defense Department kindly referred us to the manufacturer, and the manufacturer did nothing.”
Two and a half months after their report, the researchers were able to order another biometric device online.
“The irresponsible handling of this high-risk technology is unbelievable,” said Matthias Marx, who led the CCC research group. The consequences endanger the lives of many people in Afghanistan who were abandoned by Western forces.
“It is inconceivable to us that the manufacturer and former military users do not care that used devices with sensitive data are sold online,” Marx continued.
This is not the first time security concerns have been raised about biometric databases.
In 2019, a database used by banks, police and defense contractors was found to have a major security flaw exposing more than a million fingerprints and other sensitive biometric data.
The biometric data was located in a publicly accessible database for a South Korean company called Suprema, which is responsible for the Biostar 2 web-based biometric lock system.
At the time, Suprema downplayed the severity of the breach, saying that “the scope of potentially affected users was significantly smaller than recent public speculation,” a position disputed by Israeli security researchers Noam Rotem and Ran Locar, who had discovered the problem.