In “how the heck did that happen” news, German security researchers got more than they bargained for after purchasing a biometric capture device off eBay. The device, which was created to capture fingerprints and perform iris scans, was initially listed on the e-commerce auction website eBay for $149.95. But security researcher Matthias Marx managed to wrangle it for the lower price of $68.
A bargain, especially considering what he found stored on it when it arrived in his Hamburg home — 2,632 people’s names, nationalities, photographs, fingerprints, and iris scans.
The New York Times reviewed the database and found that most people on the device were from Afghanistan and Iraq. While some were terrorists or known criminals, many were individuals believed to have worked with the US government or random people who had simply been stopped at checkpoints. According to metadata, the device was last used near Kandahar, Afghanistan, in the summer of 2012.
The device, known as the SEEK II, is a shoebox-shaped device containing tiny hardware, such as a miniature keyboard, screen, and mousepad. It features a thumbprint reader at the bottom of the device, protected by a hinged plastic lid, while the machine unfolds to take photos and perform Iris scans.
Marx and fellow researchers at a European hacker association known as the Chaos Computer Club have been purchasing biometric capture devices off eBay for the past year to analyze them for design flaws and vulnerabilities. Their interest was motivated by reports that the Taliban sized these devices once the US left Afghanistan. The group bought six devices in total, with two of the SEEK II devices containing sensitive data. The purpose of the research was to find out whether the Taliban could have gleaned information about individuals who helped the US military from these devices, consequently putting them in danger. Judging by the lack of encryption, it’s likely they did.
Marx was shocked to find the information so easily available on the device, telling The New York Times, “It was disturbing that they didn’t even try to protect the data. They didn’t care about the risk, or they ignored the risk.”
According to the Defense Logistics Agency, when military personnel no longer need all biometric collection gear, it’s supposed to be destroyed. The agency says it should never have made it to the open market. The eBay seller, Rhino Trade, a surplus equipment company in Texas, said they bought the SEEK II at an auction of government equipment and did not realize it had sensitive information.
When they complete their analysis of biometric devices, Marx and his fellow researchers plan to delete all information stored on them.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.