Hacks: Govt ID Systems Sold Via Auction Sites

[grarpamp]

Ever notice how the narrative is always "OMG, must protect
it better, moar, moar, moar" instead of "Fuck, end it all as being
evil, was never needed or right approach or freedom in the first place."
Always about Gov Mil Agent Informer lives, never about peoples.


"The Consequences Could Be Fatal": Abandoned US Military Equipment
Found On Ebay Risks Afghan Lives

After the Biden administration's chaotic withdrawal from transfer of
power to the Taliban in Afghanistan, abandoned US military equipment
which contain biometric data have been popping up on Ebay.
A Secure Electronic Enrollment Kit, or SEEK II, purchased by German
researchers on eBay.Credit...Andreas Meichsner for The New York Times

Over the past year, German security researcher Matthias Marx and a
small group of researchers at Chaos Computer Lab, a European hacker
association, have bought six SEEK II (Secure Electronic Enrollment
Kit) on the popular auction website, according to the NY Times.

The device, built as part of the Pentagon's vast biometric collection
expansion following the Sept. 11, 2011 attacks, has a tiny screen, a
little keyboard, and a mouse pad. It also contains a thumbprint reader
under a hinged plastic lid, an iris scanner, and a camera. They
contained biometric data at detainment facilities, on patrols, during
screenings of local hires, and after the explosion of an IED.
Officials at the time were concerned over a rash of shooting in which
Afghan police and soldiers fired on American troops, and were hoping
that biometric data could help identify any possible Taliban agents
within their bases.

    The shoebox-shaped device, designed to capture fingerprints and
perform iris scans, was listed on eBay for $149.95. A German security
researcher, Matthias Marx, successfully offered $68, and when it
arrived at his home in Hamburg in August, the rugged, hand-held
machine contained more than what was promised in the listing.

    The device’s memory card held the names, nationalities,
photographs, fingerprints and iris scans of 2,632 people.

    Most people in the database, which was reviewed by The New York
Times, were from Afghanistan and Iraq. Many were known terrorists and
wanted individuals, but others appeared to be people who had worked
with the U.S. government or simply been stopped at checkpoints.
Metadata on the device, called a Secure Electronic Enrollment Kit, or
SEEK II, revealed that it had last been used in the summer of 2012
near Kandahar, Afghanistan. -NY Times

In response to the story, Defense Department spox Brig. Gen. Patrick
S. Ryder said: "Because we have not reviewed the information contained
on the devices, the department is not able to confirm the authenticity
of the alleged data or otherwise comment on it," adding "The
department requests that any devices thought to contain personally
identifiable information be returned for further analysis."

"It was disturbing that they didn’t even try to protect the data,"
said Marx. "They didn’t care about the risk, or they ignored the
risk."
Mr. Marx used the SEEK II to scan his fingerprint.Credit...Andreas
Meichsner for The New York Times

DC lawyer Stewart Baker, a former national security official, said
that the biometric devices were useful tools in war zones, but that
the data collected needed to be kept under control. He suggested that
a data breach would "make a lot of people who helped the U.S. and are
still in Afghanistan really uncomfortable."

"This should not have happened," Baker added. "It is a disaster for
the people whose data is exposed. In the worst cases, the consequences
could be fatal."

    Of the six devices the researchers bought on eBay — four SEEKs and
two HIIDEs, for Handheld Interagency Identity Detection Equipment —
two of the SEEK II devices had sensitive data on them. The second SEEK
II, with location metadata showing it was last used in Jordan in 2013,
appeared to contain the fingerprints and iris scans of a small group
of U.S. service members. -NY Times

In one case, an American's biometric data was found in one of the
databases. He was formerly a Marine intelligence specialist who still
works in intelligence, and said that his data was most likely
collected during a military training course. He asked that his
biometric file be deleted.

According to the Defense Logistics Agency, which is tasked with
equipment disposal, the SEEK II and HIIDE devices never should have
made it to the open market. Gear such as this is supposed to be
destroyed on-site when no longer needed by the military.

One of the Ebay sellers, surplus equipment reseller Rhino Trade, said
they bought the SEEK II at a military auction of government equipment
and did not realize it had sensitive data on it.

"I hope we didn't do anything wrong," said David Mendez, the company's
treasurer.

"The irresponsible handling of this high-risk technology is
unbelievable," said Marx. "It is incomprehensible to us that the
manufacturer and former military users do not care that used devices
with sensitive data are being hawked online."