US military's biometric capture device is for sale on eBay

Security researchers at the Chaos Computer Club (CCC), a European hacker organization, purchased six biometric capture devices previously used by the U.S. military on eBay. One such device called Secure Electronic Enrollment Kit, or SEEK II, was auctioned for a price of $68 with sensitive personnel information on it still accessible, The New York Times reported.

The shoebox-shaped device equipped to capture and store uniquely identifiable biometric data such as iris scans and fingerprints was listed on the online website for $149.95. Matthias Marx, a member of the CCC, offered a meager $68 for the same, and it was shipped to his hometown of Hamburg, Germany, with names, nationalities, photographs, and biometric data of 2,632 people, accessible without any encryption.

The details of these individuals were verified by The New York Times: They were found to be individuals from Iraq and Afghanistan. While many were wanted individuals or known terrorists, there were also locals who had worked with the U.S. government when American troops were stationed in these areas.

What does the SEEK device do?

The SEEK II device is a component of the biometric data collection system that the U.S. made following the September 2001 attacks. The device has a tiny screen, a physical keyboard as well as a small mouse pad. It is also equipped with a thumbprint reader under a hinged plastic lid and can also record iris scans as well as photographs of individuals.

The device was meant to help the ground troops identify individuals who visited U.S. bases in Afghanistan and Iraq and help identify insurgents. However, following the U.S. withdrawal from this region, this data should have been wiped off from these devices. In August last year, Interesting Engineering reported the risks of these devices falling into the wrong hands following the shift in power to the Taliban regime in the region.

The German researchers were looking to source these devices to determine how easy it would have been for the Taliban to tap into these resources haphazardly left back by the U.S. troops. During their research, they found six such devices which they bought for less than 200 euros (US$ 213) on public sites.

Data on U.S. citizens too

The researchers found another SEEK device which was last used in Jordan in 2013 and also had data belonging to U.S. citizens that were working in the intelligence fields for the U.S. military, and one whom The Times contacted was currently in service. It is likely that the data on the device was collected during the training course.

While these devices are designed to store the data on U.S. government servers, they are also equipped with memory cards to enable functionality in regions with limited internet connectivity. The removal of these memory cards from the devices would have been sufficient to prevent data from being exposed. However, this wasn't done for the two SEEK II devices during the rapid withdrawal of troops.

The manufacturer of the device, HID Global, shrugged off the responsibility arising from the use of the devices post-sale. Human rights advocates told NYT that the U.S. should approach these individuals whose information may have been exposed and offer them the opportunity to leave Afghanistan and seek asylum in the U.S. The consequences of such data exposure for the individuals could be fatal.