During military operations in Afghanistan and Iraq, the American armed forces are building up a biometric database of friend and foe. But security doesn’t seem to be taken very seriously: Six of the biometric devices used end up at the Chaos Computer Club via Ebay.

A German security researcher from the Chaos Computer Club (CCC) has successfully purchased several devices on Ebay, which are said to have contained complete data sets of suspected terrorists and wanted persons, but also local US military personnel. The New York Times reports that most of the people whose biometric data was collected during US military operations after September 11, 2001 are Afghans and Iraqis.

As the newspaper reports, one of these biometric devices was listed at auction on Ebay for US$149.95. CCC researcher Matthias Marx won with a bid of only 68 US dollars. After the auction, the device was sent to him in Hamburg in August. He then discovered fingerprints, iris scans, faces and DNA from a total of 2,632 people on the memory card. According to the report, the device, dubbed SEEK II (Secure Electronic Enrollment Kit), was last deployed near the Afghan city of Kandahar in the summer of 2012.

According to the information, it is not possible to understand how the device ended up on Ebay a decade later after being used in Afghanistan. When asked by the New York Times, the US Department of Defense demanded that it be returned to the US authorities for further investigation.

As the Chaos Computer Club (CCC) itself reports, he and Marx bought a total of six of these biometric devices on Ebay over a period of a year – most for less than $200 each. Accordingly, some of them were simply forgotten in the country when NATO left Afghanistan in the summer of 2021. “Every biometric database is a ticking time bomb,” write the cyber security experts. “Since the Taliban captured the biometric devices, there has been concern that they could be used to identify former local staff.”

Greater computer knowledge is therefore not necessary for the use of the devices. “From a technical point of view, the investigations were downright boring,” says the CCC. “All data carriers were unencrypted. Only a well-documented standard password had to be entered for access protection. The database was also a standard database with standard data formats. It could be completely exported with little effort.”

According to the CCC, the manufacturer of the devices, the Pentagon and the Bundeswehr, which is also said to have used them in Afghanistan to collect data from suspects and local staff, were informed of the security gaps – so far without any result: “We received a confirmation of receipt from the Bundeswehr that The US Department of Defense kindly referred us to the manufacturer, and the manufacturer did nothing,” the experts write. “Two and a half months after our notification, we were able to order another biometric device online.”

According to the “New York Times”, the devices similar to a Polaroid camera are still functional. Accordingly, CCC researcher Marx tested one of them on himself. He was then asked to connect it to a US military server for data transfer.