30 December 2022

Any biometric database is a ticking time bomb ... Secure Electronic Enrollment Kit, or SEEK II

 WHOA! ✓ Any biometric database is a ticking time bomb. When the Taliban captured the biometric devices, concerns were raised that the devices could be used to identify former local collaborators. Human Rights First thus published a guide to evading the misuse of biometric data.

Backstory: Biometric census of the Afghan population

The entire population of Afghanistan was biometrically catalogued -- supported by the German Bundeswehr. The motivation for this systematic collection of fingerprints, irises, faces and DNA was to enable the distinction between good and bad people. Programs such as the Automated Biometric Identification System (ABIS) were designed to identify known criminals, as well as local collaborators or Afghan security forces, at any time.

✓ Any biometric database is a ticking time bomb. When the Taliban captured the biometric devices, concerns were raised that the devices could be used to identify former local collaborators. Human Rights First thus published a guide to evading the misuse of biometric data.

✓ The risk was well known to all

There is no escape from biometric surveillance. We cannot simply change our biometric data. This danger was well known to those in charge. Back in 2007, a member of the U.S. military warned of a similar biometric database in Iraq: "This database... becomes a hit list if it gets in the wrong hands."

✓✓ The data is unprotected

Allegedly, access to the biometrics database should not be possible without further technology. But even if that were the case, of course, the Taliban could still simply use the devices. Unfortunately, our research shows that all data on the mobile biometric devices is completely unprotected. We were able to read, copy and analyze them without any difficulty.

✓ ✓✓ Used devices in online auctions

Alarmed by news reports about biometric devices in the Taliban's hands, Matthias Marx, snoopy, starbug, md and other CCC members started to gather information about these devices. While doing so, they came across several offers at an online auction house. They were able to acquire a total of

  • four devices of type SEEK II (Secure Electronic Enrollment Kit) and
  • two devices of type HIIDE 5 (Handheld Interagency Identity Detection Equipment).

The devices were examined forensically.

From a technical perspective, the analyses were downright boring: All storage media were unencrypted. A well-documented standard password was the only thing needed to gain access. Also, the database was a standard database with standard data formats. It was fully exported with little effort.

✓✓✓✓ sensitive biometric data of 2,632 individuals

The extracted data was all the more impressive: The various devices bought online contained names and biometric data of two U.S. military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos of 2,632 people. The device containing this database had last been used somewhere between Kabul and Kandahar in mid-2012.

✓✓ ✓✓✓ Lack of risk awareness among manufacturers, US and German military

The CCC then informed the SEEK device's manufacturer, Crossmatch Technologies (now: HID Global), and two known users of the devices, the US Department of Defense and the German Bundeswehr, about the vulnerability. The responsible parties were also informed that used devices with highly sensitive data can easily be ordered on the Internet. However, no one seems to care about the data leak:

We received an acknowledgement of receipt from the Bundeswehr, the Department of Defense kindly referred us to the manufacturer, and the manufacturer did nothing.

Two and a half months after our report, we were able to order another biometric device online.

✓✓✓✓✓✓ Life-threatening irresponsibility

"The irresponsible handling of this high-risk technology is unbelievable," said Matthias Marx, who led the CCC research group. The consequences are life-threatening for the many people in Afghanistan who were abandoned by the western forces. "It is inconceivable to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online," Marx continued.

And yet all of this was predictable, because biometric databases cannot be effectively or permanently secured against illegitimate interests. What happened in Afghanistan is just a foretaste of the many biometric databases that will fall into the wrong hands in the future.

It is always a bad idea to centrally collect such data in bulk.


We have a few more questions...

www.nytimes.com

For Sale on eBay: A Military Database of Fingerprints and Iris Scans

Kashmir Hill, John Ismay, Christopher F. Schuetze, Aaron Krolik

German security researchers studying biometric capture devices popular with the U.S. military got more than they expected for $68 on eBay.

A Secure Electronic Enrollment Kit, or SEEK II, purchased by German researchers on eBay. Credit: Andreas Meichsner for The New York Times

"The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing.

The device’s memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.

Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints. Metadata on the device, called a Secure Electronic Enrollment Kit, or SEEK II, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan.

The device — a relic of the vast biometric collection system the Pentagon built in the years after the Sept. 11, 2001, attacks — is a physical reminder that although the United States has moved on from the wars in Afghanistan and Iraq, the tools built to fight them and the information they held live on in ways unintended by their creators.

Exactly how the device ended up going from the battlefields in Asia to an online auction site is unclear. But the data, which offers detailed descriptions of individuals in addition to their photograph and biometric data, could be enough to target people who were previously unknown to have worked with U.S. military forces should the information fall into the wrong hands.

For those reasons, Mr. Marx would not place the information online or share it in an electronic format, but he did allow a Times reporter in Germany to see the data in person alongside him.

“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” Brig. Gen. Patrick S. Ryder, the Defense Department’s press secretary, said in a statement. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”

He provided an address for the military’s biometrics program manager at Fort Belvoir in Virginia where the devices could be sent.

The biometric data on the SEEK II was collected at detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb. Around the time when the device was last used in Afghanistan, the American war effort there was winding down. Osama bin Laden had been killed in Pakistan a year earlier — his identity reportedly confirmed using facial recognition technology.

One of the main concerns of military leaders at that time was a rash of shootings in which Afghan soldiers and police turned their guns on American troops. They hoped that the biometric enrollment program would help identify any possible Taliban agents inside their own bases.

A 2011 “commander’s guide to biometrics in Afghanistan” described face, fingerprint and iris scans as a “relatively new” but “decisive battlefield capability” that “effectively identifies insurgents, verifies local and third-country nationals accessing our bases and facilities, and links people to events.”

The SEEK II has a tiny screen, a miniature physical keyboard and an almost comically small mouse pad. A thumbprint reader is protected by a hinged plastic lid at the bottom of the device. Like an ancient Polaroid camera, the machine unfolds to allow iris scans and to take photos. Mr. Marx used the SEEK II on himself; when he turned it off, a message popped up, asking to connect to a U.S. Special Operations Command server to upload the new “collected biometrics.”

Over the past year, Mr. Marx and a small group of researchers at the Chaos Computer Club, a European hacker association, bought six biometric capture devices on eBay, most for less than 200 euros, planning to analyze them to find any vulnerabilities or design flaws. They were motivated by concerns raised last year that the Taliban had seized such devices after the U.S. evacuation from Afghanistan. The group of researchers wanted to understand whether the Taliban could have gotten biometric data about people who had assisted the United States from the devices, putting them at risk.

Finding so much information sitting unencrypted and easily accessible shocked them.

“It was disturbing that they didn’t even try to protect the data,” Mr. Marx said, referring to the U.S. military. “They didn’t care about the risk, or they ignored the risk.” 

Matthias Marx is a security researcher at the Chaos Computer Club, a European hacker association. Credit: Andreas Meichsner for The New York Times

Stewart Baker, a Washington lawyer and former national security official, said that biometric scanning was a valuable tool in war zones but that the collected data needed to be kept under control. He predicted that the data breach would “make a lot of people who helped the U.S. and are still in Afghanistan really uncomfortable.”

“This should not have happened,” Mr. Baker said. “It is a disaster for the people whose data is exposed. In the worst cases, the consequences could be fatal.”


Of the six devices the researchers bought on eBay — four SEEKs and two HIIDEs, for Handheld Interagency Identity Detection Equipment — two of the SEEK II devices had sensitive data on them. The second SEEK II, with location metadata showing it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of U.S. service members.

When reached by The Times, one American whose biometric scan was found on the device confirmed that the data was likely his. He previously served as a Marine intelligence specialist and said his data, and that of any other American found on these devices, was most likely collected during a military training course. The man, who spoke on the condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked that his biometric file be deleted.

Military officials said the only reason these devices would have data on Americans would be their use during training sessions, a common practice to prepare for employing them in the field.

According to the Defense Logistics Agency, which handles the disposal of millions of dollars of excess Pentagon matériel each year, devices like the SEEK II and the HIIDE never should have made it to the open market — much less an online auction site like eBay. Instead, all biometric collection gear is supposed to be destroyed on site when no longer needed by military personnel, as are other electronic devices that once held sensitive operational information.

How eBay sellers obtained these devices is unclear. The device with the 2,632 profiles was sold by Rhino Trade, a surplus equipment company in Texas. The company’s treasurer, David Mendez, said it had bought the SEEK II at an auction of government equipment and did not realize a decommissioned military device would have sensitive data on it.

“I hope we didn’t do anything wrong,” he said.

The SEEK II with the American troops’ information came from Tech-Mart, an eBay seller in Ohio. Tech-Mart’s owner, Ayman Arafa, declined to say how he had acquired it, or two other devices he sold to the researchers.

An eBay spokesman said company policy prohibited the listing of electronic devices that contained personally identifiable information. “Listings that violate this policy will be removed, and users may face actions up to, and including, a permanent suspension of their account,” the spokesman said.

The sensitive data on the devices was stored on memory cards. If the cards had been removed and destroyed, this data would not have been exposed.

“The irresponsible handling of this high-risk technology is unbelievable,” Mr. Marx said. “It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online.”

The Times reviewed online manuals and documentation for the HIIDE and SEEK II devices and found that they were designed to search biometric files kept on government servers. However, they are able to store thousands of biometric records for use in an environment with limited internet connectivity, which may help explain why these biometric records were still on these devices.

Mr. Marx used the SEEK II to scan his fingerprint. Credit: Andreas Meichsner for The New York Times

Ella Jakubowska, a policy adviser on biometric information at European Digital Rights, a privacy advocacy group, said the military should inform all the people whose data had been exposed.

“It doesn’t matter that it’s from a decade ago,” she said. “One of the key points that we’re always trying to raise about biometric data and why it’s so sensitive is because it can identify you forever.”

Ms. Jakubowska said it did not matter if some in the database had committed crimes or were on watchlists. “You are still a human, and it’s a marker of democratic societies that we still treat people, even criminals, with dignity, and with respect for their human rights,” she said.

Mr. Marx alerted the Department of Defense about the unprotected data, as well as the manufacturer of the device, HID Global. Asked for comment, HID Global said in a statement that it did not “share details about our customers or specific product implementations.”

“The configuration, management, protection, storage and regularity of deletion of data is the responsibility of the organization using HID-manufactured devices,” the company said.

Belkis Wille, a researcher at Human Rights Watch who has written about the use of biometrics in Afghanistan, told the German public broadcaster Bayerischer Rundfunk that people who had worked with the U.S. government and were affected by the breach should be given the opportunity to leave Afghanistan and apply for asylum.

“Even a former policeman who is in hiding, who has changed their name, because they don’t want the Taliban to capture them isn’t safe anymore,” she told Bayerischer Rundfunk. “This system means that they really have no way to protect themselves.”

Mr. Marx planned to present his findings at an event for hackers in Berlin on Tuesday. After the analysis of the biometric devices is complete, he and his fellow researchers plan to delete the personally identifiable data."

29 December 2022

HIIDE HARDWARE: Oops! Thanks for the memories, huh?

No doubt one of those "cautionary tales". The devices, known as Handheld Interagency Identity Detection Equipment (HIIDE), are designed to guarantee accurate identification of a person, even if their appearance has dramatically changed.

JUST HOW EASY is it to eject/insert a memory card? (Illustration: How to insert and eject a memory card)

CCC captures U.S. military biometrics database

2022-12-27 06:20:48, linus

The U.S. military used biometric devices en masse to capture people in Afghanistan. Some devices were left behind during the hasty withdrawal of NATO troops. CCC researchers found large amounts of biometric and other personal data when analyzing such devices. In the wrong hands, this data is life-threatening for people in Afghanistan and Iraq.

The biometric devices were used to identify individuals, e.g. at checkpoints when screening for wanted persons, or to control access by local collaborators. On used U.S. military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis.
