The U.S. military used biometric devices en masse to capture people in Afghanistan. Some devices were left behind during the hasty withdrawal of NATO troops. CCC researchers found large amounts of biometric and other personal data when analyzing such devices. In the wrong hands, this data is life-threatening for people in Afghanistan and Iraq.
The biometric devices were used to identify individuals, e. g. at checkpoints when screening for wanted persons, or to control access by local collaborators. On used U.S. military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis.
The entire population of Afghanistan was biometrically catalogued -- supported by the German Bundeswehr. The motivation for this systematic collection of fingerprints, irises, faces and DNA was to enable the distinction between good and bad people. Programs such as the Automated Biometric Identification System (ABIS) were designed to identify known criminals, as well as local collaborators or Afghan security forces, at any time.
Any biometric database is a ticking time bomb. When the Taliban captured the biometric devices, concerns were raised that the devices could be used to identify former local collaborators. Human Rights First thus published a guide to evading the misuse of biometric data.
There is no escape from biometric surveillance. We cannot simply change our biometric data. This danger was well known those in charge. Back in 2007, a member of the U.S. military warned of a similar biometric database in Iraq: "This database... becomes a hit list if it gets in the wrong hands."
Allegedly, access to the biometrics database should not be possible without further technology. But even if that were the case, of course, the Taliban could still simply use the devices. Unfortunately, our research shows that all data on the mobile biometric devices is completely unprotected. We were able to read, copy and analyze them without any difficulty.
Alarmed by news reports about biometric devices in the Taliban's hands, Matthias Marx, snoopy, starbug, md and other CCC members started to gather information about these devices. While doing so, they came across several offers at an online auction house. They were able to acquire a total of
The devices were examined forensically.
From a technical perspective, the analyses were downright boring: All storage mediums were unencrypted. A well-documented standard password was the only thing needed to gain access. Also, the database was a standard database with standard data formats. It was fully exported with little effort.
The extracted data was all the more impressive: The various devices shopped online contained names and biometric data of two U.S. military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos of 2,632 people. The device containing this database had last been used somewhere between Kabul and Kandahar in mid-2012.
The CCC then informed the SEEK device's manufacturer, Crossmatch Technologies (now: HID Global), and two known users of the devices, the US Department of Defense and the German Bundeswehr, about the vulnerability. The responsible parties were also informed that used devices with highly sensitive data can easily be ordered on the Internet. However, no one seems to care about the data leak:
We received an acknowledgement of receipt from the Bundeswehr, the Department of Defense kindly referred us to the manufacturer, and the manufacturer did nothing.
Two and a half months after our report, we were able to order another biometric device online.
"The irresponsible handling of this high-risk technology is unbelievable," said Matthias Marx, who led the CCC research group. The consequences are life-threatening for the many people in Afghanistan who were abandoned by the western forces. "It is inconceivable to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online," Marx continued.
And yet all of this was predictable, because biometric databases cannot be effectively or permanently secured against illegitimate interests. What happened in Afghanistan is just a foretaste of the many biometric databases that will fall into the wrong hands in the future.
It is always a bad idea to centrally collect such data in bulk.
With regard to a Memorandum of Understanding, we are interested in the German Bundeswehr's role: