Chaos Computer Club (CCC) members have demonstrated that the Taliban could use equipment left behind by NATO forces to identify people they consider their enemies. Since 2011, the US military and its allies had been biometricing masses of people in Afghanistan. Some of the equipment used was left behind by NATO troops during the August 2021 hasty withdrawal, while others are appearing in eBay auctions.
Security researchers around the Hamburg computer scientist and CCC spokesman Matthias Marx have in March 2022 apparently easily bought several of these biometric devices from dealerswho specialize in selling US military legacy stock such as the CCC and Report BR24. According to the CCC, there are four devices of the type SEEK II (Secure Electronic Enrollment Kit) and two devices of the type HIIDE 5 (Handheld Interagency Identity Detection Equipment).
Unprotected Biometrics
Marx and his colleagues then forensically examined the devices and found out, according to their own statements, that they were used to identify people, including at checkpoints when searching for wanted persons, or to control access for local staff. From a technical point of view, “the examinations of the used devices were downright boring”, emphasized the CCC: All data carriers were unencrypted. Only a well-documented standard password had to be entered to protect access. “The Taliban could use these devices immediately,” said CCC spokesman Marx in the BR interview. “There is practically no hurdle.”
What the CCC researchers discovered on the devices is explosive. It contained the names and biometrics of two US military personnel, GPS coordinates of past locations, and a comprehensive biometrics database with names, fingerprints, iris scans, and photos of 2,632 people. According to the information read out, the device with this database was last used somewhere between Kabul and Kandahar in mid-2012.
Routine in Afghanistan 2013: A US Marine scans the iris of a resident in Helmand province.
According to BR, some of the individuals in the data are clearly identified as former members of the police and military. Others would have had access to western military bases. “With such data, the Taliban could very easily understand whether certain people worked for the military,” said IT expert Marx in the BR interview.
No interest in enlightenment
According to the BR report, there was also an entry in the database that could have come from the Bundeswehr. He was provided with the abbreviation “GER”. The Federal Ministry of Defense said on request that there was no information on the facts. Devices used by the Bundeswehr were returned to the NATO mission leadership at the end of the mission.
The CCC emphasizes that after the finds, it informed the manufacturer of the SEEK devices, Crossmatch Technologies, about the vulnerability. In particular, the responsible departments of the US Department of Defense and the German Armed Forces were also informed that the used devices could easily be ordered on the Internet. However, no one seemed to care about the data leak: “We received a confirmation of receipt from the Bundeswehr, the Department of Defense kindly referred us to the manufacturer, and the manufacturer did nothing. Two and a half months after our report, we were able to order another biometric device online.”
CCC spokesman Marx explained that the consequences are life-threatening for the many people in Afghanistan who have been completely abandoned by the US and federal government: “We find it incomprehensible that the manufacturers and the former military users don’t care that used devices with sensitive data being peddled online.”
(raised)
