The biometric devices were used to identify individuals, e. g. at checkpoints when screening for wanted persons, or to control access by local collaborators. On used U.S. military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis.

Backstory: Biometric census of the Afghan population

The entire population of Afghanistan was biometrically catalogued -- supported by the German Bundeswehr. The motivation for this systematic collection of fingerprints, irises, faces and DNA was to enable the distinction between good and bad people. Programs such as the Automated Biometric Identification System (ABIS) were designed to identify known criminals, as well as local collaborators or Afghan security forces, at any time.

Any biometric database is a ticking time bomb. When the Taliban captured the biometric devices, concerns were raised that the devices could be used to identify former local collaborators. Human Rights First thus published a guide to evading the misuse of biometric data.

The risk was well known to all

There is no escape from biometric surveillance. We cannot simply change our biometric data. This danger was well known those in charge. Back in 2007, a member of the U.S. military warned of a similar biometric database in Iraq: "This database... becomes a hit list if it gets in the wrong hands."

The data is unprotected

Allegedly, access to the biometrics database should not be possible without further technology. But even if that were the case, of course, the Taliban could still simply use the devices. Unfortunately, our research shows that all data on the mobile biometric devices is completely unprotected. We were able to read, copy and analyze them without any difficulty.

Used devices in online auctions

Alarmed by news reports about biometric devices in the Taliban's hands, Matthias Marx, snoopy, starbug, md and other CCC members started to gather information about these devices. While doing so, they came across several offers at an online auction house. They were able to acquire a total of

• four devices of type SEEK II (Secure Electronic Enrollment Kit) and
• two devices of type HIIDE 5 (Handheld Interagency Identity Detection Equipment).

The devices were examined forensically.

From a technical perspective, the analyses were downright boring: All storage mediums were unencrypted. A well-documented standard password was the only thing needed to gain access. Also, the database was a standard database with standard data formats. It was fully exported with little effort.

Highly sensitive biometric data of 2,632 individuals

The extracted data was all the more impressive: The various devices shopped online contained names and biometric data of two U.S. military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos of 2,632 people. The device containing this database had last been used somewhere between Kabul and Kandahar in mid-2012.

Lack of risk awareness among manufacturers, US and German military

The CCC then informed the SEEK device's manufacturer, Crossmatch Technologies (now: HID Global), and two known users of the devices, the US Department of Defense and the German Bundeswehr, about the vulnerability. The responsible parties were also informed that used devices with highly sensitive data can easily be ordered on the Internet. However, no one seems to care about the data leak:

We received an acknowledgement of receipt from the Bundeswehr, the Department of Defense kindly referred us to the manufacturer, and the manufacturer did nothing.

Two and a half months after our report, we were able to order another biometric device online.

Life-threatening irresponsibility

"The irresponsible handling of this high-risk technology is unbelievable," said Matthias Marx, who led the CCC research group. The consequences are life-threatening for the many people in Afghanistan who were abandoned by the western forces. "It is inconceivable to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online," Marx continued.

And yet all of this was predictable, because biometric databases cannot be effectively or permanently secured against illegitimate interests. What happened in Afghanistan is just a foretaste of the many biometric databases that will fall into the wrong hands in the future.

It is always a bad idea to centrally collect such data in bulk.

We have a few more questions

With regard to a Memorandum of Understanding, we are interested in the German Bundeswehr's role:

• Was the data collected under the ISAF mandate actually deleted?
• How did the Bundeswehr deal with the risk that the Afghan biometrics database could become a hit list?
• How are or were devices and access to biometric databases of the Bundeswehr secured against misuse?
• Were local collaborators informed about the risks of biometric capture?
• Was the Bundeswehr able to secure or destroy its own or externally provided biometric enrollment devices?

Links and further information

• The results of the analysis will be presented today at 13:00 in Berlin. A recording of the presentation will be available at media.ccc.de.
• Overview of various mobile biometric devices
• Memorandum of Understanding
• Commander's Guide to Biometrics in Afghanistan