[BreachExchange] German military laptop with classified data sold on Ebay

Destry Winant destry at riskbasedsecurity.com
Wed Mar 18 10:26:15 EDT 2020


https://www.dw.com/en/german-military-laptop-with-classified-data-sold-on-ebay/a-52791809

German security researchers discovered easily accessible, classified
military information on a laptop sold on eBay.

Security specialists from G Data, based in the western city of Bochum,
bought a used Bundeswehr laptop for €90 ($100).

On the computer were a series of documents, including instructions on
how to destroy the LeFlaSys Ozelot air defence system.

The LeFlaSys Ozelot is a mobile air defense missile system first
deployed in 2001 and still in use today. The surface-to-air system is
used to quickly react against air threats, protecting command centers
and troops on the move.

The files were marked "VS-Nur für den Dienstgebrauch" — the lowest
level of secret classification.

Unsecured system

G Data security expert Tim Berghoff told DW the rugged, splash-proof
computer weighed 5 kilograms (11 pounds) and was designed for field
use. Berghoff said the device was probably made in the early 2000s and
still ran well.

"The notebook PC we acquired contains extensive technical information
on the LeFlaSys system, including step-by-step instructions for
operation as well as maintenance. Information on how to operate the
target acquisition system, as well as the weapons platform itself, can
be found on there, and, of course, instructions on how to destroy the
entire system to prevent its use by enemy forces," Berghoff told DW.

He and Alexandra Stehr, a developer in G Data's threat analysis team,
created a bit-by-bit copy of the hard drive.

"It was easy to access the information. The Windows login required no
password. The login for the program that contained the documentation
of the weapons system was protected with a very easy-to-guess
password. From then on, you could freely browse through the
documentation."

The device was sold by a recycling firm from Bingen.

Data should have been destroyed

The Defense Ministry told German news magazine Der Spiegel, which first
reported on the case, that the recycling firm was responsible for
destroying the data.

"The old computers used for LeFlaSys have all been decommissioned and
sent for recycling with orders to erase or render existing storage
media unusable," a spokeswoman told the news magazine.

"It can be assumed that an error occurred during the recycling of the
computer in question."

It said the information recovered was not a serious data breach and
did not give potential enemies critical information.

The military is legally obligated to destroy all data before selling
IT equipment.

In 2019, a forest ranger from Upper Bavaria found classified
instructions for the Mars mobile rocket artillery when he bought four
laptops from an auction run by federal authorities.

