A new report found that voting machines in Virginia used in three presidential elections were susceptible to hacking. They had passwords as penetrable as ‘abcde’ and ‘admin.’
As The Guardian reported Wednesday, the AVS WinVote machines, in service between 2002 and 2014, would receive an “F-minus,” according to a study prepared by the Virginia Information Technologies Agency.
According to the executive summary of the report entitled “Security Assessment of WINVote Voting Equipment for Department of Elections,” security protocols on the machines “would not be able to prevent a malicious third party from modifying the votes recorded by the WINVote devices.”
The primary contributor to these findings is a combination of weak security controls used by the devices: namely, the use of encryption protocols that are not secure, weak passwords, and insufficient system hardening.
Jeremy Epstein, of Menlo Park, California-based SRI International, served on a commission investigating the machines in 2008. He has been working to have them decertified since then.
“I got to question a guy by the name of Brit Williams, who’d certified them, and I said, ‘How did you do a penetration test?’” he told The Guardian. “And he said, ‘I don’t know how to do something like that’.”
Williams, now retired, referred The Guardian to former colleagues at Kennesaw State University who have taken over the reins of certification duties since his departure.
“You could have broken into one of these with a very small amount of technical assistance,” Epstein told the publication. “I could teach you how to do it over the phone. It might require an administrator password, but that’s okay, the password is ‘admin’.”
The most recent commission found that the software had not been updated since 2004 and that it was possible to “create and execute malicious code,” and offered the following in conclusion:
- Passwords were less than seven characters and did not meet best practices for complexity (i.e. they consisted of only lowercase letters). Cracking these passwords required minimal effort using freely available toolsets.
- Passwords were consistent across all systems tested and appear to be part of the default configuration. All passwords identified were simple and easily guessed, consisting of either a common pattern (i.e., abcde), a common default password (i.e., admin), or a phrase directly related to the system manufacturer (shoup).
- The scope of testing did not include the impact of changing the default password. But it does not appear possible to change the wireless password directly on the WINVote device. In addition, the impact to the WINVote application once the passwords were changed is unclear. Possible impacts range from lost communication between systems to the inability to record votes properly.
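The password findings above translate directly into checks an election office or vendor could run over a device credential inventory before certification. The following is an added example, not code from the report or from any party named in this article; the function names, the device names, the strong sample password and the short list of common defaults are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed policy values taken from the findings quoted above.
MIN_LENGTH = 7
COMMON_DEFAULTS = {"admin", "password", "guest", "default"}  # illustrative, not exhaustive

def is_sequential(pw: str) -> bool:
    """True for runs such as 'abcde' or '12345' (each character one step after the last)."""
    return len(pw) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))

def audit(inventory: dict[str, str], vendor_terms: set[str]) -> dict[str, list[str]]:
    """Return {device: [findings]} for every device whose credential fails a check."""
    users = defaultdict(list)  # password -> devices using it, to detect fleet-wide reuse
    for device, pw in inventory.items():
        users[pw].append(device)
    report = {}
    for device, pw in inventory.items():
        findings = []
        if len(pw) < MIN_LENGTH:
            findings.append("too_short")
        if pw.isalpha() and pw.islower():
            findings.append("lowercase_only")
        if is_sequential(pw):
            findings.append("common_pattern")
        if pw.lower() in COMMON_DEFAULTS:
            findings.append("common_default")
        if any(term in pw.lower() for term in vendor_terms):
            findings.append("vendor_related")
        if len(users[pw]) > 1:
            findings.append("shared_across_devices")
        if findings:
            report[device] = findings
    return report

# Constructed inventory: device names are hypothetical; the weak values are the
# three passwords quoted in the article, the last entry is a made-up strong one.
SAMPLE = {
    "unit-01": "abcde",
    "unit-02": "abcde",
    "unit-03": "admin",
    "unit-04": "shoup",
    "unit-05": "T7#qm9!Lx2vR",
}
SAMPLE_VENDOR_TERMS = {"shoup"}

if __name__ == "__main__":
    for device, findings in audit(SAMPLE, SAMPLE_VENDOR_TERMS).items():
        print(device, ", ".join(findings))
```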
This post originally appeared on Western Journalism – Equipping You With The Truth