While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation's vulnerable election infrastructure[1]. New research, though, shows they haven't done nearly enough, particularly when it comes to voting machines.
The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference's Voting Village event[2]. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections[3], including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades[4].
"We didn't discover a lot of new vulnerabilities," says Matt Blaze, a computer science professor at the University of Pennsylvania and one of the organizers of the Voting Village, who has been analyzing voting machine security for more than 10 years. "What we discovered was vulnerabilities that we know about are easy to find, easy to reengineer, and have not been fixed over the course of more than a decade of knowing about them. And to me that is both the unsurprising and terribly disturbing lesson that came out of the Voting Village."
Many of the weaknesses Voting Village participants found were frustratingly basic, underscoring the need for a reckoning with manufacturers. One device, the "ExpressPoll-5000," has root password of "password." The administrator password is "pasta."
Like many of the vulnerabilities detailed in the report, that knowledge could only be used in an attack if perpetrators had physical access to the machines. And even the remotely exploitable bugs would be difficult—though certainly not impossible—to