Back in 2012, Symantec researcher Bryan Varner bought some used US voting machines on Ebay and found them to be incredibly insecure and full of real, sensitive election data; in 2016, he did it again and things were even worse.
Voting machines are terrible in every way: the companies that make them lie like crazy about their security, insist on insecure designs, and produce machines that are so insecure that it’s easier to hack a voting machine than it is to use it to vote.
Varner paid less than $100 each for two voting machines. Once he unscrewed the nonfunctional “tamper-proof screws,” he found a Windows CE machine with open USB ports, still bearing their “property of” seals from the government entity that had sold them, filled with voter data. He was able to trivially backdoor them and points out that it would be easy for anyone to do this and then put the machines back on Ebay for sale to other voting authorities.
Varner places the blame for the woeful state of voting security with the states’ insistence on autonomously administering their own elections rather than having a national set of security standards.
I recognize that states are fiercely protective of their rights. But there’s an opportunity here to develop nationwide policies and security protocols that would govern how voting machines are secured. This could be accomplished with input from multiple sectors, in a process similar to the development of the NIST framework—now widely recognized as one of the most comprehensive cybersecurity frameworks in use.Many of the rules we believe should be put into place are uncomplicated and inexpensive. For starters, we can institute lifecycle management of the components that make up the election system. By simply regulating and monitoring the sale of used voting machines more closely, we would create a huge barrier to bad actors.
The fact that information is stored unencrypted on hard drives simply makes no sense in the current threat environment. That they can be left on devices, unencrypted, that are then sold on the open market is malpractice.
Finally, we must educate our poll workers and voters to be aware of suspicious behavior. One vulnerability we uncovered in voting machines is the chip card used in electronic voting machines. This inexpensive card can be purchased for $15 and programmed with simple code that allows the user to vote multiple times. This is something that we believe could be avoided with well-trained, alert poll workers.
I Bought Used Voting Machines on eBay for $100 Apiece. What I Found Was Alarming [Brian Varner/Wired]
(Image: Defcon Voting Village)