Touchscreen voting machines used in numerous elections between 2002 and 2014 used “abcde” and “admin” as passwords and could easily have been hacked from the parking lot outside the polling place, according to a state report.
The AVS WinVote machines, used in three presidential elections in Virginia, “would get an F-minus” in security, according to a computer scientist at tech research group SRI International who had pushed for a formal inquiry by the state of Virginia for close to a decade.
In a damning study published Tuesday, the Virginia Information Technology Agency and outside contractor Pro V&V found numerous flaws in the system, which had also been used in Mississippi and Pennsylvania.
Jeremy Epstein, of the Menlo Park, California, nonprofit SRI International, served on a Virginia state legislative commission investigating the voting machines in 2008. He has been trying to get them decertified ever since.
Anyone within a half mile could have modified every vote, undetected, Epstein said in a blog post. “I got to question a guy by the name of Brit Williams, who’d certified them, and I said, ‘How did you do a penetration test?’” Epstein told the Guardian, “and he said, ‘I don’t know how to do something like that’.”
Reached by phone, Williams, who has since retired, said he did not recall the incident and referred the Guardian to former colleagues at Kennesaw State University who have taken over the certification duties he used to perform for Virginia and other states.
“You could have broken into one of these with a very small amount of technical assistance,” Epstein said. “I could teach you how to do it over the phone. It might require an administrator password, but that’s okay, the password is ‘admin’.”
Bypassing the encrypted WEP wireless system also proved easy. The password turned out to be “ABCDE”, according to the state’s security assessment – and getting the password “would take a few minutes and after that you don’t need any tools at all”, said Epstein.
The commission that stripped the machines of certification also found that the version of Windows operating on each of them had not been updated since at least 2004, that it was possible to “create and execute malicious code” on the WINVote and that “the level of sophistication to execute such an attack is low”.