Voting Machines Decertified for Severe Hacking Risks
AVS WinVote machines, which were used in at least three presidential elections since 2002 in several states, have been decertified in Virginia after an investigation found them to be easily hackable because they used simple default passwords like “abcde” and “admin.”
“The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can,” said Jeremy Epstein of the nonprofit research group SRI International.
“Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.”
Epstein served on a Virginia state legislative commission investigating the voting machines in 2008, and has been trying to get them decertified ever since the commission uncovered extremely lax security in the devices.
The AVS WinVote is basically just a Windows XP Embedded laptop with a touchscreen; early versions of the software ran Windows 2000, while later versions ran a simplified version of the operating system.
Epstein said the WinVote system was certified as meeting the Voting Systems Standards (VSS) of 2002, and subsequently approved for use in Virginia, Pennsylvania, and Mississippi.
“It was decertified a few years ago in Pennsylvania, and Mississippi also stopped using theirs a few years ago after some malfunction that I can’t recall in Hinds County,” Epstein said.
“A later version of the software was submitted for certification to the Election Assistance Commission, but never approved. I don’t know if that version solved any of the problems described here.”
During the November 2014 election, the machines in one precinct repeatedly crashed, and it was suspected that the problems were due to interference from someone trying to download music using their iPhone while in the vicinity of the device, but that was never confirmed.
The Virginia Information Technology Agency (VITA), the agency that provides IT services to the state government, investigated the problem and released a report which identified a variety of problems.
“I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me – as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse,” Epstein said. “And the WinVote system was so fragile that it hardly took any effort.”