Pair of $100 surplus voting machines bought on eBay contained data on voters

phands

Unbelievable in this day and age. Disk erase/destruction is mandatory in any company I've worked at this century.

In 2016, I bought two voting machines online for less than $100 apiece. I didn't even have to search the dark web. I found them on eBay.
Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.

If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still.
The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped.
The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, was not encrypted.
Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.


My aim in purchasing voting machines was not to undermine our democracy. I'm a security researcher at Symantec who started buying the machines as part of an ongoing effort to identify their vulnerabilities and strengthen election security.
In 2016, I was conducting preliminary research for our annual CyberWar Games, a company-wide competition where I design simulations for our employees to hack into. Since it was an election year, I decided to create a scenario incorporating the components of a modern election system. But if I were a malicious actor seeking to disrupt an election, this would be akin to a bank selling its old vault to an aspiring burglar.


I reverse-engineered the machines to understand how they could be manipulated. After removing the internal hard drive, I was able to access the file structure and operating system.
Since the machines were not wiped after they were used in the 2012 presidential election, I got a great deal of insight into how the machines store the votes that were cast on them.
Within hours, I was able to change the candidates' names to be that of anyone I wanted. When the machine printed out the official record for the votes that were cast, it showed that the candidate's name I invented had received the most votes on that particular machine.

My bold.

I'm shocked that this isn't a huge scandal.

https://www.wired.com/story/i-bought-used-voting-machines-on-ebay/
 
Good article. While this is a risk to direct physical attack on these machines, no such attack in the wild has ever occurred, nor does anything here imply the possibility. It is the same deal as getting a slot machine from a casino and figuring out that if you remove the hard drive you can manipulate how it works. OK... good luck taking a hard drive out of a slot machine in the middle of a casino... likewise... good luck mucking with a voting machine in the middle of your town hall with hundreds of people all around you.

A bigger risk is with the vendors and suppliers of the manufacturers of these voting machines. If they can be manipulated in the factory, or at a component's supplier's factory, and then placed into service, that is where there might be risk of knowing how to manipulate them.

This was core to the plot of one of the Ocean's movies (Ocean's 12, maybe?), where they needed loaded dice in the casino they were robbing. They had to mess with the plastic the dice maker used and keep track of the lot number to make sure they went where they needed them to be.
 
But it does demonstrate that the state government either doesn't understand or doesn't care about the security of its voting data.
 
More importantly, I think, it demonstrates that once the polls close, the machines are taken in and the votes are counted, it is very easy to change the results. There is no paper trail or any kind of audit process except in a few states.
 