Sometimes hackers go much further than trying to steal financial or business information; this is one of those cases. The Virginia Information Technologies Agency (VITA) is talking to the board of elections and asking that it immediately stop using its electronic voting devices. An examination revealed that the system lacks strong credentials and encryption.
The good news is that the Board and Department took immediate action to address the security concerns in Virginia’s electoral system. The machines in question, which have been in use since 2002, have been decertified.
Vulnerabilities in the System
According to the report, the level of sophistication needed to carry out attacks on the WINVote election systems was alarmingly low. Basically, any mildly knowledgeable hacker could have executed an attack. A hacker wouldn’t even have needed to be in the polling place – attacks could have been carried out from great distances.
The worst part? There are no logs at all keeping track of the systems, meaning if they were hacked during an election, we’d never know.
Beyond easily breakable encryption and weak passwords, the machines were also discovered to have security deficiencies in physical controls, operating system controls, network access and even the vote tallying process. Once again, all of this means it would have been incredibly easy to rig past elections, and we would never have had a clue about it.
VITA claims Windows support for the systems runs until January 12, 2016. Microsoft has validated this claim. Either way, the machines have gone without security updates for a minimum of 11 years.
When VITA conducted tests, they were able to remotely modify the results of a mock election. Wi-Fi and direct access through the machine’s USB ports were also explored.