Did you know 650,000 (yes 650 thousand) US Citizens in Memphis, Tennessee voted and provided their personal information with the hope that their personal information is in safe hands. They had no idea their info would eventually be picked apart at one of the hacker’s conference at Caesars Palace, LA
Per FBI Director James Comey, the forte of US voting system is “Clunky”. Every US district and state has a choice to setup paper or electronic machines for their voting process. There are over a dozen different voting machines manufacturer providing the voting machines to electoral districts. The chunkiness’ might help prevent large scale voter hacking but it provides more opportunities for hackers to access polling user data.
All the storage drives must be destroyed on decommission voting equipment prior to auctioning them to public.
But hackers given access to an ExpressPoll-5000 electronic poll book, the kind of device used to log voters on Election Day have discovered the personal records of 654,517 individuals who voted in Shelby County, Tennessee.
It is unclear how much of the personal information wasn’t yet public. Some of the records, viewed by Gizmodo at the Voting Village, a collection of real, used voting machines that anyone could tinker with at the DEF CON hacker conference in Las Vegas, include not just name, address, and birthday, but also political party, whether they voted absentee, and whether they were asked to provide identification.
Election Systems and Software also known as ES&S, which makes the ExpressPoll-5000, is one of the most popular Epoll book manufacturers in the United State, said Barbara Simons, who sits on the board of Verified Voting, a nonpartisan research group that advocates for voting machine security. There is no formal auditing process for how many of the machines are properly wiped, and thus no way to estimate how many machines have been sold that inadvertently contain voter records.
But the fact that only a handful of such machines were made available at DEF CON and one of them had personal records that were so easily available does not inspire confidence, said Matt Blaze, a renowned security researcher who has authored several studies on voting machine security and who helped organize the village.
“How many other of these machines that also have data left on them have been sold to who knows who? There’s no way of knowing,” Blaze told Gizmodo.
After being sold at government auction, many machines are later resold, often for a few hundred dollars. Harri Hursti, a voting machine expert who famously found a critical flaw in Diebold voting systems, helped coordinate the machines’ purchase for the conference by scouring eBay. The one seller he visited in person before buying had filled an entire warehouse with voting machines bought at auction, he said.
Anyone with access to such a device, whether on Election Day or while playing with an ExpressPoll-5000 at home would need only moderate computer-skills to check for those records. They are stored on a removable memory card. Anyone who pulls out the drive and reads the memory card with their computer will be able to access the drive’s contents, including the giant database of personal records, if it has not been wiped properly.
Josh Palmer, the security researcher who first discovered the database, said that once he held the memory card and a reader that connected to his laptop, it was simply a matter of finding and loading the giant file.
“It’s just on the drive,” Palmer said. “There was no password on it.” ES&S “could have encrypted it,” to at least give a baseline protection for voters, Palmer said. “They chose not to encrypt it.”
ES&S (Election Systems and Software ) didn’t respond to requests for comment.
Soon after Palmer’s discovery, the conference confiscated the card to protect the voters included in the database. “We’re notifying the county and letting them know of a potential data breach,” Blaze said.
A public relations consultant who represents Shelby County Elections Commission, Suzanne Thompson Cozza, said that the commission is “aware of the allegations about the happenings at DEF CON, and we are currently looking into it,” but declined to elaborate.
The privacy breach, however, is n0t the full extent of problems with the ExpressPoll-5000. Even though the device doesn’t tally actual vote results, and instead simply registers voters at a polling place, a compromised machine’s lack of security could be used to disenfranchise tens or hundreds of thousands of voters on voting day.
If someone were to covertly access the memory card before the election, they could mark some or all users as having already voted absentee, preventing them from casting their actual vote. “I could write a script to do that in seconds,” Palmer said.
Electronic poll books are often simply given to election officials for safekeeping. There’s no comprehensive look at how effectively those officials keep their machines, but some store them at home, and it’s clear that they’re not always kept secure. In April, before the runoff vote in Georgia’s special congressional election, a thief stole four Epoll books from the pickup truck of a poll manager while he shopped for groceries.
Source / Credit: Gizmodo