Voting Machine Manual Instructed Election Officials to Use Weak Passwords
A vendor manual for voting machines used in about ten states shows the vendor instructed customers to use trivial, easy-to-crack passwords and to re-use the passwords when changing log-in credentials.
States and counties have had two years since the 2016 presidential election to educate themselves about security best practices and to fix security vulnerabilities in their election systems and processes. But despite widespread concerns about election interference from state-sponsored hackers in Russia and elsewhere, apparently not everyone received the memo about security, or read it.
An election security expert who has done risk-assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor's tabulation system. The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor’s name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases—alternating between two of them—and in other cases to simply change a number appended to the end of some passwords to change them.
Harri Hursti, founder of Nordic Innovation Labs and a longtime election security expert, told me he and his colleagues were conducting a risk-assessment in a county when they found the binder containing loose-leaf pages in an election office.
The vendor, California-based Unisyn Voting Solutions, makes an optical-scan system called OpenElect Voting System for use in both precincts and central election offices. The passwords in the manual appear to be for the OpenElect Central Suite, the backend election-management system used to create election definition files for each voting machine before every election—the files that tell the machine how to apportion votes based on the marks voters make on a ballot. The suite also tabulates votes collected from all of a county’s Unisyn optical scan systems. The credentials listed in the manual include usernames and passwords for the initial log-in to the system as well as credentials to log into the client software used to tabulate and store official election results.
The county uses a third-party vendor to help with some of its election-management work, and Hursti initially thought the binder and advice to elections staff might have come from the third-party vendor; but when he discovered a binder with the same information being used by an election office in a different state where the third-party vendor does not assist with elections, he concluded that it came from the voting machine vendor. Motherboard could not verify who created the document. Hursti said an employee with the third-party company told him the passwords are simple ones that get re-used so that he and his colleagues don't have to contact the elections office to obtain the password every time they need to access the system.
Unisyn did not respond to requests for comment.
Guidelines issued by the federal Election Assistance Commission call for passwords to election systems to be changed periodically, and the EAC's Voluntary Voting System Guidelines state that voting machine vendors "shall provide a description of recommended policies for effective password management" to customers.
The manual does address this: "You will be periodically asked to change your password per EAC regulations," it notes. But instead of providing customers with sound instructions for changing passwords—such as creating completely new passwords and not re-using them—the manual instructs them to simply alternate between a system administrator and a root password each time they are prompted to change the password. Space is provided below this instruction for election workers to write down which password they are using at any given time.
"So [the manual] recognizes the federal rule," Hursti said, "and then it gives an instruction to circumvent the federal rule. So they are specifically making sure that [customers] understand the password has to be changed" but then provide them with bad security advice for changing it.
According to guidelines from the EAC, election officials are encouraged to change passwords after every election. Passwords should also have the following characteristics: they should be at least six characters, preferably eight, and include at least one uppercase letter, a lowercase letter, at least one number and a symbol. It also says, though, that passwords should be easy to remember so that employees won't need to write them down, "yet sufficiently vague that they cannot be easily guessed."
The manual indicates that the username to log into the election-management system is "administrator," and the sysadmin password is a simple string of five letters with a number appended to it. The root password is the company's name with the same number appended to it.
Once logged into the system, the credentials needed to access the tabulation monitor or the system for creating reports of ballots and vote tallies are different. The username is again a simple word to log in. The password is the same word with "1" appended to it. Users are told that to change the password when prompted, they should simply change the number sequentially to 2, 3, 4, etc.
The username for logging into the critical tabulator client where votes are tallied and stored is "supervisor." According to the manual, the password is "election specific"—meaning officials create a different password for the tabulator client for each election. Given how simple other passwords for the system are, it's not likely this election-specific password is more sophisticated, however.
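The composition rule quoted from the EAC guidance accepts the rotation habits the manual prescribes, so a password-change check also needs history and similarity tests. The sketch below is an added example, not part of the original article or any vendor's software; the vendor name `acmevote`, the sample passwords and the function names are constructed for illustration.

```python
import re

# Constructed values for illustration; none come from the manual.
KNOWN_WORDS = {"acmevote", "administrator", "supervisor"}  # hypothetical vendor name + account names

def complexity_ok(pw, min_len=8):
    """Composition rule as the article quotes it: upper case, lower case,
    a digit and a symbol, at the preferred minimum length of eight."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

def base_form(pw):
    """Lower-case and drop trailing digits/symbols, so 'Word#1' and
    'Word#2' reduce to the same base."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def check_change(new_pw, history):
    """Return reasons to reject new_pw; an empty list means accepted.
    history is plaintext here only to keep the example short."""
    reasons = []
    if not complexity_ok(new_pw):
        reasons.append("complexity")
    if new_pw in history:
        reasons.append("reused")            # alternating between two passwords
    elif base_form(new_pw) in {base_form(h) for h in history}:
        reasons.append("incremented")       # only the appended number changed
    if any(w in new_pw.lower() for w in KNOWN_WORDS):
        reasons.append("contains-known-word")  # vendor or account name
    return reasons

if __name__ == "__main__":
    history = ["Tally#Count1", "Acmevote#1"]   # constructed sample history
    for candidate in ("Acmevote#1", "Tally#Count2", "Acmevote#2",
                      "river-Copper-41-lamp"):
        print(candidate, complexity_ok(candidate), check_change(candidate, history))
```

Every candidate in the sample run passes `complexity_ok`, yet only the last one survives `check_change`.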
Unisyn systems are used in 3,629 election jurisdictions in ten states and Puerto Rico, according to Verified Voting, a nonprofit election integrity group that tracks election equipment state by state, though the company's own web site shows it operating in 12 states. Per Verified Voting, four of the ten states that organization identifies—Arizona, Indiana, Kansas and Tennessee—use the company's system in three counties or fewer; but one state, Iowa, uses them in 58 counties, which amounts to half of the state's counties. Kansas and Virginia use the company's system in about 20 jurisdictions. Puerto Rico uses the system across all of its jurisdictions.
"So this is not insignificant [in its reach]," Hursti told Motherboard.
Although election-management systems should not be connected to the internet and should be only accessible by someone with physical access to the system, Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, said the re-use of simple passwords in multiple jurisdictions means that someone could coordinate an attack across jurisdictions.
"We really need to pay much more attention to insider threats and this is very clear inattention to insider threat," Hall told Motherboard. "If those two passwords are commonly alternated in all of the Unisyn systems, that means anyone with this bit of knowledge of the Unisyn system will know how to direct an insider attack in another jurisdiction. We talk a lot about the diversity of our election systems being a strength, but things like this reduce that diversity so you just need a few facts about a system to have all you need to change a system in [multiple jurisdictions]."