Voting Device Manufacturer Encourages Users To Use (And Re-Use) Easily-Guessed Passwords
from the thanks-for-the-tips,-sparky dept
As Election Day 2K18 rolls on, the good news continues to roll in, he said in his most Professor Farnsworth voice. It’s never good news, not if we’re talking voting machine security. Kim Zetter, writing for Motherboard, has obtained a manual for devices made by Unisyn Voting Solutions, which provides horrendous security advice for users of its products.
There are federal guidelines for voting systems. The Elections Assistance Committee makes the following recommendations for passwords:
[E]lection officials are encouraged to change passwords after every election. Passwords should also have the following characteristics: they should be at least six characters, preferably eight, and include at least one uppercase letter, a lowercase letter, at least one number and a symbol. It also says, though, that passwords should be easy to remember so that employees won’t need to write them down, “yet sufficiently vague that they cannot be easily guessed.”
Unisyn has apparently decided minimal security efforts are badly in need of disruption. To begin with, the device manual suggests users should simply use variations of the default password the devices ship with. That password is the company’s name with a “1” appended to the end of it. This easily-guessed admin password should then be immediately replaced with… an easily-guessed password.
Once logged into the system the credentials needed to access the tabulation monitor or the system for creating reports of ballots and vote tallies are different. The username is again a simple word to log in. The password is the same word with “1” appended to it. Users are told that to change the password when prompted, they should simply change the number sequentially to 2, 3, 4, etc.
The Unisyn manual takes the EAC guidelines and throws them out. It then makes a minimal nod towards compliance before throwing everything out a second time. Remember the part about not writing down passwords? The sort of thing no one should do because it defeats the purpose of password security? Here’s Unisyn’s scorching hot take on EAC compliance:
“You will be periodically asked to change your password per EAC regulations,” [the manual] notes. But instead of providing customers with sound instructions for changing passwords—such as creating completely new passwords and not re-using them—the manual instructs them to simply alternate between a system administrator and a root password each time they are prompted to change the password. Space is provided below this instruction for election workers to write down which password they are using at any given time.
If there’s good news, it’s that these machines aren’t in use everywhere. Just 3,500+ jurisdictions in ten states. They’re also fairly insulated from online attacks, since they’re not supposed to be connected to the internet. This means attackers will most likely need physical access to the devices. Good thing these only get touched by non-election personnel every couple of years or so!