Hackers find voting machines as secure as a car with the key in the ignition

One machine from Tennessee was sold on eBay with 60,000 registration records

Hackers have a reputation for being super-smart, dedicated technoids who will stop at nothing to break through even the strongest cyberdefense to make off with vital information or throw a virtual wrench into the works.

But the truth is, it often doesn't take much effort at all. Case in point: the DefCon hacking conference in Las Vegas. Over the weekend, hackers set out to find and exploit vulnerabilities in five different kinds of voting machines.

Among the initial findings: one of the machines still had 600,000 voter registration records from Shelby County, Tennessee. The machine had been sold on eBay by Shelby County officials at some point, apparently with no one thinking it might be a good idea to scrub it first. 

Cybersecurity blogger Kevin Collier tsk-tsked about it on his blog and readers responded with comments along the lines of "That's messed up." No one seemed very surprised though. Similar dumbness happens daily in both the governmental and private sectors. 

Asleep at the switch

PhotoOnce the shock of the "dirty" machines wore off, the hackers set to work and quickly discovered more subtle vulnerabilities, the first within a mere 90 minutes.

“The first ones were discovered within an hour and 30 minutes. And none of these vulnerabilities has ever been found before, they’re all new,” said Harri Hursti, co- coordinator of the event, USA Today reported

The goal of the hacking fiesta was to alert computer security experts and government officials to the potential weaknesses of the machines used in U.S. elections. 

“This software just isn’t up to modern standards. It’s not even as strongly protected as a PC,” Brandon Pfeifer, a security expert who works on embedded aviation systems in Kansas City, told USA Today.

Like the Shelby County machine, most of the specimens were obtained through eBay, where they had been offered for sale by local governments.

Dumped as scrap

While there were no known instances of other machines containing voter registration records, the security in evidence was slim. One machine, the WinVote model, came equipped with "abcde" as its password, according to CNET. The WinVote was used in Virginia through 2015 until the state finally dumped them as scrap metal. Other states including Pennsylvania and Mississippi also used them until recently.

What it all means is that all the hubbub about Russian interference in the most recent election, hanging shads in the Bush-Gore race, personal email servers and so forth, the most basic rules of computer security are routinely ignored by the public employees who are paid to know and heed those rules. 

Maybe more geeks need to run for public office?

Take an Identity Theft Quiz. Get matched with an Authorized Partner.