Thousands of voting machine vendor employees' work emails and plaintext passwords appear in freely available third-party data breach dumps reviewed by CSO, raising questions about the security of voting machines and the integrity of past election results.
While breached sites, like LinkedIn after the 2012 breach, force users to change their passwords, a significant number of people reuse passwords on other platforms, making third-party data breaches a gold mine for criminals and spies.
For many years voting machine vendors have claimed that voting machines were air gapped — not connected to the internet — and were thus unhackable. Kim Zetter debunked that idea in The New York Times in February.
An attacker who managed to break into a voting machine vendor employee's work email, because the employee used the same password as on a breached site, could leverage that to gain access to the voting machines themselves. And if voting machine vendors install remote access software on voting machines, factory backdoors that vendor employees use to remotely access the machines for maintenance, troubleshooting or election setup purposes, this turns voting machine vendor employees into targets.
Hack the vendor, hack the voting machine.
"The threat is real"
Third-party data breach credentials are likely "very useful" to an attacker, Maurice Turner, senior technologist at the Center for Democracy and Technology in Washington, told CSO. "The likelihood of every user whose information in that third-party data breach changing their password is zero," he said. "Some people are going to keep their passwords no matter what, or some iteration of that password."
Password reuse is also common within organizations. Penetration testers, hired to hack an organization to test its security, frequently report that IT admins reuse passwords across the enterprise. Hack the weakest link, and you own the network.
"If I were an attacker," Douglas W. Jones, a professor of computer science at the University of Iowa and an expert on voting machine security, said, "I'd immediately do my best to insinuate myself into their corporate machinery and ferret out the backdoors that they have a record of in their filesystems. I suspect, given the current state of affairs, I could nose around pretty effectively."
"The threat is real," he adds, "and should be taken very seriously."
Nor is the threat limited to hijacking factory backdoors to hack voting machines. Breaking into someone's email account provides a wealth of information about their contacts, how they talk, their life. This makes genuine-looking spearphishing campaigns possible, with potentially devastating results.
"Someone could quite easily pose as a legitimate agent of the vendor and contact the jurisdiction and conduct a phishing campaign against them, try to get them to install unauthorized patches, etc.," Turner says.
For his part, Jones is skeptical of voting machine vendors' ability to defend themselves. "I suspect that they don't have the tools to identify an attack."
"By and large, people don't understand the workings of big data, the idea that something that's lost in one data breach can be correlated with public information and information from other completely unrelated sources to find new things that ought never to be known," he added in an email. "They may not get you in particular, but they'll get a significant fraction of the people in your position across the industry, and they'll probably get someone who works in your firm."
The vendors respond
The other four are ES&S, Dominion Voting, MicroVote and Unisyn Voting Solutions. ES&S has the most credential pairs exposed (more than one hundred). The rest range from a handful to several dozen.
The breached credentials include key members of management, engineering, and operations teams for these companies. One case of password reuse over the last ten years would have been enough for an attacker to gain a foothold in a voting machine vendor's network and potentially compromise the integrity of voting machines — and election results.
CSO shared copies of the third-party breach credentials, including work emails and passwords, via encrypted channels with ES&S, Dominion Voting and MicroVote.
ES&S and Dominion Voting both told CSO that the data didn't come from their systems and was likely from third-party breaches. "In recognition of these breaches and as part of our own security protocols," ES&S wrote in an email statement, "we require our associates to regularly reset end-user passwords. Finally, it is important to note that none of the passwords contained in the text file meet our password requirements."
Dominion Voting said much the same, writing in an email, "The data appears to be related to a third-party breach from some time ago that was not a company-managed system or platform. No Dominion system was compromised as a result. However, as a precaution, we regularly require our employees to change their email-related passwords and take other steps as part of a mandated policy for company-related email security."
MicroVote's director of software development, Bernie Hirsch, also responded by email "I've taken a look at the data," he wrote. "[I] wanted to validate what you sent. Two of the records were valid and the rest were not, but the information appears to be three or four years old."
CSO asked if "valid" means valid for current employees. "No," Hirsch says, "the passwords are not valid for any of the listed employees."
"The user names and passwords were for our third-party email system and not tied to our corporate or development networks, and had no impact on our election systems or any votes cast," he added.
CSO reached out to Unisyn Voting Solutions, but we were unable to set up a secure channel to share the exposed credentials and the company did not respond to requests for comment.
Voting machine test labs Pro V&V and SLI Compliance also appear in the third-party breaches, but did not respond to requests for comment.
The risk of remote access
At least two of these companies offered remote access options: ES&S and Dominion Voting.
Voting machine vendor ES&S offered a remote access option in 2006 and in 2011, according to The New York Times.
Following the reporting in The Times, Senator Ron Wyden criticized ES&S, writing in a press release, "Allowing remote access significantly weakens the security of voting machines, and could be exploited by hackers to sabotage machines or interfere with vote tallies."
In a statement to The New York Times, ES&S said, "None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software."
ES&S offered remote access to voting equipment as recently as last year, according to this ten-year contract between ES&S and the state of Michigan — with a start date of March 1, 2017. The contract offers election officials the choice of an on-site technician at $1,575/day or a "remote access" option at "$250 per election set-up."
In an email to CSO, the company explained that "The section of the Michigan contract...refers to remote access software that is used in conjunction with ballot on demand printers – NOT vote tabulation products. ...The use of BOD Printers is the equivalent of jurisdictions sending ballot files directly to a local print shop to produce blank ballots. A BOD printer simply prints these ballots “on demand,” rather than requiring an election jurisdiction to wait for the ballots to be produced and shipped by a print shop. BOD printers are NOT part of the end to end certified voting system configuration and are never connected to or have any communication with a certified voting system."
Attacking BOD printers could result in a denial of service attack that would interfere with the smooth running of an election, but would not in itself enable an attacker to modify vote totals — if, that is, the BOD printing system is indeed not connected to any other parts of their voting system.
"You could mess with an election by forcing selective ballot printing failures or deliberate misprints," Jones wrote in an email. "This doesn't sound like a subtle attack, it would be likely to be noticed, and the paper ballots would be evidence. So an outside hacker attacking this system would create chaos, but you'd only be able to do it once."
According to this 2013 report for the Florida Department of State recommending use of Dominion's products, Dominion's Democracy Suite voting system included "an optional remote access service (RAS)". [CORRECTION: This article has been updated due to a reporting error. Dominion notes that the RAS feature does not have anything to do with providing access for a Dominion technician to remotely access a voting machine for maintenance, troubleshooting, or setup purposes.]
When asked about the Florida test report, Dominion wrote in an email statement, "Dominion does not remote into any Florida customer site, nor is this a method by which we provide customer service." In a follow-up conversation, Dominion further clarified that the company “has never offered or utilized remote access capabilities from a company technician to voting equipment.”
In an earlier email statement Dominion noted that “The EAC’s Voluntary Voting System Guidelines (VVSG) do not allow for voting systems to be tested or approved if they utilize remote access software.”
The EAC did not respond to CSO's requests for clarification.
Backdoors in voting machines are a bad idea
The same principle is at stake here as in the debate over encryption backdoors. The FBI wants to catch criminals, sure, but backdoors will always be discovered, and they will always be misused by malicious actors, given enough time and effort. This is a fundamental principle of cybersecurity.
Nation-state adversaries have the time, effort and resources to target voting machine vendors in order to gain access to voting machines and affect vote counts, or otherwise disrupt an election. If voting machine vendors offer remote access software, that turns the voting machine vendors themselves into targets. Third-party breach data make attacks on those vendors all the easier.