An 11-year-old voting scanner flaw is still unaddressed




An unpatched security flaw in a vote-counting machine used in 23 US states leaves it vulnerable to hacking 11 years after the manufacturer was alerted, security researchers say.

The M650 high-speed scanner is manufactured by Election Systems & Software, the country's leading provider of election equipment. The vulnerability was the most serious voting-equipment flaw in a report released Thursday that summarized the findings of security researchers at the September DefCon hacking convention in Las Vegas.

"That counts the ballots for an entire county," said Jake Braun, one of the organizers and a cybersecurity expert at the University of Chicago. If it's successfully hacked by someone who wants to change the total votes in a burgeoning county, "it could tip the electoral college," he said.

"An infected disk can support the entire electoral system," said Harri Hursti, another organizer of the "voting village" and a researcher who had detected the flaw in a report published in 2007 for the Ohio secretary of state.

Braun said it is both surprising and reflective of the state of the country's voting equipment industry that ES&S has continued to support and service the M650, and that many election officials have not removed it.

Cybersecurity experts have long complained that the country's antiquated electoral infrastructure is very vulnerable to forgery, now a critical concern given Russia's documented attempts to influence the presidential election. These activities included polling electoral systems in at least 21 states, hacking the Illinois voter registration database, and attempts to hack an electronic voting book manufacturer in Florida.

In September, a report by the National Academy of Sciences called for essential reforms by 2020, including sustained federal funding, as elections are administered by states and security is generally inadequate. Other recommendations include the removal of electronic devices without a "human-readable" paper trail and the requirement for reliable post-election audits. The GOP leadership in Congress has recently stalled efforts to enact electoral reform legislation.

The M650 scans paper ballots; it can handle more than 300 per minute. ES&S said in a statement Thursday that it had stopped manufacturing the machines in 2008, but that 270 of them are currently in use. It said the machine had "solid and proven experience when used in a real electoral environment with appropriate physical controls", even though it has been replaced by more secure models.

"We believe that the security protections on the M650 are strong enough to make piracy extremely difficult in a real and therefore safe and secure environment during elections," the company said.

Appropriate physical controls would prevent unauthorized third parties from gaining access to the machines and introducing a vote-counting virus. Hursti, however, said he spoke to election officials who program the M650 with removable Zip drive disks that could transmit malware. It is also possible to infect the machine via an integrated network port.

ES&S did not answer The Associated Press's question about why it had not fixed the Zip drive vulnerability when it had known about it for over a decade. It also did not say whether it was still selling the M650, which appeared among the product offerings on its website as recently as last month.

The DefCon voting village, now in its second year, brought together more than 100 election officials from across the country. Senior officials from the National Security Agency and the Department of Homeland Security have endorsed its organizers' assertion that the best way to secure election materials is to allow friendly hackers to attack it.

ES&S did not agree. It complained in an August 24 letter to a group of US senators that "exposing technology in this type of environment makes elections easier and less difficult, and we suspect our opponents are very attentive".

Voting village organizers obtained more than 30 pieces of voting equipment and other machines for security testing, but were severely limited in their tests, mainly because the suppliers refused to make proprietary equipment available. The researchers have not tested any election management or voter registration systems.
