As Jeremy Epstein notes on his Freedom to Tinker blog, in great detail:
"If your state's election was held in 2014 using the AVS WinVote touchscreen Direct Recording Electronic (DRE) voting machine, and it wasn't hacked, it was only because no one tried.
The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn't need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know."
After receiving this report on Apr 14 2015, the Virginia State Board of Elections immediately decertified use of the AVS WinVote touchscreen Direct Recording Electronic (DRE) voting machine.
So how did Virginia get to decertification? It seems that in the November 2014 election, voting machines in one precinct were repeatedly crashing, so they invited VITA (the agency charged with providing IT services to the state government) to investigate the problem.
This part of the story caught my attention because the North Carolina 2014 and midterm elections had these same AVS voting machine crash issues reported as well.
I also found it curious that North Carolina just proposed a bill in April 2015 that would delay voting machine upgrades in the state until 2020.
35 counties use direct record electronic voting machines, which create a paper receipt of a voter’s choices.
The idea of the bill is to give those counties more time to save money to purchase new equipment, Blackwell said. The bill delays the purchase of new equipment until 2020. It is up to counties to pay for voting equipment.
State officials have said direct record electronic voting equipment will need to be replaced because the machines are due for decertification in January 2018, here in North Carolina. The decertification is due to a change in state law that will require a paper ballot for all certified voting systems.
How convenient that the decertification won't happen in my state of North Carolina until 2018, two years after the critical 2016 presidential race. Also, it is curious that those changes could end up being delayed to span over our next midterm as well.
So how bad was the machine vulnerability? And how concerned should you be if your state is using these voting machines?
Epstein went on in his blog to point out just how incredibly easy hacking the AVS voting machine is:
1. Take your laptop to a polling place, and sit outside in the parking lot.
2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
3. Connect to the voting machine over WiFi.
4. If asked for a password, the administrator password is “admin” (VITA provided that).
5. Download the Microsoft Access database using Windows Explorer.
6. Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
7. Use Microsoft Access to add, delete, or change any of the votes in the database.
8. Upload the modified copy of the Microsoft Access database back to the voting machine.
9. Wait for the election results to be published.
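The missing piece in the list above is any record that would reveal a changed database afterwards. As an added example (not from Epstein's post or the VITA report), here is a hash chain over the stored vote rows whose final value is kept off the machine; the row format, the names and the paper-witnessed head are assumptions made for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # constructed start value for the chain


def link(prev: bytes, record: str) -> bytes:
    """Bind one record to everything recorded before it."""
    return hashlib.sha256(prev + record.encode("utf-8")).digest()


def chain_head(records) -> bytes:
    """Fold the records, in order, into a single 32-byte head."""
    head = GENESIS
    for rec in records:
        head = link(head, rec)
    return head


def verify(records, witnessed_head: bytes) -> bool:
    """Check stored records against the head written down at poll close."""
    return hmac.compare_digest(chain_head(records), witnessed_head)


# Constructed sample rows standing in for the machine's vote table.
BALLOTS = [
    "seq=1|contest=mayor|choice=A",
    "seq=2|contest=mayor|choice=B",
    "seq=3|contest=mayor|choice=A",
    "seq=4|contest=mayor|choice=B",
]


def demo() -> dict:
    # Assumption: this head leaves the machine at poll close (printed and
    # signed by poll workers), so editing the database cannot rewrite it.
    witnessed = chain_head(BALLOTS)
    changed = BALLOTS[:1] + ["seq=2|contest=mayor|choice=A"] + BALLOTS[2:]
    deleted = BALLOTS[:3]
    added = BALLOTS + ["seq=5|contest=mayor|choice=A"]
    return {
        "untouched": verify(BALLOTS, witnessed),
        "changed": verify(changed, witnessed),
        "deleted": verify(deleted, witnessed),
        "added": verify(added, witnessed),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} {'matches' if ok else 'MISMATCH'}")
```

A head stored in the same database would be no protection, since anyone able to rewrite the rows could recompute it; the check only means something when the witnessed value lives on paper or on a separate system.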
Having worked in the computer industry for the last thirty years, this report took my breath away. A teen script kiddie with a smart-phone could hack these machines and throw the entire election process into chaos.
In light of the Virginia report, if your state is using these machines, I would recommend that you begin demanding a 2016 paper ballot vote right now. I believe this because, if a state used these flawed machines in the 2016 presidential election, there will be no way that they can guarantee the integrity of the vote count.
Some of the hard-wired simple passwords were published in the articles linked above, just to make sure that the hacking was fair and non-partisan in the 2016 elections ;)