❝ To prove their claim the machine was vulnerable to real-world hacks, the auditors were able to use the remote desktop protocol to gain remote access to the voting machines. They also used readily available hacking and diagnostic software to map, access, and transfer data from default shared network locations including C$, D$, ADMIN$, and IPC$. After downloading the database that stores the results of each vote, the auditors required just 10 seconds to figure out its password was "shoup" (named after the company name that preceded Advanced Voting Solutions). The auditors were then able to copy the database, modify its contents to tamper with recorded votes, and copy it back to the voting machine.
It's hard to find plain words that convey just how bad the security of this machine is. It's even harder to fathom so many critical defects resided in a line of machines that has played a crucial role in the US' democratic system for so many years. Jeremy Epstein, a security expert specializing in e-voting, summarized the threat brilliantly in a post published Wednesday morning to the Freedom to Tinker blog. He wrote:
As one of my colleagues taught me, BLUF—Bottom Line Up Front. If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place—within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know. ❞