States and counties have had two years since the 2016 presidential election to educate themselves about security best practices and to fix security vulnerabilities in their election systems and processes. But despite widespread concerns about election interference from state-sponsored hackers in Russia and elsewhere, apparently not everyone received the memo about security, or read it.

An election security expert who has done risk-assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor’s tabulation system. The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor’s name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases—alternating between two of them—and in other cases to simply change a number appended to the end of some passwords to change them.

Harri Hursti, founder of Nordic Innovation Labs and a longtime election security expert, told me he and his colleagues were conducting a risk-assessment in a county when they found the binder containing loose-leaf pages in an election office.

The vendor, California-based Unisyn Voting Solutions, makes an optical-scan system called OpenElect Voting System for use in both precincts and central election offices. The passwords in the manual appear to be for the Open Elect Central Suite, the backend election-management system used to create election definition files for each voting machine before every election—the files that tell the machine how to apportion votes based on the marks voters make on a ballot. The suite also tabulates votes collected from all of a county’s Unisyn optical scan systems. The credentials listed in the manual include usernames and passwords for the initial log-in to the system as well as credentials to log into the client software used to tabulate and store official election results.

The county uses a third-party vendor to help with some of its election-management work, and Hursti initially thought the binder and advice to elections staff might have come from the third-party vendor; but when he discovered a binder with the same information being used by an election office in a different state where the third-party vendor does not assist with elections, he concluded that it came from the voting machine vendor. Motherboard could not verify who created the document. Hursti said an employee with the third-party company told him the passwords are simple ones that get re-used so that he and his colleagues don’t have to contact the elections office to obtain the password every time they need to access the system.

Unisyn did not respond to requests for comment.

Guidelines issued by the federal Election Assistance Commission call for passwords to election systems to be changed periodically, and the EAC's Voluntary Voting System Guidelines state that voting machine vendors "shall provide a description of recommended policies for effective password management" to customers.

The manual does address this: “You will be periodically asked to change your password per EAC regulations,” it notes. But instead of providing customers with sound instructions for changing passwords—such as creating completely new passwords and not re-using them—the manual instructs them to simply alternate between a system administrator and a root password each time they are prompted to change the password. Space is provided below this instruction for election workers to write down which password they are using at any given time.
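As an added illustration (not code from the article, Unisyn, or the EAC), the check below is what a password-change policy that actually satisfies the periodic-change rule would have to reject: the practices the manual describes, namely re-using a previous password, alternating between two of them, and "changing" a password by bumping a number appended to it, plus any password built from the vendor's name. The vendor name and the history depth are assumed placeholder values.

```python
import re

# Placeholder for the vendor's name; the article says one password was
# composed from it, so a sound policy rejects any password containing it.
VENDOR_NAME = "examplevendor"

# Assumed number of previous passwords a new one must differ from. Any depth
# of two or more already defeats alternating between two fixed passwords.
HISTORY_DEPTH = 10

_TRAILING_DIGITS = re.compile(r"\d+$")


def _stem(password: str) -> str:
    """Lower-cased password with trailing digits stripped.

    "Tabulate7" and "Tabulate8" both reduce to "tabulate", so swapping the
    appended number is not accepted as a genuine change.
    """
    return _TRAILING_DIGITS.sub("", password).lower()


def check_password_change(new_password: str, history: list[str],
                          vendor_name: str = VENDOR_NAME) -> list[str]:
    """Return the policy violations for a proposed change (empty = accepted).

    history holds the account's previous passwords, oldest first; only the
    most recent HISTORY_DEPTH entries are compared.
    """
    problems = []
    recent = history[-HISTORY_DEPTH:]
    if new_password in recent:
        problems.append("re-uses a previous password")
    elif any(_stem(new_password) == _stem(old) for old in recent):
        problems.append("differs from a previous password only by trailing digits")
    if vendor_name.lower() in new_password.lower():
        problems.append("derived from the vendor name")
    return problems


if __name__ == "__main__":
    # Constructed history: an administrator who alternates two passwords.
    past = ["Admin2018", "Root2018", "Admin2018", "Root2018"]
    for candidate in ["Admin2018", "Root2019", "ExampleVendor!", "Orchard-Lantern-Quiet"]:
        print(candidate, "->", check_password_change(candidate, past) or "accepted")
```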

“So [the manual] recognizes the federal rule,” Hursti said, “and then it gives an instruction to circumvent the federal rule. So they are specifically making sure that [customers] understand the password has to be changed” but then provide them with bad security advice for changing it.

Read the complete article at motherboard.com

Kim Zetter is a cybersecurity contributor for Motherboard.