Thousands of voting machine vendor employees’ work emails and plaintext passwords appear in freely available third-party data breach dumps reviewed by CSO, raising questions about the security of voting machines and the integrity of past election results. While breached sites, like LinkedIn after the 2012 breach, force users to change their passwords, a significant number of people reuse passwords on other platforms, making third-party data breaches a gold mine for criminals and spies. For many years voting machine vendors have claimed that voting machines were air gapped — not connected to the internet — and were thus unhackable. Kim Zetter debunked that idea in The New York Times in February. An attacker who managed to break into a voting machine vendor employee’s work email, because the employee used the same password as on a breached site, could leverage that to gain access to the voting machines themselves. And if voting machine vendors install remote access software on voting machines (factory backdoors that vendor employees use to remotely access the machines for maintenance, troubleshooting or election setup), vendor employees themselves become targets. Hack the vendor, hack the voting machine.
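As an added, defender-side example (not code from the CSO article or from any vendor it describes), the check below takes a constructed breach dump in the common `email:plaintext` format, lists which addresses at a hypothetical vendor domain appear in it, and tests candidate work passwords against the dump by SHA-1 hash prefix, the k-anonymity range scheme public breached-password services use so that the full hash is never disclosed to whoever holds the index. Every address, password and domain in it is made up.

```python
import hashlib
from collections import defaultdict

# Constructed sample dump in the common "email:plaintext" format; all values are made up.
SAMPLE_DUMP = """\
alice@example-vendor.test:Summer2012!
bob@example-vendor.test:hunter2
carol@unrelated.test:correct horse battery
dave@example-vendor.test:a:b:c
not a valid line
"""
CORPORATE_DOMAINS = {"example-vendor.test"}  # hypothetical vendor domain


def parse_dump(text):
    """Parse 'email:password' lines; the password may itself contain ':'.
    Malformed lines are skipped rather than aborting the whole scan."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if "@" not in line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        entries.append((email.strip().lower(), password))
    return entries


def exposed_accounts(entries, domains):
    """Corporate addresses present in the dump: these users need a forced reset."""
    return sorted({e for e, _ in entries if e.rsplit("@", 1)[-1] in domains})


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(entries):
    """Index breached password hashes by 5-hex-char SHA-1 prefix, the
    k-anonymity range scheme used by public breached-password APIs."""
    index = defaultdict(set)
    for _, pw in entries:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def password_is_breached(password, index):
    """True if the candidate (e.g. a newly chosen work password) is in the dump.
    Only the 5-char prefix selects a bucket, so the full hash never leaves the client."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())
```

Run against a real dump, the same two functions give the reset list for the help desk and a reuse check to wire into the password-change flow.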
… “If I were an attacker,” Douglas W. Jones, a professor of computer science at the University of Iowa and an expert on voting machine security, said, “I’d immediately do my best to insinuate myself into their corporate machinery and ferret out the backdoors that they have a record of in their filesystems. I suspect, given the current state of affairs, I could nose around pretty effectively.”
“The threat is real,” he adds, “and should be taken very seriously.”
… Jones is skeptical of voting machine vendors’ ability to defend themselves. “I suspect that they don’t have the tools to identify an attack.”
“By and large, people don’t understand the workings of big data, the idea that something that’s lost in one data breach can be correlated with public information and information from other completely unrelated sources to find new things that ought never to be known,” he added in an email. “They may not get you in particular, but they’ll get a significant fraction of the people in your position across the industry, and they’ll probably get someone who works in your firm.”