Leaked voting machine passwords add to North Carolina's growing tally of election security concerns
When it comes to election irregularities, North Carolina is the new Florida.
First there was the mini-disaster on Election Day 2016, in North Carolina’s bluest county by far, Durham. E-pollbook computers, used by poll workers to check voters’ status as they arrive at the polls, mysteriously malfunctioned in five Durham precincts, wrongly indicating either that voters had already voted or that they were not registered. The story gained national attention when The Intercept later broke news of top-secret NSA documents suggesting that the e-pollbooks’ vendor, Florida’s VR Systems, had been hacked by Russian military operatives earlier that year. The story grew shadier still, early last week, with Politico’s revelation that just days before the election VR Systems technicians used remote-access software to log into Durham County election computers, potentially opening a digital barn door wide enough for a herd of those same Russian hackers to gallop into the county’s election system.
Then, of course, there’s the now famed story of Republican-funded election fraud (absentee ballot harvesting) in the state’s 9th Congressional district in 2018, requiring a costly do-over election to be held later this summer.
Now comes the state’s latest in a dizzying series of electoral embarrassments. Yesterday cybersecurity investigator Chris Vickery revealed on Twitter his discovery of an unsecured (that is, publicly accessible) online file in an Amazon Web Services S3 bucket belonging to the North Carolina State Board of Elections, containing what seemed to be election-related administrative passwords.
Putting this out there because it is now a matter of undeniable public interest as well as relevant to the recently… https://t.co/5M8zX6XtV7 — Chris Vickery
Redacted screenshot from the North Carolina publicly accessible data exposure. (which was discovered prior to 2018… https://t.co/tXxeGuYKUl — Chris Vickery
Curious to understand exactly what these passwords granted access to, my own team at EQV Analytics did a bit of quick sleuthing yesterday and soon found another NC State Board of Elections document — also publicly available on the internet — citing several of these same distinctively named passwords (Service Menu Password, Override Password, and Election Central Menu Password) and providing election supervisors with detailed instructions on how to use them to test, clear, and reset the ES&S iVotronic touchscreen voting machine:
[Image: Snippet from the NC State Board of Elections document, NC Elections Uniformity Project Report. Chapter 1: Voting Equipment Testing]
The ES&S iVotronic is a popular touchscreen voting machine currently used in 24 of North Carolina’s 100 counties, including the state’s largest, Mecklenburg (the rest use hand-marked paper ballots).
To be entirely fair, it isn’t at all clear that the exposed passwords would have provided malign hackers with any ability to interfere in the 2018 election. First, as the instructions above make clear, one needs to physically insert a properly programmed “master PEB” and “supervisor PEB” (essentially programmable card-keys) into an iVotronic unit in order to access the administrative menus these passwords unlock. Second, Vickery’s tweets seem to suggest that the password file he found was a backup file. We don’t know how old that backup was, or whether the passwords it exposed were still current during the 2018 election. And finally, 2018’s midterm election was North Carolina Democrats’ best showing in nearly a decade, with Dems winning every statewide race and breaking the state House of Representatives’ GOP supermajority. If GOP-sympathizing Russians meddled in that election they certainly didn’t do a very good job.
Still, this leak reveals a disturbingly lax cybersecurity culture at the State Board. Any IT professional careless enough to expose highly sensitive election-related passwords in plaintext on the internet is probably careless enough to make other, even more consequential, mistakes. This affair also reveals important weaknesses in the Department of Homeland Security’s election cybersecurity assessments, since it seems that DHS didn’t spot this tyro snafu hiding in plain sight.
The good news is that there’s a new sheriff in town at the North Carolina State Board of Elections. A highly experienced elections staffer, Karen Brinson Bell, has just been chosen by the new majority-Democrat Board of Elections to replace its recently fired executive director, Kim Strach, on whose watch all of these fusterclucks and many more occurred. Strach’s spouse, Phil Strach, is the GOP-controlled state legislature’s go-to attorney in lawsuits defending the state’s voter suppression laws.
“Our top priorities will be promoting voter confidence in elections and assisting the 100 county boards, the boots on the ground in every election,” Brinson Bell has stated. How she manages the Board’s response to this latest election scandal will be her first trial by fire in this new role. North Carolina voting rights activists will be watching hopefully.