Voting machine maker's manual found to instruct users to choose easily broken passwords and to reuse passwords


by Element 5 Digital

It has been pointed out that the voting machines used in United States elections can be hacked easily, and the concern has been raised more than ever. Now it has newly come to light that the manual for a voting machine used in elections in 10 US states instructs users to "use an easily broken password" and "to reuse a password when changing login credentials."

Voting Machine Manual Instructed Election Officials to Use Weak Passwords - Motherboard
https://motherboard.vice.com/en_us/article/kzvejx/voting-machine-manual-instructed-election-officials-to-use-weak-passwords

Harri Hursti, founder of and security expert at the security firm Nordic Innovation Labs, has conducted risk assessments in several US states since 2016. According to Mr. Hursti, a voting machine maker wrote easily broken usernames and passwords, such as "use the manufacturer's name", into a manual that describes important usernames and passwords for the vote tabulation system. The manual also recommends that users change their passwords periodically, but reportedly says that when doing so they should reuse the password or just change the number at the end.



According to what Mr. Hursti told the media outlet Motherboard, the voting machine manufacturer in question is Unisyn Voting Solutions, a company based in California. Unisyn Voting Solutions develops an optical scanning system called the "OpenElect voting system", which is used both in individual constituencies and by central election committees. The passwords in question were described in the manual for "Open Elect Central Suite", the back end of the election management system, which is used to create the election definition file for each voting machine before an election. The Open Elect Central Suite also aggregates the votes collected from the optical scanning systems in the United States. The credentials described in the manual were the username and password for the first login, and the credentials for logging in to the client software that compiles and saves election results.

It is not clear who wrote the document, but Mr. Hursti said that a Unisyn employee who deals with third-party organizations described a simple username and password "so that there is no need to contact the election office to obtain a password each time the system is accessed." At the time of writing, Unisyn had not responded to Motherboard's request for comment.

According to guidelines (PDF file) from the US Election Assistance Commission (EAC), election offices are advised to change passwords for each election. A password must be at least 6 characters long, with 8 characters recommended, must include at least one uppercase and one lowercase letter, and should use at least one number and one symbol. On the other hand, the guideline also states that passwords "should be easy to remember so that employees do not have to write them down" and should be "obscure enough to be difficult to guess".
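The composition rules summarized above do not by themselves catch the two weaknesses attributed to the manual: a password built from a vendor name, and a "changed" password that differs from the old one only in its trailing number. The following is an added example, not code from the article, the EAC or Unisyn; the term list (including the placeholder `examplevendor`), the function names and the sample passwords are assumptions constructed for illustration.

```python
import re

# Assumption: terms an auditor treats as guessable (vendor or product names).
# "examplevendor" is a placeholder, not a value taken from the manual.
GUESSABLE_TERMS = ("examplevendor", "password", "admin")

def composition_issues(pw):
    """Composition rules as the article summarizes the EAC guidance."""
    issues = []
    if len(pw) < 6:
        issues.append("shorter than 6 characters")
    elif len(pw) < 8:
        issues.append("shorter than the recommended 8 characters")
    if not re.search(r"[A-Z]", pw):
        issues.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        issues.append("no lowercase letter")
    if not re.search(r"\d", pw):
        issues.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no symbol")
    return issues

def _stem(pw):
    """Lowercase and drop trailing digits/symbols: 'Name2!' and 'Name1!' share a stem."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def rotation_issues(new_pw, history):
    """Weaknesses that composition rules miss. Assumes the previous passwords
    are available in clear at change time (e.g. the user re-enters the old one)."""
    issues = []
    if any(term in new_pw.lower() for term in GUESSABLE_TERMS):
        issues.append("contains a guessable term")
    stem = _stem(new_pw)
    for old in history:
        if new_pw == old:
            issues.append("reuses a previous password")
        elif stem and stem == _stem(old):
            issues.append("only the trailing characters differ from a previous password")
    return issues

def audit(new_pw, history=()):
    return composition_issues(new_pw) + rotation_issues(new_pw, history)

if __name__ == "__main__":
    # Constructed sample: passes every composition rule, fails both rotation checks.
    print(audit("ExampleVendor2!", ["ExampleVendor1!"]))
```
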



The username and password in question are enough to log in to the system, but additional credentials are needed to access the summary monitor and create reports on the number of votes. Because each election office creates a password for each election, the instruction to use easily broken passwords is "not that important," Mr. Hursti said.

in Security, Posted by darkhorse_log