AVS WinVote machines used in three presidential elections in state ‘would get an F-minus’ in security, said computer scientist who pushed for decertification

Touchscreen voting machines used in numerous elections between 2002 and 2014 used “abcde” and “admin” as passwords and could easily have been hacked from the parking lot outside the polling place, according to a state report.

The AVS WinVote machines, used in three presidential elections in Virginia, “would get an F-minus” in security, according to a computer scientist at tech research group SRI International who had pushed for a formal inquiry by the state of Virginia for close to a decade.



In a damning study published Tuesday, the Virginia Information Technology Agency and outside contractor Pro V&V found numerous flaws in the system, which had also been used in Mississippi and Pennsylvania.



Jeremy Epstein, of the Menlo Park, California, nonprofit SRI International, served on a Virginia state legislative commission investigating the voting machines in 2008. He has been trying to get them decertified ever since.



Anyone within a half mile could have modified every vote, undetected, Epstein said in a blog post. “I got to question a guy by the name of Brit Williams, who’d certified them, and I said, ‘How did you do a penetration test?’” Epstein told the Guardian, “and he said, ‘I don’t know how to do something like that’.”

Reached by phone, Williams, who has since retired, said he did not recall the incident and referred the Guardian to former colleagues at Kennesaw State University who have taken over the certification duties he used to perform for Virginia and other states.



“You could have broken into one of these with a very small amount of technical assistance,” Epstein said. “I could teach you how to do it over the phone. It might require an administrator password, but that’s okay, the password is ‘admin’.”



Bypassing the WEP encryption on the wireless system also proved easy. The password turned out to be “ABCDE”, according to the state’s security assessment – and getting the password “would take a few minutes and after that you don’t need any tools at all”, said Epstein.



The commission that stripped the machines of certification also found that the version of Windows running on each of them had not been updated since at least 2004, that it was possible to “create and execute malicious code” on the WINVote and that “the level of sophistication to execute such an attack is low”.



The WINVote machine, manufactured by Advanced Voting Solutions, a now-defunct Texas company, has been under siege by Epstein and others for years; the units have been used in at least two dozen elections across the state. Mississippi and Pennsylvania stopped using them several years ago. Epstein said it is likely no one will ever know whether or not they were tampered with.



“There are no logs kept in the systems,” Epstein said. “I’ve examined them.” Determining anything about the machines’ histories, in fact, would require a very high level of technical sophistication, on a level with the FBI looking at images of deleted files on a suspect’s hard drive.



“Bottom line is that if no Virginia elections were ever hacked (and we have no way of knowing if it happened), it’s because no one with even a modicum of skill tried,” Epstein wrote on his blog.