650,000 Tennesseans from the Memphis area had their personal information dug up from voting machines at a hacker conference in Las Vegas.
As FBI director James Comey says, the US voting system is strong because of how “clunky” it is. What the means by that is that every state or even district chooses the voting setup and if they want it to be electronic or on paper. And the districts that choose electronic voting have to choose from a dozen different voting machines manufacturers. This clunkiness makes it harder for hackers to hack on the larger scale, but it still gives them enough opportunity to get their hands on the polling data.
The plan is simple enough – when a voting machine is no longer in use by the government, before they sell it off to the public, all information on it should be erased.
But hackers at DEF CON in Las Vegas had access to one of these, an ExpressPoll-5000 electronic poll book, and they managed to dig out information on 654,517 voters in Shelby County, Tennessee.
While it’s unclear how much of this found information wasn’t yet public, some of these records included not just names, addresses, and birthdates – but also political parties, if they voted absentee, and if they had been asked to identify themselves.
The company that made the voting machine in question, Election Systems and Software (ES&S) is one of the most popular manufacturers of voting machines, according to Barbara Simons. Because there is no formal way established to check if the machines have been properly wiped, the number of machines still containing personal info on the voters in unknown.
But the fact that with just a few of them being available at DEF CON hackers managed to find the one with data still in it, it seems likely the number is higher than we’d want it to be.
After being sold off to the public, the machines often get resold for a much lower price. Harri Hursti, an expert on the voting machines tracked some of the machines through eBay. He visited one seller who showed him an entire warehouse full of voting machines.
For digging up the records still left on the machines, a person would only need moderate computer skills. the records are kept on a removable memory card, so anyone who takes the memory card and reads it on their computer can see the contents of the data previously stored on the voting machines.
Josh Palmer, the security researcher who discovered the database, explained how easy it was to access the files. He said that there was no password and though ES&S could have at least encrypted the drive, they chose not to.
The manufacturer didn’t respond when asked for a comment.
Not long after Palmer found the data, the conference took the drive in order to protect the voters whose information was on it and notified the county about the potential breach.