A Researcher Found a Bunch of Voting Machine Passwords Online

“There is no way they could have been used to affect any election.”

Kelly Owen/Zuma

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.

A little more than a week ago, the Department of Homeland Security confirmed that it was going to forensically analyze computer equipment associated with part of the 2016 elections in North Carolina in association with questions about Russian hacking. The news prompted an information security researcher to announce that he’d found evidence of other election security issues in North Carolina last fall, which he’d kept quiet until now.

Chris Vickery, the director of cyber-risk research at UpGuard, a cybersecurity services firm, tweeted June 7 that he had found an unlocked online repository that contained what he said were passwords for touchscreen voting machines. The repository, he said, also contained other information, including serial numbers for machines that had modems, which theoretically could have allowed them to connect to the internet.

Vickery said that after he found the open repository in September 2018, he immediately told state officials, who locked the file. State officials have told Mother Jones that the passwords were nearly 10 years old and encrypted—a claim disputed by Vickery and a Democratic technology consultant in North Carolina—but admitted that the file shouldn’t have been publicly available online.

In a statement provided to Mother Jones, State Board of Elections spokesperson Patrick Gannon said the passwords were encrypted and only applied to machines from one county that used them in 2010. Any suggestion that the passwords’ discovery in an open online repository posed a danger to elections was “false and irresponsible,” he said. Even if an attacker could have decrypted the passwords, the passwords would’ve been changed before the 2011 elections and every subsequent election, and “there is no way they could have been used to affect any election.”

But others disagree. Matt Bernhard, an election security expert at the University of Michigan, acknowledged that the passwords would have had limited use for anyone wanting them for ill purposes, given that they seem to apply to individual voting machines. But, he said, the fact that they were publicly accessible reflects a lack of election security protocols that has plagued election officials over the years.

“I think, really, it’s catastrophically dumb…profoundly stupid that they were online at all,” Bernhard told Mother Jones. “In the space of problems with North Carolina’s elections, this is fairly far down on the totem pole.” He noted that what’s important about the suspected breach was that “this is not a North Carolina-specific problem. It’s generally reflective of just a lack of security posture of election officials at all levels. Hopefully this is a good teachable moment for all of them.”

Vickery said last week that he shared what he had found in light of the Department of Homeland Security telling the Washington Post June 5 that it was conducting a forensic analysis of laptops used in Durham County, North Carolina, during the 2016 election. The laptops in that case are associated with what are known as poll books, which are devices used by local election workers to check voters in when they show up to cast their ballots. Problems with the poll books manufactured by Florida-based VR Systems led to significant delays in Durham County, and forced some voters to leave without casting a ballot.

In 2016, VR Systems believes it was targeted by the Russians (but denies it was hacked), and senators Ron Wyden (D-Ore.) and Amy Klobuchar (D-Minn.) have asked the FBI to respond to questions about what happened at that time. Wyden, who serves on the Senate Intelligence Committee, and Klobuchar, who is the ranking member of the Senate Rules Committee, which has oversight of federal elections, have both taken an interest in election security.

Vickery’s find relates to an entirely different kind of voting technology. The passwords he found were for iVotronic touchscreen voting machines manufactured by Omaha-based Election Systems & Software, one of the country’s largest voting equipment vendors. Vickery said he found the passwords in an open State Board of Elections folder on an Amazon server, accessible to anyone who came across it.

“Immediately I understood the importance of it,” he told Mother Jones. He then confidentially got in touch with state election officials who closed access to the file and took it offline. The officials told him the passwords were old and had been changed years ago. Vickery said the most recent file in the folder had been uploaded in 2016.

State elections officials “immediately removed the outdated and encrypted password information” when Vickery notified them, Gannon wrote to Mother Jones in response to questions. The board has “taken steps to try to prevent similar information—even if it is harmless—from being posted to the website in the future.” Gannon added that “legitimate concerns about cybersecurity must be addressed,” even while “erroneous, misleading and politically charged attacks on the State Board and its employees unnecessarily decrease voters’ confidence in elections, which may decrease voter turnout, while taking resources away from important issues.”

Charlie Collicutt, director of the Board of Elections in Guilford County, North Carolina, explained that the passwords applied to a subset of iVotronic voting machines in Guilford County. He’s not sure why the file was uploaded to a publicly accessible folder, but reiterated that the passwords were changed after 2010. The passwords were “ciphered” somehowwith letters or symbols systematically changed to other letters and symbols—and there there might be confusion around referring to them as encrypted. Either way, he said, “This file was a one-off that was posted years” after the passwords within it applied to the machines.

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate