Voting Device Manufacturer Encourages Users To Use (And Re-Use) Easily-Guessed Passwords

from the thanks-for-the-tips,-sparky dept

As Election Day 2K18 rolls on, the good news continues to roll in, he said in his most Professor Farnsworth voice. It's never good news, not if we're talking voting machine security. Kim Zetter, writing for Motherboard, has obtained a manual for devices made by Unisyn Voting Solutions, which provides horrendous security advice for users of its products.

There are federal guidelines for voting systems. The Elections Assistance Committee makes the following recommendations for passwords:

[E]lection officials are encouraged to change passwords after every election. Passwords should also have the following characteristics: they should be at least six characters, preferably eight, and include at least one uppercase letter, a lowercase letter, at least one number and a symbol. It also says, though, that passwords should be easy to remember so that employees won't need to write them down, "yet sufficiently vague that they cannot be easily guessed."

Unisyn has apparently decided minimal security efforts are badly in need of disruption. To begin with, the device manual suggests users should simply use variations of the default password the devices ship with. That password is the company's name with a "1" appended to the end of it. This easily-guessed admin password should then be immediately replaced with… an easily-guessed password.

Once logged into the system the credentials needed to access the tabulation monitor or the system for creating reports of ballots and vote tallies are different. The username is again a simple word to log in. The password is the same word with "1" appended to it. Users are told that to change the password when prompted, they should simply change the number sequentially to 2, 3, 4, etc.

The Unisyn manual takes the EAC guidelines and throws them out. It then makes a minimal nod towards compliance before throwing everything out a second time. Remember the part about not writing down passwords? The sort of thing no one should do because it defeats the purpose of password security? Here's Unisyn's scorching hot take on EAC compliance:

"You will be periodically asked to change your password per EAC regulations," [the manual] notes. But instead of providing customers with sound instructions for changing passwords—such as creating completely new passwords and not re-using them—the manual instructs them to simply alternate between a system administrator and a root password each time they are prompted to change the password. Space is provided below this instruction for election workers to write down which password they are using at any given time.

If there's good news, it's that these machines aren't in use everywhere. Just 3,500+ jurisdictions in ten states. They're also fairly insulated from online attacks, since they're not supposed to be connected to the internet. This means attackers will most likely need physical access to the devices. Good thing these only get touched by non-election personnel every couple of years or so!

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: election security, passwords, voting, voting machines
Companies: unisyn voting solutions


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 6 Nov 2018 @ 12:08pm

    President Trump's twitter account was just hacked. More at 11.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 6 Nov 2018 @ 12:12pm

    Re:

    His password was, No Collusion

    link to this | view in thread ]

  3. icon
    Bamboo Harvester (profile), 6 Nov 2018 @ 12:13pm

    Well....

    ...It's what most people do anyway. Something on the order of 85% of routers that do not still have the factory default Admin password use ... Password1

    Verizon uses that for new DSL accounts on installation. Most people never change it.

    I remember when you could get su access on most mainframes with the password "god" or "sex" as well.

    We're creatures of habit.

    link to this | view in thread ]

  4. identicon
    David, 6 Nov 2018 @ 12:15pm

    Re:

    This is an outrage! Actually, I consider the first 4 words to already constitute an outrage. Come to think of it, the first two.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 6 Nov 2018 @ 12:29pm

    Re: Re:

    It used to be "imawesome". When did he change it?

    link to this | view in thread ]

  6. icon
    ShadowNinja (profile), 6 Nov 2018 @ 12:37pm

    Re: Well....

    Well it's also been beaten into our heads for 2 decades to follow bad password policies.

    Many of the official recommendations Tim posted encourage bad password hygiene that will make you more vulnerable to getting hacked.

    • Forcing a mix of upper/lower case letters, a number, and a symbol? Check.

    • Telling people 8 characters is good enough (even worse, they say 6 is allowed!)

    • Frequent password changes (yes if someone leaves who was working it this can be necessary, but otherwise no it's not)

    • No mention of avoiding commonly used passwords.

    This XKCD comic explains a lot of why these those recommendations are bad

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 6 Nov 2018 @ 12:39pm

    Re: Re: Re:

    Wait I though it was witchhunt?

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 6 Nov 2018 @ 12:40pm

    Re: Re: Re:

    that's his second password. his first was changed after he found out Mel Brooks used it for luggage.

    link to this | view in thread ]

  9. identicon
    Lawrence D’Oliveiro, 6 Nov 2018 @ 12:45pm

    Can They Manage Confidential Documents?

    There’s nothing wrong with passwords that are too hard to remember -- just write them down.

    Surely Government employees have some experience with managing confidential documents and keeping them safe. Lists of passwords would come under that category, would they not?

    link to this | view in thread ]

  10. icon
    Bamboo Harvester (profile), 6 Nov 2018 @ 12:52pm

    Re: Re: Well....

    Agreed on all points.

    Especially the number and symbol usage. Not things most people can type "normally", forcing hand movements easily visible to everyone else in an office.

    And usually hunt & pecked, so anyone behind you now knows your password.

    The ONE thing that would help generate long, difficult to crack passwords is forbidden in most cases - using SPACES.

    Passphrases are much more difficult to crack.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 6 Nov 2018 @ 1:24pm

    Re: Re: Re: Well....

    Or just write a sentence with all of the spaces taken out.

    Its hard to read but easy to remember.

    link to this | view in thread ]

  12. icon
    Thad (profile), 6 Nov 2018 @ 1:57pm

    I used to work as a temp on GoDaddy's web design team.

    Our first day, we had to go through a "security" tutorial that, among other things, advised that we satisfy the "mixed-case and at least one symbol" requirement by using an initial capital letter and putting an exclamation point at the end.

    I e-mailed the security team to explain to them why this is bad advice ("a six-character password that begins with a capital letter and ends with an exclamation point is exactly as secure as a five-character all-lowercase password"). Unsurprisingly, I never heard back.

    link to this | view in thread ]

  13. identicon
    Tu Shay, 6 Nov 2018 @ 2:47pm

    Re: Re: Re: Re: Well....

    Orjustwriteasentencewithallofthespacestakenout.It'shardtoreadbuteasytoremember.

    link to this | view in thread ]

  14. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 6 Nov 2018 @ 2:50pm

    Godad! ODadd! Daddy! ????

    link to this | view in thread ]

  15. icon
    Bamboo Harvester (profile), 6 Nov 2018 @ 5:26pm

    Re: Re: Re: Re: Well....

    ...and fail about 3 times on average if you're a touch typist because hitting the space bar is on autopilot.

    If you use "any moose cow word" as your passphrase, you'll find yourself hitting the space bar trying to type anymoosecowword in a non-display box.

    Like I said, we're creatures of habit.

    link to this | view in thread ]

  16. icon
    Coyne Tibbets (profile), 6 Nov 2018 @ 10:25pm

    Hmmmm I wonder...

    ...if any entry that starts with "Unisyn" will sign you on. For example, you set the password to "Unisyn14" but you can sign on with "Unisyn1" or "Unisyn42" or "UnisynMT".

    I heard of a (non-voting) system one time that did that, it really cuts down on service calls arising from "forgotten" passwords.

    link to this | view in thread ]

  17. icon
    Ninja (profile), 7 Nov 2018 @ 8:22am

    Then they wonder why kids can hack electronic voting devices in seconds.

    link to this | view in thread ]

  18. identicon
    carlb, 7 Nov 2018 @ 11:28am

    the super-secret 31337 p@ssw0rd

    username: DJT
    password: Росси́я

    Have fun! ;)

    link to this | view in thread ]

  19. identicon
    Annonymouse, 7 Nov 2018 @ 12:10pm

    Passwords

    SysremID: IamInfected
    Password: H1N1.... to be replaced by the influenza of the day

    Gesundheit

    link to this | view in thread ]

  20. icon
    compageautomation (profile), 25 Feb 2019 @ 10:49pm

    Servo motor manufacturers in India

    http://www.compageautomation.com/bldc-motors.html BLDC MOTOR READILY AVAILABLE IN INDIA WITH EUROPEAN TECHNOLOGY FOR E-RICKSHAW & E- VEHICLES

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.