The voting machine is an ExpressPoll-5000 electronic poll book from Election Systems and Software (ESS), a company based in Omaha, Nebraska, that makes and sells voting machine equipment and services. The machine was purchased by hackers via auction on eBay to be used at the Black Hat hacker conference in Las Vegas in July to test the security of election equipment.
The US government frequently sells off retired voting equipment, with the assumption that standard guidelines are being followed and voter information is being wiped off the machines before they are sold.
The failure to remove the voters' personal information from the ExpressPoll-5000 is a blunt reminder of the US' faulty security practices regarding elections. Although the details of what personal information the machines contained has not been revealed, electronic poll books usually store voters' names, addresses, birthdays, political parties, whether they voted inside the country or out and whether they were asked to show identification.
The voter information was stored on a removable memory card that can inserted into a card reader and then easily retrieved from any computer. Josh Palmer, the security researcher who discovered the memory card and easily accessed the file with a card reader and a laptop, verified that the information could be obtained without a password. Even if the voter data had been wiped off of the machine, any person with access to the memory card could still have committed a serious data breach.
"It's just on the drive," Palmer said. "There was no password on it. ESS could have encrypted it. They chose not to encrypt it."
ESS has not commented on the subject.
The card was quickly confiscated at the Black Hat convention and Shelby County officials were informed. "We're notifying the country and letting them know of a potential data breach," said Matt Blaze, a security researcher and author of multiple studies on e-poll book security.
Findings at the Black Hat convention did not inculcate trust in other voting machines, either. Hackers were able to successfully compromise voter privacy and security in every machine at the convention within anywhere from minutes to just a couple of hours.