In many cases, physical ports were unprotected, passwords were either left unset or in their default configuration and security features went unused or in some cases, were disabled, the report added.
Attendees were given access to over 100 machines at the event, including direct-recording electronic voting machines, electronic poll books, Ballot Marking Devices, Optical scanners and hybrid systems.
One machine, based on an old PC hardware, had no BIOS password set on the machine. The BIOS (Basic Input Out System) controls the basic functions of a PC.
“Consequently, participants were able to boot an arbitrary operating system off a live CD… Ultimately, the device was used as an entertainment device, amusing visitors with Nyan Cat,” the full version of the report said.
On another system, a keyboard and Ethernet connection could be plugged in by simply removing the top of the machine’s case. The casing is secured by only by 3 screws and does not have any tamper-evident seals. “Immediate root access to the device was available simply by hitting the Windows key on the keyboard,” the report continued.
Another device, one that combines an optical paper ballot scanner and ballot marking device and allows for access by the blind and visually impaired, has a single locking mechanism for the entire ballot box. “If picked, ballots could easily be stolen using common items such as a standard trash picker,” the report stated.
Participants were able to access common computer ports on the device such as USB, RJ45, and CompactFlash slots on this machine “without using destructive force…[and] boot settings also allow for the system to be booted from an external USB on startup.”
The report recommended the use of paper ballots, as well as rigorous post-election audits.