
Not necessarily connected to the internet at large (private net is entirely possible), but almost certainly so. There should be an airgap (logical if not physical isolation of this network from any other lower security network) but I have no reason whatsoever to believe there was one given the general incompetence or malice on display here.

The workstation could be compromised, but as far as remote exploitation, honestly I'd be more concerned with the tabulator itself. Unless explicitly designed with security in mind, embedded systems are usually really good targets because they often run core software (networking/parsing/whatever) libraries that are out of date and have not just security flaws, but security flaws that have been in the wild for years. Embedded systems can be a yuge pain in the ass for corporate infosec, printers have led to major compromises.

What most concerns me about this system is not so much external actors attacking, but that nothing about any of it indicates security was in mind when it was either designed or configured/deployed. Even trivial UI stuff like it doesn't even ask for a password (or better, a user AND supervisor password), when changing a vote is deebly goncerning. There's not even anything in the voting machine software stopping the office janitor from sitting down at the workstation and changing votes while the election manager was taking a shit, and if the election manager herself is the bad actor, she can just do anything she wants. There might be an audit trail, but without confirming and logging the identity of the operator when the change is made there's no way to prove who made a change or why. Just the fact that it lets the user change a vote at all is insane - that should be a formal process where the questionable ballot is shunted into an entirely different queue for manual review, or just rejected outright. It's not an election staffer's place to be interpreting who some idiot that marked both boxes intended to vote for.

This system, or at least this system as configured, is shockingly permissive.

(My background is information security, held multiple senior titles in that field, and I do embedded systems for fun.)

The more I think about this the more I could add to it, but it's already a wall of text. As a security guy this is absolutely horrifying on so many levels.

126 days ago
1 score
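A minimal sketch of the controls the comment above asks for, added here as an illustration and not taken from the post or from any real election software: ambiguous ballots go to a separate review queue, resolving one requires both an operator and a supervisor to authenticate, and every action is written with both identities to a hash-chained audit log. All names, credentials and the ballot format are hypothetical and constructed for the example.

```python
import hashlib, hmac, json

# Constructed sample credentials (hypothetical); real systems use an identity
# provider and salted password hashes.
USERS = {"op_alice": ("operator", "constructed-pw-1"),
         "sup_bob": ("supervisor", "constructed-pw-2")}

class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record, "hash": self._digest(prev, record)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def authenticate(user, password, role):
    stored_role, stored_pw = USERS.get(user, (None, ""))
    return stored_role == role and hmac.compare_digest(stored_pw, password)

def intake(ballot, counted, review_queue, log):
    """Count only unambiguous ballots; overvotes and blanks go to a review queue."""
    if len(ballot["marks"]) == 1:
        counted.append((ballot["id"], ballot["marks"][0]))
    else:
        review_queue.append(ballot)
        log.append({"event": "queued_for_review", "ballot": ballot["id"]})

def adjudicate(ballot, decision, reason, op, sup, log):
    """Resolve a queued ballot only when two distinct people authenticate."""
    (op_user, op_pw), (sup_user, sup_pw) = op, sup
    ok = (op_user != sup_user and authenticate(op_user, op_pw, "operator")
          and authenticate(sup_user, sup_pw, "supervisor"))
    log.append({"event": "adjudicated" if ok else "denied", "ballot": ballot["id"],
                "decision": decision if ok else None, "reason": reason,
                "operator": op_user, "supervisor": sup_user})
    return ok
```

Denied attempts are logged with the claimed identities as well, and `verify()` fails if any earlier record is edited after the fact.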