The Fortress Island of Voting System Physical Security
This research presentation demonstrates how physical security controls on voting machines, such as keyed locks and tamper-evident seals, are frequently bypassed due to poor implementation and publicly available information. The talk analyzes the physical security of various voting systems, highlighting the prevalence of default keys and improper seal application. The speaker provides a comprehensive catalog of keys and seals, demonstrating how easily these can be identified and acquired for unauthorized access. The research emphasizes that reliance on these physical security measures as a primary defense is insufficient.
Why Your "Fortress" Voting Machine Is Just a $3 Padlock Away From Compromise
TLDR: Physical security on voting machines is often treated as an afterthought, relying on easily bypassed keyed locks and improperly applied tamper-evident seals. Research presented at DEF CON 2025 reveals that a vast majority of these systems use standard, commercially available keys that can be identified via public training materials or purchased online. For security researchers, this highlights a critical failure in the "Fortress Island" security model where physical access is assumed to be impossible.
Security professionals often operate under the assumption that physical access is a binary state: either you have it, or you don't. When we talk about critical infrastructure like voting systems, the assumption is that the hardware is a "Fortress Island"—impregnable, isolated, and guarded by layers of physical controls. The reality, as demonstrated by recent research, is that these layers are often made of paper and cheap brass. If you are a researcher or a pentester, you need to stop treating physical security as a "given" and start treating it as a massive, unpatched vulnerability.
The Myth of the Impregnable Lock
The core of the problem is the industry's reliance on "security through obscurity" regarding physical keys. Vendors and election officials frequently claim that their equipment is secure because it is locked. However, the research shows that these locks are rarely unique. They are standard, off-the-shelf components from manufacturers like Southco.
The research team performed a massive, systematic audit of publicly available election documentation—training manuals, YouTube videos, and vendor slide decks. They found that in many cases, the very people tasked with securing the machines were inadvertently publishing the keys to the kingdom. By cataloging these images, the researchers built a repository of key codes and physical profiles.
If you can identify the key code from a high-resolution photo in a training manual, you don't need to be a master locksmith to gain access. You just need to know where to look. A quick search on eBay or a specialized locksmith site often yields the exact key required to open the ballot box or the machine's internal compartment. This isn't a sophisticated exploit; it is basic reconnaissance.
When Tamper-Evident Means Nothing
Beyond the locks, the research highlights the failure of tamper-evident seals. These are supposed to be the "detective" layer of security—if someone breaks the seal, the election official should know. But the implementation is consistently flawed.
The most common failure involves the "pull-tight" seal. These seals are designed to be threaded through a latch and pulled until they lock. The researchers found that poll workers, often under pressure or lacking proper training, frequently cut the excess "tail" off these seals to keep them from getting in the way. Once the tail is cut, the seal can be manipulated or even removed and re-inserted without leaving obvious signs of tampering.
Furthermore, the placement of tamper-evident tape is often performative. Applying tape to a flat, non-moving piece of plastic provides zero security. It creates a false sense of confidence that can be easily exploited by anyone who understands how to lift and re-apply adhesive materials. For a pentester, this is a gift. If you are conducting a physical assessment of a facility, you aren't looking for a way to break the seal; you are looking for the seal that was already applied incorrectly.
The Reality for Pentesters
If you are tasked with a physical security assessment of an election facility or similar high-security environment, your engagement should start with the same reconnaissance the researchers used. Do not assume the hardware is hardened.
- Identify the Hardware: Look for the manufacturer and model numbers on the equipment.
- Search Public Repositories: Check the NIST Voting System Testing documentation or state-level election board websites for training manuals. These documents are gold mines for identifying the specific locks and seals in use.
- Verify the "Default" State: Assume that if a machine is in use, it is likely using the manufacturer's default keying.
The impact of this is severe. Once you have physical access to the USB ports or the internal maintenance interface, you are no longer dealing with a "hardened" system. You are dealing with a standard computer that may be vulnerable to MITRE ATT&CK T1203 (Exploitation for Client Execution) or to local privilege escalation techniques.
A Call for Better Design
Defenders need to move away from the "Fortress Island" mentality. Relying on a $3 latch to protect the integrity of a democratic process is a systemic failure. Manufacturers must move toward unique, serialized keying for every unit, and election officials must implement rigorous, standardized training for seal application.
If you are working with a client in this space, your advice should be simple: physical security is not a static defense. It requires the same level of auditing and lifecycle management as your digital infrastructure. If you can buy the key to your client's most sensitive equipment on the open market, you haven't built a fortress—you've built a target.
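One way to put the auditing and lifecycle management described above into practice, as an added example that is not from the talk or any vendor: a script that reconciles an equipment inventory against a seal log and flags key codes shared across units, seal serials that changed between application and inspection, trimmed pull-tight tails, and seals that do not span an opening. All field names, unit IDs, key codes and serials are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data; unit IDs, key codes and seal serials are placeholders.
INVENTORY = [
    {"unit": "BMD-001", "key_code": "KEY-A"},
    {"unit": "BMD-002", "key_code": "KEY-A"},
    {"unit": "SCAN-001", "key_code": "KEY-B"},
]
SEAL_LOG = [  # one record per seal: serial at application vs. at inspection
    {"unit": "BMD-001", "applied": "S1001", "inspected": "S1001",
     "type": "pull-tight", "tail_intact": True, "spans_opening": True},
    {"unit": "BMD-002", "applied": "S1002", "inspected": "S1002",
     "type": "pull-tight", "tail_intact": False, "spans_opening": True},
    {"unit": "SCAN-001", "applied": "S1003", "inspected": "S1009",
     "type": "tape", "tail_intact": True, "spans_opening": False},
]

def shared_key_codes(inventory):
    """Return {key_code: [units]} for every key code used by more than one unit."""
    by_code = defaultdict(list)
    for row in inventory:
        by_code[row["key_code"]].append(row["unit"])
    return {code: units for code, units in by_code.items() if len(units) > 1}

def seal_findings(seal_log, inventory):
    """Return a sorted list of (unit, finding) for records that fail a check."""
    findings = []
    sealed_units = {r["unit"] for r in seal_log}
    for row in inventory:
        if row["unit"] not in sealed_units:
            findings.append((row["unit"], "no seal record"))
    seen = defaultdict(list)  # serial -> units it was recorded on
    for r in seal_log:
        seen[r["applied"]].append(r["unit"])
        if r["inspected"] != r["applied"]:
            findings.append((r["unit"], "serial mismatch"))
        if r["type"] == "pull-tight" and not r["tail_intact"]:
            findings.append((r["unit"], "tail trimmed"))
        if not r["spans_opening"]:
            findings.append((r["unit"], "seal not across an opening"))
    for serial, units in seen.items():
        if len(units) > 1:
            findings.extend((u, "duplicate serial " + serial) for u in units)
    return sorted(findings)

if __name__ == "__main__":
    print(shared_key_codes(INVENTORY))
    for unit, finding in seal_findings(SEAL_LOG, INVENTORY):
        print(unit, finding)
```

Any unit that appears under a shared key code is a candidate for rekeying, and any seal finding should trigger a documented re-inspection rather than a silent re-seal.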
