By Darren Smith, Weekend Contributor
A six-year effort by computer scientist Jerry Epstein of SRI International has finally come to fruition in his quest to decertify AVS WinVote machines for election use because of what can only be described as extremely broken security measures and design weaknesses. The deficiencies were so severe that the machines not only had the potential to fail on their own, but a relatively unsophisticated attacker could have brought down the State of Virginia’s election system.
Mr. Epstein reportedly stated the WinVote system “would get an F-” in security.
SRI International pushed for a formal inquiry into the vendor of Virginia’s voting machines, originally meeting resistance from the state’s board of elections. After much prodding, however, the state commissioned a study; its report was damning of the voting system and advocated its immediate discontinuance.
On April 14th, the Virginia Information Technologies Agency (VITA) and Commonwealth Security and Risk Management issued their findings. Your author summarizes the report below and offers analysis of its key points. Comments are italicized.
The full report may be read HERE.
During a recent election, one precinct in Virginia reported unusual activity with some of the devices used to capture votes. The devices were displaying errors that interfered with the ability to collect votes. In order to diagnose the problem, the Department of Elections (ELECT) initiated a review of the devices to identify the cause of the problems. As part of the review, ELECT engaged Commonwealth Security and Risk Management staff in the Virginia Information Technologies Agency (VITA) to perform a security analysis of the devices.
As a result of the findings included in this report, VITA recommends discontinuing use of the Advanced Voting System WINVote devices. The security review determined that the combination of weak security controls used by the devices would not be able to prevent a malicious third party from modifying the votes recorded by the WINVote devices. The primary contributor to these findings is a combination of weak security controls used by the devices: namely, the use of encryption protocols that are not secure, weak passwords, and insufficient system hardening.
Security deficiencies were identified in multiple areas, including physical controls, network access, operating system controls, data protection, and the voting tally process. The combination of critical vulnerabilities in these areas, along with the ability to remotely modify votes discreetly, is considered to present a significant risk. This heightened level of risk has led VITA security staff to conclude that a malicious third party could be able to alter votes on these devices. These machines should not remain in service.
The report summarizes the efforts made to identify areas of vulnerability in the system. It is not a complete test, but it is very effective at exposing numerous security measures that are easily circumvented and physical controls that are easily compromised. Some are so blatant that, from a technical point of view, they are almost laughable. Unfortunately, a state’s election system was put at risk.
The physical security of the device consists of a single locking mechanism that covers the printer and power button. This lock can be easily circumvented, although the access it provides to the device would not allow a device to be compromised without using supplementary equipment. In addition to the universal serial bus (USB) port under the locked cover, the device has two USB ports on the top of the device. These ports are easily accessible and accept standard USB devices. While there are some limitations of the types of devices that can be plugged into the ports without notice, a malicious third party could plug in a device that provides access to the machine either locally or remotely.
As part of testing, VITA accessed each device’s basic input/output system (BIOS) and modified the drive boot order. VITA then attached a USB compact disc drive (CD-ROM), and had the system boot from that CD-ROM instead of the internal drives. By doing this, VITA was able to force the system to boot to an alternate operating system (Knoppix), and take images of the system drives. This test, as performed, is likely to be noticed; however, it may be possible to use a smaller profile bootable device and access the system discreetly. This approach would enable modification of the device if it was discreetly rebooted.
Time constraints prohibited testing of each type of external USB device that could allow local access. However, VITA believes it is probable that an attacker could install a device that would allow remote or local access to monitor, modify, or provide unauthorized access to data.
For reference, a BIOS is firmware that, among other functions, initializes hardware resources and prepares the system for hand-off to the operating system. The WinVote system apparently failed to password-protect the BIOS, which allowed the tests described above. The BIOS can only be reached through physical access to the machine; however, given the reported ease of gaining that access, the boot order could be changed so the machine boots from a USB stick and malicious software could be introduced. While the report is correct that this would in many respects be likely to be noticed, it is doubtful that election workers would have sufficient expertise to recognize that the boot and loading parameters had been altered.
However, physical access is not necessary to compromise the WinVote system, and it would involve greater risk for the attacker. The preferred, and significantly easier, method would be through a wireless network connection.
One of the most significant concerns involving the WINVote system is the ability to access the devices from a remote location using the Institute for Electronics Engineers (IEEE) 802.11b wireless protocol. The wireless cards on the devices provide an attack vector where an external party can access the WINVote devices and modify the data without notice from a nearby location.
The first part of the wireless testing involved a review of the security used to protect communications between WINVote devices. Each device has a default configuration where wireless communication is configured as peer-to-peer with wired equivalent privacy (WEP) encryption. The devices broadcast their wireless network name (service set identifier, commonly known as the SSID) where it can be easily detected by most devices that have wireless cards.
One additional important note is that while the WINVote application appears to have the ability to disable the wireless network from within the application, it does not disable the network interface on the device. When the wireless network is disabled using the WINVote interface, the application will no longer seek other devices on the network. Although the application will not find other systems, the device’s network card remains online and will send and receive traffic even though the application indicates it is disabled. Based on VITA testing it is not possible to prevent network access by disabling the network using the WINVote application.
The WinVote system uses a network protocol that has been out of date for over ten years and has since been replaced several times by faster and significantly more secure standards. In their default setting, WinVote machines broadcast their identities, which gives an attacker an easy and uniform way to distinguish a WinVote machine from other network nodes such as office or home systems. The attacker could remain undetected and able to compromise the system for as long as he or she is within the wireless range of the network.
The report also identifies that the system creates a false sense of security: the user interface purports to disable the wireless network, but it fails to do so, since the network interface would have to be physically removed before installation at a polling station, an event unlikely to occur.
During VITA’s testing of the devices, network communications between two WINVote devices were monitored for approximately two minutes and a packet trace was taken of the wireless network communications. Using this packet trace, it was possible to craft a network packet and use that packet to exploit the weakness in the WEP algorithm to crack the WEP encryption key. This password (“abcde”) is classified as weak and could have been quickly identified using common password guessing tools. With that passphrase it was possible to join to the WINVote ad-hoc network with specialized security workstations and start attempting to compromise the WINVote device’s operating system.
The device uses the deprecated network security protocol WEP, which was discontinued because of its vulnerability to exploitation. What is even more astounding is that, on top of WEP being subject to eavesdropping and spoofing, the testing team easily cracked the password to the encryption key (a string of data used to scramble the traffic so that other listeners cannot read it) and from there could read or modify the traffic or gain access to the WinVote network.
A password such as “abcde” is not only easily defeated by even simple guessing; it also lends itself to use as a back door by an unscrupulous employee seeking access.
The WINVote systems run Windows XP Embedded 2002 as an operating system (OS). This OS is currently supported by Microsoft but is scheduled to go end-of-life on January 12, 2016. Although patches for the OS have been released, the WINVote devices do not appear to have patches or service packs applied. This puts the OS in a deprecated and therefore vulnerable state. Because of this, the devices are vulnerable to many published exploits, such as a vulnerability first identified in 2004, … The age of this vulnerability provides confirmation that the devices have not been patched for a number of years.
Imagine, if you would, a computer running Windows that has not been updated since the operating system was released by Microsoft. Here the developers of WinVote have, in the view of your author, committed an act of recklessness, because every exploit published against this operating system could potentially be used to compromise the machine or cause it to fail through a flaw that updates or patches would have fixed.
The approach to testing the OS began with an attempt to access a privileged account. Information from the Nmap and Nessus scans was used to target the file sharing service and the file shares to perform a password guessing (brute-force) attack utilizing the open source tool Hydra. The first account targeted was the local administrative account “Administrator” using a standard wordlist (a list of passwords). The use of a weak password by the devices enabled VITA to crack the password (“admin”) for that account almost immediately. Using this account and password, full administrative access to the WINVote operating system was available.
It should be stressed how easily the system could be compromised here.
Targeting a privileged account means the goal is to take control of the system through a user account that has enough authority to make changes to it or to gain broad access. A secure system operates on the principle of least privilege, so that if a user account is compromised, the scope of damage an attacker can cause is limited.
In the WinVote system, gaining access to a highly privileged account is easy, very easy in fact. There are two reasons for this. First, the system uses the standard name for its highly privileged user, “Administrator”, which is the default super-user account name in this flavor of Windows. Had the system used a different name, unauthorized entry would have been logarithmically more difficult to accomplish. To add to the pun, the password used was “Admin”. Your author actually laughed aloud when reading this report, because when trying to break into a system, after a blank password (Windows XP’s default administrator password), admin is the next password a hacker will attempt. It is also the default password on many retail network products.
Once a hacker gains access to the administrator account, practically all other security measures are compromised and the system may be modified at will.
The voting databases on the devices would be a primary target for an attacker. The databases contain information, such as the ballot, the voting location, and (most importantly) the number of votes. The databases are Microsoft Access databases and require a password. It is important to note that while there is a password on the database, the database itself is not encrypted. The password on the database provides very limited protection and can be bypassed easily with a hex editor (a specialized tool to edit individual bytes of a file) or identified with a password cracker.
A password cracker was used by VITA to attempt to obtain the password protecting the database. The weak password on the database permitted VITA staff to access it in approximately 10 seconds using “AccessPasswordRetrievalLite” to guess the password (“shoup”). This password was used for all of the database files. With the password, it was possible to copy the database files to the security analysis system, open them and modify the voting data. To validate that the changes were permanent and not overwritten by the application’s controls, a hash of the file (MD5 checksum) was taken and validated after the database had been copied back to the WINVote device. The hash values matched, confirming that the altered files remained on the system.
The database exploit offers a digital-age rendition of the timeless story of “It is not who votes that matters. It is who counts the votes that does.” Rather than take the entire system down, which would be obvious, a hacker could manipulate the database by creating just enough votes to swing an election by a small margin while maintaining the total vote count. If a hacker compromises enough WinVote machines there is the potential to affect an election.
There is a practice in penetration testing and hacking called social engineering. In computer security terms, this means using the human factor in attempting to gain access to a system. Methods include using permutations of a user’s name, family members, hobbies, or other items to derive a password based upon the probable use of these items by the user. After reading that VITA used the password cracker and obtained the word “shoup” as a database password, your author became curious as to why such a word was used. It took just over two minutes to reverse engineer the password and obtain the source of the word shoup by using Bing.com. Shoup refers to the following, according to Vote Trust USA:
Advanced Voting Solutions (AVS) develops hardware and software systems for the electronic tallying of ballots. Its products include the WINvote touchscreen voting machine and applications for managing the voting process. The company was established in 2001 by CEO Howard Van Pelt, who sold his previous business, Global Election Systems, to Diebold, which renamed the business Diebold Election Systems. AVS was once known as Shoup Voting Solutions, a company that manufactured mechanical voting equipment. Shoup got out of the equipment manufacturing business in 1992 and was involved in servicing its installed equipment. The voting equipment repair firm, founded in 1911, is now known as Elections USA Inc. by Shoup.
Vote Tally Process
The primary goal of the WINVote testing was to identify whether votes could be modified remotely without detection by voting staff. To determine whether this was possible, VITA executed a controlled election with the vote tallies for each candidate noted. Before closing out the election, VITA downloaded and modified the database containing the vote tallies for each candidate on a remote security analysis station connected to the ad-hoc network. This modified database was loaded back onto the WINVote device and the election was closed. The compromised vote tallies were reflected in the closed election results, proving that the vote data could be remotely modified. This process test was performed with the wireless network both enabled and disabled through the WINVote software.
The documentation reviewed by VITA indicated that the system performed integrity checking of the vote cast to ensure it was not modified during the voting process. However, the system did not perform checks to identify whether the file that stores the votes has been modified. This lack of integrity check allows the file to be changed and votes to be modified.
VITA recommends that the Advanced Voting Systems WINVote devices not be used in future elections.
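The missing check the report describes in the tally process above, as an added example that is not from the VITA report or the WinVote software: a constructed JSON tally stands in for the Access database, and the key and vote counts are sample values. It shows why matching hashes (the MD5 comparison VITA used to confirm its edits persisted) and an unkeyed digest stored beside the file do not detect tampering, while a keyed MAC whose key is held off the device would have.

```python
"""Added example, not from the VITA report or the WinVote software. A
constructed JSON tally stands in for the Access database; key and counts are
sample values."""
import hashlib
import hmac
import json
import os

# Constructed tally as written when the election is opened.
ORIGINAL_TALLY = json.dumps({"precinct": "demo-01", "A": 120, "B": 118}).encode()
# Same file with the counts swapped; the total (238) is unchanged, so a
# total-only sanity check would not notice.
ALTERED_TALLY = json.dumps({"precinct": "demo-01", "A": 118, "B": 120}).encode()


def write_persisted(written: bytes, read_back: bytes) -> bool:
    """The check VITA performed: MD5 of the file copied onto the device equals
    MD5 of the file read back, i.e. the application did not overwrite it.
    That proves persistence of the edit, not authenticity of the data."""
    return hashlib.md5(written).hexdigest() == hashlib.md5(read_back).hexdigest()


def unkeyed_check(tally: bytes, stored_digest: str) -> bool:
    """An integrity check built on an unkeyed hash stored beside the file."""
    return hashlib.sha256(tally).hexdigest() == stored_digest


def rewrite_file_and_digest(new_tally: bytes):
    """Whoever can replace the tally file can also replace a sidecar digest
    computed from it, so the unkeyed check passes on altered data."""
    return new_tally, hashlib.sha256(new_tally).hexdigest()


def seal(tally: bytes, key: bytes) -> str:
    """Keyed MAC computed at election open. The key must be held off the
    device (e.g. by the election office); a key stored on the device would be
    copied along with the database."""
    return hmac.new(key, tally, hashlib.sha256).hexdigest()


def verify(tally: bytes, key: bytes, expected_mac: str) -> bool:
    """Check at election close; compare_digest avoids timing leaks."""
    return hmac.compare_digest(seal(tally, key), expected_mac)


def demo(key: bytes = b"") -> dict:
    """Run the scenario on the constructed data and return each outcome."""
    key = key or os.urandom(32)
    mac_at_open = seal(ORIGINAL_TALLY, key)
    forged_tally, forged_digest = rewrite_file_and_digest(ALTERED_TALLY)
    return {
        "md5_shows_edit_persisted": write_persisted(ALTERED_TALLY, ALTERED_TALLY),
        "unkeyed_digest_fooled": unkeyed_check(forged_tally, forged_digest),
        "mac_accepts_original": verify(ORIGINAL_TALLY, key, mac_at_open),
        "mac_rejects_altered": not verify(ALTERED_TALLY, key, mac_at_open),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```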
The possibilities for hacking Virginia’s election system are limited only by the imagination of the attackers; with so few technical security measures in place, it is certainly a target-rich environment.
What is even more disturbing is to reflect on what could have happened. The VITA report needed only to address the core vulnerabilities to demonstrate that the security of the system was fundamentally broken and to make a convincing argument that the state must immediately remove WinVote from use. The examples cited, while sufficient, do not fully convey the magnitude to which the election system could have been compromised.
A worst-case scenario involves the introduction of a malicious software worm into one of the WinVote machines that is carried to the main state server when the databases are synchronized, or that hops from node to node and compromises the entire state voting network. Once this occurs, the worrying possibilities are many. The worm could wreck the entire election, alter the vote, or, during a minor election, install software that is propagated to all voting machines for a future election and alters the vote to whatever the attacker wishes. It is ballot stuffing at its pinnacle.
Why was such a broken system brought into the election systems of Virginia and of the several other states that formerly used WinVote? There are several possibilities that interact with each other.
In the software development world, two problems are inherent. First, the notion that “he who makes it to market first wins” on occasion causes software companies to rush to beat the competition at any cost, and quality often takes lower priority. When this approach is followed closely, only the necessary and most visible features are developed, and heavy marketing is used to woo customers. Many promises are made and not all are fulfilled, and the company knows this. In the WinVote product, this type of strategy seems to have manifested itself. Securing a system truly requires years of penetration testing and system design. For a voting machine, counting votes is easy, and the user interface and basic system could be developed rather quickly. The software testing and security development, however, is the most involved aspect of such a product. It is probable that Advanced Voting Systems rushed to get this to market without providing a fully developed solution.
The second problem is a lack of competence in smaller companies that do not have the public visibility of a Microsoft or an Oracle. The latter companies must put vast resources into quality assurance, but smaller companies tend to have limited resources and might lack an understanding of the fundamental procedures needed to create workable software. Their lack of experience shows in their products. I believe that this, coupled with a lack of oversight of the development process, led to these serious breaches in the security of their product that ultimately led to its demise. It is a common problem.
Blame also lies with the states that adopted WinVote. It is apparent these states failed to exercise due diligence when evaluating vendors for electronic voting machines. The WinVote product is so fundamentally broken from a security standpoint that it is obvious this occurred. One problem is that the state got hoodwinked by effective marketing and did not have experts evaluating the quality of the software. With such an important aspect of our society and government at stake, the effort by the state is inexcusable and outrageous. The fact that an eight-year effort was required to finally convince the state to commission a comprehensive study, decades after implementation, shows that there was much face to be lost, and bureaucrats and officials did not want to accept responsibility for their actions. WinVote became figuratively both the 800-pound gorilla in the room and the unwanted stepchild nobody wanted to talk about. Once implemented, it was too big a problem to correct, and embarrassment and face reigned supreme.
Moreover, it seems that once WinVote wormed its way into Virginia’s polling service, its maker Advanced Voting Systems virtually abandoned the product, failing to provide even rudimentary software updates or to correct security weaknesses it knew it had introduced. If such poor measures were used, there are almost certainly bugs that caused irregularities which went unnoticed because AVS failed to test its software adequately.
The real losers in this affair are the voters of Virginia and those within other states that implemented this system before it was removed. Not only was a large amount of tax money spent but their votes could have been invalidated.
Anecdotally, after millions of dollars wasted, your author proposes that a monkey with a typewriter could have written a better software product. Why? Because its incoherent typings would have been equally as unacceptable as the WinVote system but could have been purchased instead for a few bananas.