Computer Scientist Gives Virginia Voting Machines F- Security Grade

By Darren Smith, Weekend Contributor

WinVote User Interface

A six year effort by computer scientist Jerry Epstein of SRI International has finally come to fruition in his quest to decertify AVS WinVote machines for election use, owing to what can be described as extremely broken security measures and weaknesses in the machines’ design. The deficiencies were so severe that the machines were not only prone to faults: a relatively unsophisticated hacker could have brought down the State of Virginia’s election system.

Mr. Epstein reportedly stated the WinVote system “would get an F-” in security.

SRI International pushed for a formal inquiry into the vendor of Virginia’s voting machines, meeting originally with resistance from the state’s boards of elections. However, after much prodding the state commissioned a study, and its report was damning of the voting system and advocated its immediate discontinuance.

On April 14th the Virginia Information Technologies Agency and Commonwealth Security and Risk Management issued its findings. Your author will summarize this report and offer analysis of its key points. The author’s comments are italicized.

The full report may be read HERE.

Executive Summary

During a recent election, one precinct in Virginia reported unusual activity with some of the devices used to capture votes. The devices were displaying errors that interfered with the ability to collect votes. In order to diagnose the problem, the Department of Elections (ELECT) initiated a review of the devices to identify the cause of the problems. As part of the review, ELECT engaged Commonwealth Security and Risk Management staff in the Virginia Information Technologies Agency (VITA) to perform a security analysis of the devices.

As a result of the findings included in this report, VITA recommends discontinuing use of the Advanced Voting System WINVote devices. The security review determined that the combination of weak security controls used by the devices would not be able to prevent a malicious third party from modifying the votes recorded by the WINVote devices. The primary contributor to these findings is a combination of weak security controls used by the devices: namely, the use of encryption protocols that are not secure, weak passwords, and insufficient system hardening.

Security deficiencies were identified in multiple areas, including physical controls, network access, operating system controls, data protection, and the voting tally process. The combination of critical vulnerabilities in these areas, along with the ability to remotely modify votes discretely, is considered to present a significant risk. This heightened level of risk has led VITA security staff to conclude that malicious third party could be able to alter votes on these devices. These machines should not remain in service.

The report summarizes the efforts made to identify areas of vulnerability in the system. It is not a complete test, but it is very effective at finding numerous easily circumvented security measures and physical compromises. Some are so blatant that, from a technical point of view, they are almost laughable. Unfortunately, a state’s election system was put at risk.

Physical

The physical security of the device consists of a single locking mechanism that covers the printer and power button. This lock can be easily circumvented, although the access it provides to the device would not allow a device to be compromised without using supplementary equipment. In addition to the universal serial bus (USB) port under the locked cover, the device has two USB ports on the top of the device. These ports are easily accessible and accept standard USB devices. While there are some limitations of the types of devices that can be plugged into the ports without notice, a malicious third party could plug in a device that provides access to the machine either locally or remotely.

As part of testing, VITA accessed each device’s basic input/output system (BIOS) and modified the drive boot order. VITA then attached a USB compact disc drive (CD-ROM), and had the system boot from that CD-ROM instead of the internal drives. By doing this, VITA was able to force the system to boot to an alternate operating system (Knopix), and take images of the system drives. This test, as performed, is likely to be noticed; however, it may be possible to use a smaller profile bootable device and access the system discretely. This approach would enable modification of the device if it was discreetly rebooted.

Time constraints prohibited testing of each type of external USB device that could allow local access. However, VITA believes it is probable that an attacker could install a device that would allow remote or local access to monitor, modify, or provide unauthorized access to data.

For reference, the BIOS is firmware that, among other functions, initializes hardware resources and prepares the system for hand-off to the operating system. The WinVote system appears to have failed to password-protect the BIOS, which allowed the penetration tests described above. The BIOS can only be accessed through a physical connection to the system; however, given the reported ease of gaining that access, the BIOS could be modified to boot from a USB stick and have malicious software introduced. While the report is correct that this is likely to be noticed in many respects, it is doubtful that election workers would have sufficient expertise to recognize that the boot and loading parameters had been altered.

However, physical access is not necessary to compromise the WinVote system, and it would involve greater risk for the attacker. The preferred, and significantly easier, method would be through a wireless network connection.

Network

One of the most significant concerns involving the WINVote system is the ability to access the devices from a remote location using the Institute for Electronics Engineers (IEEE) 802.11b wireless protocol. The wireless cards on the devices provide an attack vector where an external party can access the WINVote devices and modify the data without notice from a nearby location.

The first part of the wireless testing involved a review of the security used to protect communications between WINVote devices. Each device has a default configuration where wireless communication is configured as peer-to-peer with wired equivalent privacy (WEP) encryption. The devices broadcast their wireless network name (service set identifier, commonly known as the SSID) where it can be easily detected by most devices that have wireless cards.

One additional important note is that while the WINVote application appears to have the ability to disable the wireless network from within the application, it does not disable the network interface on the device. When the wireless network is disabled using the WINVote interface, the application will no longer seek other devices on the network. Although the application will not find other systems, the device’s network card remains online and will send and receive traffic even though the application indicates it is disabled. Based on VITA testing it is not possible to prevent network access by disabling the network using the WINVote application.

The WinVote system uses a network protocol that has been out of date for over ten years, replaced several times since with faster and significantly more secure standards. In their default setting WinVote machines broadcast their identities, which provides an easy and uniform method for a hacker to differentiate a WinVote machine from other network nodes such as those in offices or home systems. The hacker could remain undetected and able to compromise the system as long as he or she is within wireless range of the network.

The report identifies that the system creates a false sense of security: the user interface purports to disable the wireless system, but it fails to do so, since the network interface would have to be physically removed before installation at a polling station, an event unlikely to occur.

During VITA’s testing of the devices, network communications between two WINVote devices were monitored for approximately two minutes and a packet trace was taken of the wireless network communications. Using this packet trace, it was possible to craft a network packet and use that packet to exploit the weakness in the WEP algorithm to crack the WEP encryption key. This password (“abcde”) is classified as weak and could have been quickly identified using common password guessing tools. With that passphrase it was possible to join to the WINVote ad-hoc network with specialized security workstations and start attempting to compromise the WINVote device’s operating system.

The device uses the deprecated network security protocol WEP, which was discontinued due to its vulnerability to exploitation. What is even more astounding is that, on top of WEP being subject to eavesdropping and spoofing, the testing team easily cracked the password for the encryption key (a string of data used to scramble the traffic so that other listeners cannot read it) and from that could read or modify the traffic or gain access to the WinVote network.

A password such as “abcde” is not only easily defeated by even simple guessing; it also lends itself to use as a back door by an unscrupulous employee seeking access.

Operating System

The WINVote systems run Windows XP Embedded 2002 as an operating system (OS). This OS is currently supported by Microsoft but is scheduled to go end-of-life on January 12, 2016. Although patches for the OS have been released, the WINVote devices do not appear to have patches or service packs applied. This puts the OS in a deprecated and therefore vulnerable state. Because of this, the devices are vulnerable to many published exploits, such as vulnerability first identified in 2004, … The age of this vulnerability provides confirmation that the devices have not been patched for a number of years.

Imagine if you would a computer using Windows that has not been updated since the operating system was released by Microsoft. Here the developers of WinVote have in the view of your author committed an act of recklessness because every possible exploit that could be made against this operating system could potentially be utilized to compromise the system or allow it to suffer some form of meltdown due to a flaw in the operating system that remained unfixed by updates or patches.

The approach to testing the OS began with an attempt to access a privileged account. Information from the Nmap and Nessus scans was used to target the file sharing service and the file shares to perform a password guessing (brute-force) attack utilizing the open source tool Hydra. The first account targeted was the local administrative account “Administrator” using a standard wordlist (a list of passwords). The use of a weak password by the devices enabled VITA to crack the password (“admin”) for that account almost immediately. Using this account and password, full administrative access to the WINVote operating system was available.

It should be stressed how easily the system could be compromised here.

The point of targeting a privileged account is to take control of the system through a user account with enough authority to make changes to it or gain access to it. A secure system operates with least privilege, so that if a user account is compromised, the scope of damage a hacker can cause is limited.

In the WinVote system, gaining access to a highly privileged account is easy–very easy in fact. There are two reasons for this. First, the system uses a standard name for its high privileged user “Administrator” which is the default super-user account name in this flavor of Windows. Had the system utilized a different name, it would make unauthorized entry into the system logarithmically more difficult to accomplish. To add to the pun, the password used was “Admin”. Your author actually laughed aloud when reading this report because when trying to break into a system, after a Blank Password (Windows XP’s default administrator password) admin is the next password a hacker will attempt. It is also the default password on many retail network products.

Once a hacker gains access to the administrator account, practically all other security measures are compromised and the system may be modified at will.

Data

The voting databases on the devices would be a primary target for an attacker. The databases contain information, such as the ballot, the voting location, and (most importantly) the number of votes. The databases are Microsoft Access databases and require a password. It is important to note that while there is a password on the database, the database itself is not encrypted. The password on the database provides very limited protection and can be bypassed easily with a hex editor (a specialized tool to edit individual bytes of a file) or identified with a password cracker.

A password cracker was used by VITA to attempt to obtain the password protecting the database. The weak password on the database permitted VITA staff to access it in approximately 10 seconds using “AccessPasswordRetrievalLite” to guess the password (“shoup”). This password was used for all of the database files. With the password, it was possible to copy the database files to the security analysis system, open them and modify the voting data. To validate that the changes were permanent and not overwritten by the application’s controls, a hash of the file (MD5 checksum) was taken and validated after the database had been copied back to the WINVote device. The hash values matched, confirming that the altered files remained on the system.

The database exploit offers a digital-age rendition of the timeless story of “It is not who votes that matters. It is who counts the votes that does.” Rather than take the entire system down, which would be obvious, a hacker could manipulate the database by creating just enough votes to swing an election by a small margin while maintaining the total vote count. If a hacker compromises enough WinVote machines there is the potential to affect an election.

There is a practice in penetration testing and hacking called Social Engineering. This involves in computer security terms using the human factor in attempting to gain access to a system. Methods include using permutations of a user’s name, family members, hobbies, or other items to derive a password based upon the probable use of these items by the user. After reading that VITA used the password cracker and obtained the word “shoup” as a database password your author became curious as to why such a word was used. It took just over two minutes to reverse engineer the password and obtain the source of the word shoup by using Bing.com. Shoup refers to the following according to Vote Trust USA:

Advanced Voting Solutions (AVS) develops hardware and software systems for the electronic tallying of ballots. Its products include the WINvote touchscreen voting machine and applications for managing the voting process. The company was established in 2001 by CEO Howard Van Pelt, who sold his previous business, Global Election Systems, to Diebold, which renamed the business Diebold Election Systems. AVS was once known as Shoup Voting Solutions, a company that manufactured mechanical voting equipment. Shoup got out of the equipment manufacturing business in 1992 and was involved in servicing its installed equipment. The voting equipment repair firm, founded in 1911, is now known as Elections USA Inc. by Shoup

Vote Tally Process

The primary goal of the WINVote testing was to identify whether votes could be modified remotely without detection by voting staff. To determine whether this was possible, VITA executed a controlled election with the vote tallies for each candidate noted. Before closing out the election, VITA downloaded and modified the database containing the vote tallies for each candidate on a remote security analysis station connected to the ad-hoc network. This modified database was loaded back onto the WINVote device and the election was closed. The compromised vote tallies were reflected in the closed election results, proving that the vote data could be remotely modified. This process test was performed with the wireless network both enabled and disabled through the WINVote software.

The documentation reviewed by VITA indicated that the system performed integrity checking of the vote cast to ensure it was not modified during the voting process. However, the system did not perform checks to identify whether the file that stores the votes has been modified. This lack of integrity check allows the file to be changed and votes to be modified.
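The two findings above (the Data section, where VITA used an MD5 checksum only to confirm that its edited database had stuck, and the Vote Tally section, where the application never checked whether the tally file had changed) are illustrated by the added Python example below. It is not code from the report, from VITA, or from Advanced Voting Systems. It replays the report’s scenario on a constructed stand-in for the tally file: the file is sealed with an HMAC-SHA256 tag under a key assumed to be held off the device (a hypothetical election-office key), the file is then replaced with a modified copy that keeps the same total but flips the winner, and the example shows why an unkeyed hash such as MD5 cannot serve as the integrity check while a keyed tag does detect the swap.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the Access database that holds the tallies.
# The integrity check runs over raw bytes, so the real file format does not matter.
ORIGINAL_TALLY = b"candidate_a=120\ncandidate_b=118\n"   # total 238
TAMPERED_TALLY = b"candidate_a=118\ncandidate_b=120\n"   # total still 238, winner flipped


def _stream(path: str, hasher) -> str:
    """Feed the file to a hash/HMAC object in chunks and return the hex digest."""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def file_md5(path: str) -> str:
    """Unkeyed MD5, as VITA used to confirm its modified file had persisted.
    Anyone who can write the file can also recompute this value."""
    return _stream(path, hashlib.md5())


def file_hmac(path: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the file. Without the key no valid tag can be
    produced, whatever privileges the attacker holds on the device."""
    return _stream(path, hmac.new(key, digestmod=hashlib.sha256))


def verify_sealed(path: str, key: bytes, expected_tag: str) -> bool:
    """The check the application should run before closing the election.
    compare_digest avoids leaking the tag through timing differences."""
    return hmac.compare_digest(file_hmac(path, key), expected_tag)


def run_scenario() -> dict:
    """Seal the tally file, swap in a modified copy as the report describes,
    and record what each kind of integrity check reports."""
    key = os.urandom(32)  # hypothetical election-office key, kept off the device
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tally.mdb")
        with open(path, "wb") as fh:
            fh.write(ORIGINAL_TALLY)

        tag = file_hmac(path, key)          # stored when the election is opened
        md5_stored = file_md5(path)         # what an unkeyed scheme would store
        untampered_ok = verify_sealed(path, key, tag)

        # Attacker copies the file off, edits it, and copies it back.
        with open(path, "wb") as fh:
            fh.write(TAMPERED_TALLY)

        # With write access to the device the attacker can recompute MD5 and
        # overwrite the stored value, so an MD5 check passes on the bad file.
        md5_recomputed = file_md5(path)
        # The same attacker cannot produce the keyed tag without the key;
        # a tag made with a guessed key is rejected.
        forged_tag = hmac.new(b"guessed-key", TAMPERED_TALLY, hashlib.sha256).hexdigest()

        return {
            "untampered_passes": untampered_ok,
            "stored_md5_changes": md5_stored != md5_recomputed,
            "recomputed_md5_matches_tampered_file": md5_recomputed == file_md5(path),
            "hmac_rejects_tampered_file": not verify_sealed(path, key, tag),
            "hmac_rejects_forged_tag": not verify_sealed(path, key, forged_tag),
        }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The design point is where the key lives: a tag that the device can recompute on its own is no better than the MD5 VITA used, because the report shows an attacker reaching the administrator account. The seal only detects the swap if the verifying key (or a signing key’s public counterpart) is held by the election office and the application refuses to close the election when the tag does not verify.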

Recommendation

VITA recommends that the Advanced Voting Systems WINVote devices not be used in future elections.

The possibilities for hacking Virginia’s Election system are limited only by the imagination of the hackers as there are so few technical security measures in place it is certainly a Target Rich Environment.

What is even more disturbing is to reflect on what could have happened. The report from VITA needed only to address the core vulnerabilities to demonstrate the security of the system was fundamentally broken to make a convincing argument that the state must immediately remove WinVote from use. However the examples cited, while sufficient, do not fully engender the magnitude for which the election system could be compromised.

A worst case scenario involves the introduction of a malicious software worm into one of the WinVote machines that is carried through to the main state server upon sync of the databases or through hopping downward through the nodes that compromises the entire state voting network. Worrying possibilities are many once this occurs. The worm could smash the entire election, alter the vote, or install software during a minor election that will be propagated to all voting machines for a future election and alter the vote to whatever the hacker wishes. It is ballot stuffing at its pinnacle of achievement.

~+~

How did such a broken system make its way into the election systems of Virginia and the several other states that formerly used WinVote? There are several possibilities, and they interact with each other.

In the software development world two problems are inherent. First, the notion of “He who makes it to market first wins” causes on occasion software companies to rush into beating the competition at any cost, and quality often takes lower priority. When this approach is held closely only the necessary and most visible features are developed and heavy marketing is utilized to woo customers. Many promises are made and not all are fulfilled–and the company knows this. In the WinVote product, this type of strategy seems to have manifested itself. Securing a system requires truly years of penetration testing and system design. For a voting machine, counting votes is easy and the user interface and basic system could be developed rather quickly. However the software testing and security development is going to be the most involved aspect of this product from an application basis. It is probable that Advanced Voting Systems rushed to get this to market without providing a fully developed solution.

The second problem is a lack of competence in smaller companies that do not have the public visibility of a Microsoft or Oracle. The latter companies must put vast resources into quality assurance, but smaller companies tend to have limited resources and may lack an understanding of the fundamental procedures needed to create workable software. Their lack of experience shows in their products. I believe that this, coupled with a lack of oversight of the development process, led to the serious breaches in the security of their product that ultimately led to its demise. It is a common problem.

Blame also lies with the states that adopted WinVote. It is apparent these states failed to exercise due diligence when evaluating vendors for electronic voting machines. The WinVote product is so fundamentally broken from a security standpoint that this is obvious. One problem is that the state got hoodwinked by effective marketing and did not have experts evaluating the quality of the software. With such an important aspect of our society and government at stake, the effort by the state is inexcusable and outrageous. That an eight year effort was required to finally convince the state to perform a comprehensive study, decades after implementation, shows that there was much face to be lost and that bureaucrats and officials did not want to accept responsibility for their actions. WinVote became figuratively both the 800 Pound Gorilla in the room and the Unwanted Step-Child nobody wanted to talk about. Once implemented, it was too big a problem to correct, and embarrassment and face reigned supreme.

Moreover, it seems that once WinVote wormed its way into the Virginia polling service its maker Advanced Voting Systems virtually abandoned its product by failing to provide even rudimentary updates to its software or correct security weaknesses that it knew it implemented. If such poor measures were utilized there are almost certainly bugs that caused irregularities that did not go noticed because AVS failed to provide adequate software testing.

The real losers in this affair are the voters of Virginia and those within other states that implemented this system before it was removed. Not only was a large amount of tax money spent but their votes could have been invalidated.

Anecdotally, after millions of dollars wasted, your author proposes that a monkey with a typewriter could have written a better software product. Why? Because its incoherent typings would have been equally as unacceptable as the WinVote system, but could have been purchased instead for a few bananas.

By Darren Smith

Sources:

The Guardian
Virginia Department of Elections
Vote Trust USA

The views expressed in this posting are the author’s alone and not those of the blog, the host, or other weekend bloggers. As an open forum, weekend bloggers post independently without pre-approval or review. Content and any displays or art are solely their decision and responsibility.

58 thoughts on “Computer Scientist Gives Virginia Voting Machines F- Security Grade”

  1. issac
    Yet, what good is a strong local government when the central agency renders the local governance invalid? I call that something other than a democratic process in action… I think you do too.

  2. Nick Spinelli
    Two people who battle each other daily use the same Stalin quote. Just an observation.
    = = =
    Yea, I noticed that too… Odd how Squeeky and I are actually two sides of the same coin sometimes.

  3. Paul, the report shows a pattern that is quite different from the past. The data show that in every case the polls showed Democrats with an edge (read the report to find out how much of an edge; sorry I don’t have a link) and the Republicans managing to win. Yes, a few people lie but if that’s the reason for the results, then my conclusion would have to be that it’s just Republicans who lie. hmmmm.

    1. bettykath – there has been such a problem with polling since the last two elections that it should be stopped. The reasons the numbers are so screwy is because the Democrats over value the Democratic responses.

  4. Daniel Boone was a Man!
    Yes a BIG MAN!
    With eyes like an eagle and dong like a weasel was he.

    With a Coonskin Cap on top of his head..
    He was one of the sporting creeeew!
    A fake little pistol in the small of his back..
    He’d shoot one for youuuu!

    Oh, Daniel Boone was a man!

    etc.

    But I heard his daddy didn’t vote and he didn’t vote. It’s kind of a southern far west thing.

  5. Nick…good idea about skipping citing various “heroes” (they’re all Hollywood after all) from here or up north. However, “Sgt Preston of the Yukon” was not very “Canadian” in fact, and was mostly filmed in Ashcroft, Colorado, an old ghost town on NFS land. Ashcroft is near Aspen, CO…and was the home to all of the several “King” husky dogs at a large kennel there named Toklat Lodge….which I think has changed hands since I visited. It’s a neat place to visit, if one is in the Aspen area, in the foot hills and creeks of the Maroon Bells mountains. Ashcroft is among the most “authentic” of western ghost towns…crude and rough like the times it flourished.

  6. C’mon, Nick. Davy Crockett helped steal much land from Mexico. John Wayne’s screen persona was to solve every problem with a fist or a gun.

    1. bettykath – Davy Crockett was killed by Santa Ana after the Battle of the Alamo. He did steal any land from Mexico. Get your history right.

  7. Issac … thank you for the thoughtful response…as I said we “narrowly” agree on this subject.

    I did get a kick out of this line:

    However, if government can regulate and control drivers through the various DMVs then it surely can do the same with voting.

    Dang tootin’…everybody who votes need to have a photo ID…just like driver’s licenses for operating a motor vehicle. 🙂

    Then you said:

    The agencies entrusted by our society to administer our most sacred rite should be absolutely autonomous from the political party in power in absolutely every way.

    I’d add autonomy from both parties, the one in power and the one not…let alone some 3rd party. I’ll admit, as someone who was a DOD “Fed” for years, that I’m not sure I want government deciding who gets what money for an election cycle…however, on principle, if it can be assumed that the department managing the funds is truly autonomous & unbiased I could support that idea. However my experience informs me that finding such autonomy would be v-e-r-y hard. I’ve never meet a bureaucrat yet who didn’t have a niche to protect. Due to that, while in service, both in uniform and as a military “Fed”, I made more enemies than friends. Forcefully advocating strict adherence to the law didn’t make a lot of people happy 🙁 I was “trained” to follow orders and think for myself as well. That’s not always popular in bureaucrat circles, and is frequently misunderstood by many even on this board vis a vis what the military teaches its recruits.

    1. Aridog – Arizona is being required to change its driver’s licences to comply with Fed voter ID. It is going to require a lot of people to go to DMV with all their documents to prove who they are.

  8. blackboxvoting.org has lots of good information. Unfortunately, they are undergoing web site re-do so much of their information isn’t available now.

    I recently saw a scholarly report where election results were compared to poll results for the recent Congressional seats. The conclusion was that they didn’t match. Some differences are to be expected, and the differences should go both ways, i.e. some Republicans win unexpectedly and some Democrats win unexpectedly. This study showed that there were an unusual number of differences and the Republicans won unexpectedly every time. Sorry, I can’t find the report.

  9. If presidential votes are tallied up at 600 million, then I would suspect China hacked the system. But who would they vote for? Hillary? And why?

  10. I respectfully request our friend from Canada stop using John Wayne and Davey Crockett derisively. No one here mocks Sgt. Preston of the Yukon. Indeed, we stayed @ the Sgt. Preston Lodge in Skagway, Alaska prior to sojourn to the beautiful Yukon. Now, I know Sgt. Preston was a fictional character. But, you hosers don’t have many real life heroes, except for maybe Don Cherry and a few other hockey mooks.

  11. Aridog

    Almost all societies are a combination of social and private concerns. Certain areas are appropriately dealt with by the society or the government and others are left to the individual or the private sector. The gray area between seems to be the area of contention.

    If you approach government as a necessity and pull back from the John Wayne, Davy Crockett syndrome, there are logical associations between choosing leaders and the government that are intertwined with individual freedoms. Firstly the mechanics of tabulating who voted for whom should be, without exception, fully under the control of government agencies. There will always be mistakes. There will always be fraud. However, if government can regulate and control drivers through the various DMVs then it surely can do the same with voting. There should be no private involvement in the mechanics of how Americans choose its leaders. This is a common, social issue to be handled by the society or the government. The agencies entrusted by our society to administer our most sacred rite should be absolutely autonomous from the political party in power in absolutely every way. They should be as the military, under oath to follow their duty, not the local financial powerhouses.

    Secondly, the US has the most perverted system of surfacing potential leaders as well as electing them. It is beyond argument that the person with the most money will be chosen and more often than not be elected. The more money involved, the less substance. This is a fact that can be reviewed easily by simply reflecting upon the calibre of our present and past leaders.

    The media exists. The government exists. The government should be the only source of funding for potential candidates once they have proven to hold enough interest. This works very well in Canada where the government provides funding for campaigns based on the number of each candidate’s voter representation. The question to be addressed is do we want to be governed by low calibre, feel good, well funded representatives or do we want the best of the best based solely on merit. We need to take money out of the equation. The private sector doesn’t even perform this way. To make it to the top one has to climb every rung of the ladder. Marco Rubio and the midget cowboy would never have made it out of the stock room.

    In the more successful democracies, the truer democracies, the better functioning democracies, private financial infusion is far, far, far, less a factor in choosing a representative. Special interest groups such as the NRA do not decide who gets elected as is the case here in the supposed cradle of democracy.

    You can pontificate all you wish about 1776 and the Constitution and the US being a Republic, etc, etc, etc. You can be cynical and throw in the towel. However when two fat cats from New York decide the governorship of Wisconsin and union money buys elections, the US is nothing more than the recipient of the finger that John Wayne and so many others pointed.

    We ought to be ashamed of ourselves, cowered and ashamed, something to think about during the upcoming two year circus.

  12. Most voting machines today are owned by Leftwing Progressive companies. A Canadian firm in fact owns most.
    Diebold believe it or not was sold in 2009

  13. Paper ballots signed by the voter with a fingerprint and phone number. One person from each party counts the paper ballots. Each may agree or disagree and put the contested ballots on one stack. Election official supervising. Ballots counted and tallied. Paper ballots kept in a vault for later scrutiny. It takes people and it takes more time to get the results. So what. It is secure and the computer method is totally suspect. Round up the suspects. They were cheating on voting machines in 1972 and they are cheating now. It has been 42 years. Don’t you folks learn?

  14. “A pure democracy is a society consisting of a small number of citizens, who assemble and administer the government in person.” James Madison

    To act surprised that these types of issues are present is to not acknowledge our real history (propaganda is alive and well).

  15. Justice Holmes

    It’s certainly a serious issue. Just not as serious as the bankrupt system that underlies this issue.

  16. Even if everyone who should be able to vote was able to vote it wouldn’t matter if the “faulty software” can make those votes disappear in the blink of an eye. Computers don’t make voting more safe or secure they make the results more manipulable once they are cast. This is serious.
