On April 14, the Virginia State Board of Elections voted to immediately decertify use of the AVS WinVote touch-screen Direct Recording Electronic voting machine. That means that the machine, which the Washington Post says was used by “dozens of local governments” in Virginia, can’t be used any more, though the commonwealth is holding primaries in just two months. The move comes in light of a report that shows just how shoddy and insecure voting machines can be.
As one of my colleagues taught me, BLUF—bottom line up front: If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. A hacker wouldn’t have needed to be in the polling place—he could have been within a few hundred feet (say, in the parking lot) or within a half-mile if he used a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.
Now for some background.
The AVS WinVote is a Windows XP Embedded laptop with a touch screen. Early versions of the software actually ran Windows 2000. (An election official told me about playing solitaire on the device.) Later versions ran a somewhat cut-down version, although it’s not clear to me how much it was actually simplified. The WinVote system was certified as meeting the Voting Systems Standards of 2002 and was approved for use in Virginia, Pennsylvania, and Mississippi. Pennsylvania and Mississippi both stopped using theirs a few years ago.
But Virginia used it as recently as the November 2014 election, when voting machines in one precinct were repeatedly crashing. Some suggested that the problem was caused by someone trying to stream music on a smartphone. (There were problems with other brands of voting machines, but I’m going to focus on the WinVote, because it’s the most egregious.) The State Board of Elections invited the Virginia Information Technologies Agency, the agency charged with providing IT services to the state government, to investigate the problem. The report, which was released April 14, includes a litany of problems. (I still don’t understand how the iPhone interfered with the system, but that’s not really important at this point.)
I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me—as bad as I thought the problems were likely to be, VITA’s report showed that they were far worse.
Among the goodies VITA found:
- The encryption key for the wireless connection is “abcde,” and that key is unchangeable.
- The system hasn’t been patched since 2004.
- The administrator password seems to be hardwired to “admin.” Because the system has a weak set of controls, it would be easy for someone to guess and then enter the password.
- The database is a very obsolete version of Microsoft Access and uses a very weak encryption key (“shoup”). There are no controls on changing the database. That means that someone could copy the voting database to a separate machine (which is easy to do given the weaknesses described above), edit the votes, and put it back. There are no controls to detect that the tampering occurred.
- The USB ports and other physical connections are only marginally physically protected from tampering. Furthermore, there are no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant, given how severe the other problems are.
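The finding that stands out to a defender in that list is the absence of any control that would detect a changed database: encryption under a key stored with the data protects nothing once the file can be copied, edited, and put back. As an added illustration (not the WinVote’s code and not taken from the VITA report), here is what a tamper-evidence check looks like: the tally is sealed with an HMAC under a key held off the machine, and any edit to a count fails verification. The vote rows, the “precinct,candidate,count” layout, and the key are constructed sample data standing in for the Access database the report describes.

```python
"""Tamper-evidence for a results file: sealing and verifying with an HMAC.

Added illustration, not code from the WinVote or from VITA. The rows below
are constructed sample data, and the one-line-per-row layout is an assumed
stand-in for the Access database described in the report.
"""
import hashlib
import hmac

# Constructed sample tally, standing in for the machine's vote database.
SAMPLE_TALLY = [
    ("Precinct 101", "Candidate A", 412),
    ("Precinct 101", "Candidate B", 389),
    ("Precinct 101", "Write-in", 7),
]


def serialize(tally):
    """Canonical byte form of the tally: one 'precinct,candidate,count' row
    per line, sorted so that row order cannot yield two encodings of the
    same results."""
    rows = sorted(f"{precinct},{candidate},{count}" for precinct, candidate, count in tally)
    return "\n".join(rows).encode("utf-8")


def plain_digest(tally):
    """An unkeyed checksum. Anyone who edits the file can recompute this,
    so storing it beside the data detects nothing deliberate."""
    return hashlib.sha256(serialize(tally)).hexdigest()


def seal(tally, key):
    """Keyed MAC over the tally. The key must NOT live on the voting machine:
    a key stored with the data (as the report says the Access key "shoup" was)
    lets whoever edits the database re-seal the edited copy."""
    return hmac.new(key, serialize(tally), hashlib.sha256).hexdigest()


def verify(tally, key, expected_mac):
    """True iff the tally still matches the sealed value (constant-time compare)."""
    return hmac.compare_digest(seal(tally, key), expected_mac)


def tamper_detected(original, modified, key):
    """Seal the original, then check the modified copy against that seal."""
    return not verify(modified, key, seal(original, key))


if __name__ == "__main__":
    # Constructed key; in practice it is generated and kept by the registrar, off-device.
    registrar_key = b"example-key-held-by-the-registrar"
    edited = [
        ("Precinct 101", "Candidate A", 412),
        ("Precinct 101", "Candidate B", 400),  # one count changed
        ("Precinct 101", "Write-in", 7),
    ]
    # An unkeyed checksum stored with the data is simply recomputed by the editor.
    print("unkeyed checksum 'matches' after edit:", plain_digest(edited) == plain_digest(edited))
    # The keyed seal cannot be recomputed without the off-device key.
    print("keyed seal detects the edit:", tamper_detected(SAMPLE_TALLY, edited, registrar_key))
```

The design point is where the key lives, not the algorithm: a checksum, or a key that sits on the same machine as the database, can be recomputed by whoever edits the file, which is exactly why a decryption key stored with the data adds no integrity protection. A seal computed at the close of polls and checked by the registrar against a key the machine never held is the minimum that would make the report’s copy-edit-replace scenario visible.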
The amazing thing is that to find all this, VITA just scratched the surface, and mostly used off-the-shelf, open-source tools—nothing special. It didn’t have access to source code or any advanced tools.
In other words, anyone within a half-mile could have modified every vote, undetected.
So how would someone use these vulnerabilities to change an election?
- Take your laptop to a polling place and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the wireless connection password, which was “abcde.”
- Connect to the voting machine over Wi-Fi.
- If asked for a password, the administrator password is “admin.”
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key (“shoup”).
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published.
None of the above steps, with the possible exception of figuring out the Wi-Fi password, require any technical expertise. (And that password was “abcde”!) In fact, they’re pretty much things that the average office worker does on a daily basis.
You wouldn’t want to vote on a machine that insecure, would you? But some local officials didn’t think the system needed to be decertified (that is, taken out of commission). As quoted in the Washington Post, Richard Herrington, secretary of the Fairfax City Electoral Board, said, “No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system.”
Herrington is wrong. This isn’t a remote possibility but an almost certain reality. A high school student could perform undetectable tampering, perhaps without even leaving his or her bedroom. In short, the state election board’s decision was right. (The vote passed 2–0.) Now that the information is public on just how weak the systems are, it is inevitable that someone will try it out, and it will take only minutes to manipulate an election.
Why doesn’t the vendor just fix the problems? Well, it went out of business five years ago. Its domain is now owned by a Chinese organization of some sort. And even if it were still in business, this isn’t a matter of fixing a few problems—what VITA found was undoubtedly the tip of the iceberg.
Bottom line is that if no Virginia elections were ever hacked (and we have no way of knowing if it happened), it’s because no one with even a modicum of skill tried. The Diebold machines that got lots of bad press a few years ago were much, much more secure than the WinVote.
Replacing these machines in time for a primary in two months will not be easy. I feel for the local election officials who will have many sleepless nights to replace the WinVote systems. But once the State Board of Elections learned just how vulnerable they are, it had no choice—it would have been criminally negligent to continue to use a system this vulnerable.