Until Tuesday, the state of Virginia was using what one expert dubbed the “worst voting machine in the US” – one with security so appalling that all it would take to compromise it would be a laptop with a wireless card and some free software.
Immediately after the Virginia Information Technologies Agency (VITA) published a scathing report on Tuesday, the Virginia State Board of Elections decertified the machines.
The audit was triggered by the voting machines having repeatedly crashed in the November 2014 election.
As North Carolina Public Radio reports, interference from a mobile phone (an election official was streaming music) was suspected of causing the crashes.
But when state auditors investigated, they didn’t find that particular problem.
They found a far more serious problem, discovering that mobile phones were able to connect to the machines’ wireless network, used to tally votes, and that the passwords were as easy to guess as “abcde”.
The auditors were able to easily change the vote counts remotely, without detection.
The system at the heart of the matter is the AVS WINVote touchscreen Direct Recording Electronic (DRE) machine, made by Advanced Voting Solutions.
It was used in a long list of Virginia counties in 2014, passed the required Voting Systems Standards of 2002, and was used in Pennsylvania and Mississippi until a few years ago.
Its flaws include things that are making infosec pros wince, such as the use of the Wired Equivalent Privacy (WEP) protocol to secure its Wi-Fi network.
The international tech group IEEE deprecated the protocol in 2004, and in 2005 the FBI gave a demo in which it cracked WEP in 3 minutes with publicly available tools.
WINVote also committed egregious password sins, the report found, using hard-coded, easy-to-crack passwords – “admin,” “abcde,” and “shoup” (the name of the company that preceded Advanced Voting Solutions) – to lock down its Windows administrator account, Wi-Fi network, and voting results database, respectively.
Jeremy Epstein, of nonprofit SRI International, is a security expert specialising in e-voting who served on a Virginia state legislative commission investigating the voting machines in 2008 and has been trying to get them decertified ever since.
He summed up the flaws like this on his Freedom to Tinker blog:
“The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place - within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.”
And these are the steps he said that somebody could take to easily change election results, with minimal technical expertise:
- Take your laptop to a polling place, and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
- Connect to the voting machine over WiFi.
- If asked for a password, the administrator password is "admin" (VITA provided that).
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key ("shoup"), which VITA also did for us.
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published.
Why can’t the vendor fix the machines, you may well ask?
Because it’s no longer around, Epstein says. Its domain is now owned “by a Chinese organization of some sort.”
But even if the vendor hadn’t gone belly-up, these problems aren’t easy to fix, he said – particularly given that VITA only “scratched the surface”, using mostly off-the-shelf, open source tools, and what it found “was undoubtedly the tip of the iceberg.”
The systems don’t keep logs, so there’s no easy way to determine if they’ve been tampered with in the past.
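The missing logs are what make an edited results database indistinguishable from the original. As an added illustration (not code from WINVote, VITA or Epstein's blog), the example below chains each ballot record to the one before it and checks the log against a head value assumed to be recorded outside the machine; the record fields, function names and sample ballots are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def _link(prev_tag, record):
    """Hash the previous tag together with a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_tag + body).encode()).hexdigest()

def seal(records):
    """Chain the records and return (entries, head). Assumption: the head is
    recorded outside the machine, where a network attacker cannot rewrite it."""
    entries, prev = [], GENESIS
    for rec in records:
        prev = _link(prev, rec)
        entries.append({"record": rec, "tag": prev})
    return entries, prev

def verify(entries, trusted_head):
    """Return None if the log matches trusted_head, else the first problem."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        prev = _link(prev, entry["record"])
        if prev != entry["tag"]:
            return f"entry {i}: record changed, or an earlier entry removed"
    if prev != trusted_head:
        return "head mismatch: log rewritten, extended or truncated"
    return None

# Constructed sample ballots, not data from the VITA report.
BALLOTS = [{"seq": n, "contest": "mayor", "choice": c}
           for n, c in enumerate(["A", "B", "A", "A"])]
LOG, HEAD = seal(BALLOTS)

def tampered_copies():
    """Apply the change, delete and add edits to copies of the sealed log."""
    changed = [dict(e, record=dict(e["record"])) for e in LOG]
    changed[1]["record"]["choice"] = "A"
    deleted = LOG[:1] + LOG[2:]
    forged, _ = seal(BALLOTS + [{"seq": 4, "contest": "mayor", "choice": "B"}])
    return {"change": changed, "delete": deleted, "add": forged}

if __name__ == "__main__":
    print("intact:", verify(LOG, HEAD))
    for name, log in tampered_copies().items():
        print(name, "->", verify(log, HEAD))
```

The check only holds while the head is kept where someone on the machine's network cannot reach it; stored beside the database, it could be recomputed along with the records.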
If the rigging of votes hasn’t yet been tried on these systems, he said on his blog, it’s only because it hasn’t occurred to anybody:
“If an election was held using the AVS WINVote, and it wasn’t hacked, it was only because no one tried.”
“Bottom line is that *if* no Virginia elections were ever hacked (and we have no way of knowing if it happened), it’s because no one with even a modicum of skill tried.”
Unfortunately, Virginia voting officials are going to be hard-pressed to swap out these machines, both because of the expense and the time crunch.
Officials in Fairfax City, Virginia, told North Carolina Public Radio that it will cost about $130,000 (about £87,000) to replace each WINVote machine.
Plus, there’s an election right around the corner, in June.
The city’s general registrar, Kevin Linehan, thinks it’s riskier to roll out a new system than it is to react to the possibility of tampering.
North Carolina Public Radio quotes what he said to the state board:
“My most vulnerable aspect of running an election is having properly trained officers of election. I'm looking at a very short timeline getting my officers trained in a whole new system.”
Karen Alexander, who runs elections in Powhatan County, isn’t sure what to do but told the radio station that her county might borrow machines to get through June’s primary.
If worse comes to worst, she said, they’ll count the votes by hand.
I feel for the local election officials who will have many sleepless nights to replace the WINVote systems.
Unfortunately, they have no choice, he said: the only alternative is criminal negligence.
Image of AVS WINVote from VerifiedVoting.org