On Apr 14 2015, the Virginia State Board of Elections immediately decertified use of the AVS WinVote touchscreen Direct Recording Electronic (DRE) voting machine. This seems pretty minor, but it received a tremendous amount of pushback from some local election officials. In this post, I’ll explain how we got to that point, and what the problems were.
As one of my colleagues taught me, BLUF – Bottom Line Up Front. If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.
Now for some background.
The AVS WinVote is a Windows XP Embedded laptop with a touchscreen. Early versions of the software ran Windows 2000 (an election official told me about playing solitaire on the device, to demonstrate just how complete it was). Later versions ran a somewhat cut-down version, although it’s not clear to me how much it was actually cut down. The WinVote system was certified as meeting the Voting Systems Standards (VSS) of 2002, and was approved for use in Virginia, Pennsylvania, and Mississippi. (It was decertified a few years ago in Pennsylvania, and Mississippi also stopped using theirs a few years ago after some malfunction that I can’t recall in Hinds County.) [A later version of the software was submitted for certification to the Election Assistance Commission, but never approved. I don’t know if that version solved any of the problems described here.]
So how did Virginia get to decertification? It seems that in the November 2014 election, voting machines in one precinct were repeatedly crashing, and it was hypothesized to be due to some interference from someone trying to download music using their iPhone. (There were other problems with other brands of voting machines, but I’m going to focus on the WinVote.) The State Board of Elections invited the Virginia Information Technology Agency (VITA, the agency charged with providing IT services to the state government) to investigate the problem. The report, which was released on Apr 14, includes a litany of problems. [I still don’t understand how the iPhone interfered with the system, but that’s not really important at this point.]
I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me – as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person-week.
Among the goodies VITA found:
- The wireless connection uses WEP (which we knew). What we didn’t know is that a few minutes of wireless monitoring showed that the encryption key is “abcde”, and that key is unchangeable.
- The system hasn’t been patched since 2004 (which we knew). What we didn’t know is that the system is running a whole bunch of open ports with active services. The report specifically notes that ports 135/tcp, 139/tcp, 445/tcp, 3389/tcp, 6000/tcp and 16001/tcp are all running unpatched services. (Layman’s explanation: the voting machines aren’t just voting machines, they’re also servers happy to give you whatever files you ask for, and various other things, if only you ask. Think of them as an extra disk drive on the network, that just happens to hold all of the votes.) (Obdisclosure: In retrospect, I *probably* could have figured this out a few years ago when I had supervised access to a WinVote with a shell prompt, but I didn’t think of checking.)
- The system has a weak set of controls – it’s easy to get to a DOS prompt (which we knew). What we didn’t know is that the administrator password seems to be hardwired to “admin”.
- The database is a very obsolete version of Microsoft Access, and uses a very weak encryption key (which I knew a couple years ago, but didn’t want to disclose – the key is “shoup”, as also disclosed in the VITA report). What we didn’t know is that there are no controls on changing the database – if you copy the database to a separate machine, which is easy to do given the file services described above, edit the votes, and put it back, it’s happy as can be, and there are no controls to detect that the tampering occurred.
- The USB ports and other physical connections are only marginally physically protected from tampering. What we didn’t know is that there are no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant given how severe the other problems are.
- And so on.
The amazing thing is that to find all this, VITA just scratched the surface, and mostly used off-the-shelf open source tools – nothing special. They didn’t have access to source code, or any advanced tools. Or said in other words, anyone within a half mile could have modified every vote, undetected.
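The control whose absence makes that tampering undetectable can be shown concretely. The Python below is an added example, not code from the VITA report or from the WinVote: it chains each vote record to the one before it with an HMAC and checks the chain against a final tag recorded off the device at poll close, so an edited or truncated copy of the results no longer passes. The record layout, function names and demo key are assumptions made for illustration, and it assumes the HMAC key is not stored alongside the database.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32       # fixed start value for the chain
DEMO_KEY = bytes(range(32))  # constructed; a real key is random per election

def link_tag(key, prev_tag, seq, choice):
    """Tag one record, bound to the tag of the record before it."""
    msg = prev_tag + seq.to_bytes(8, "big") + choice.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal(key, choices):
    """Return (records, final_tag); final_tag is recorded off the device."""
    records, tag = [], GENESIS
    for seq, choice in enumerate(choices, start=1):
        tag = link_tag(key, tag, seq, choice)
        records.append({"seq": seq, "choice": choice, "tag": tag.hex()})
    return records, tag

def verify(key, records, expected_final):
    """Recompute the chain; an empty list means no tampering was found."""
    findings, prev = [], GENESIS
    for pos, rec in enumerate(records, start=1):
        if rec["seq"] != pos:
            findings.append(f"position {pos}: sequence gap (seq={rec['seq']})")
        stored = bytes.fromhex(rec["tag"])
        expect = link_tag(key, prev, rec["seq"], rec["choice"])
        if not hmac.compare_digest(expect, stored):
            findings.append(f"position {pos}: record does not match its tag")
        prev = stored  # continue from the stored tag to localise the damage
    if not hmac.compare_digest(prev, expected_final):
        findings.append("final tag differs from the value recorded at close")
    return findings

def demo():
    """Constructed ballots: intact, one edited vote, and a truncated file."""
    records, final = seal(DEMO_KEY, ["A", "B", "B", "A", "C"])
    edited = [dict(r) for r in records]
    edited[2]["choice"] = "A"  # the copy, edit, put-back case from the list
    return {
        "intact": verify(DEMO_KEY, records, final),
        "edited": verify(DEMO_KEY, edited, final),
        "truncated": verify(DEMO_KEY, records[:-1], final),
    }

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "OK")
```

The per-record tags localise an edit; only the final tag held off the device catches records dropped from the end, which is why it cannot live in the same file as the votes.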
So how would someone use these vulnerabilities to change an election?
- Take your laptop to a polling place, and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
- Connect to the voting machine over WiFi.
- If asked for a password, the administrator password is “admin” (VITA provided that).
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published.
Note that none of the above steps, with the possible exception of figuring out the WEP password, require any technical expertise. In fact, they’re pretty much things that the average office worker does on a daily basis.
Was it really necessary to decertify immediately? As quoted in the Washington Post, Richard Herrington, secretary of the Fairfax City Electoral Board said “No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system”. Herrington is wrong – this isn’t a remote possibility, but an almost certain reality. A high school student could perform undetectable tampering, perhaps without even leaving their bedroom. In short, the SBE’s decision was right. Now that the information is public on just how weak the systems are, it is inevitable that someone will try it out, and it will take only minutes to manipulate an election.
Why doesn’t the vendor just fix the problems? Well, they went out of business five years ago. Their domain is now owned by a Chinese organization of some sort. And even if they were still in business, this isn’t a matter of fixing a few problems – what VITA found was undoubtedly the tip of the iceberg.
Bottom line is that *if* no Virginia elections were ever hacked (and we have no way of knowing if it happened), it’s because no one with even a modicum of skill tried. The Diebold machines that got lots of bad press a few years ago were 100 times more secure than the WinVote.
Replacing these machines in time for a primary in two months will not be easy. I feel for the local election officials who will have many sleepless nights to replace the WinVote systems. But once the State Board of Elections learned just how vulnerable they are, they had no choice – it would have been criminally negligent to continue to use a system this vulnerable.
[Updated 4/15/15: Added step to possibly provide an administrator password.]
[Updated 4/15/15: Added a mention that the vendor is out of business, and so can’t fix the problems.]