If Virginia Elections Weren't Hacked, It's Only Because No One Tried

from the hey-that's-my-password dept

Fri, Apr 17th 2015 4:14am — Mike Masnick

It's actually been a pretty long time since we last wrote about electronic voting machines and how insecure they are. Back in the 2005 to 2010 time frame, it was a regular topic of discussion around here, but there really hasn't been that much new information on that front in a while. However, earlier this week, Virginia decided to decertify a bunch of electronic voting machines after noting that the security on them was abysmal. As Jeremy Epstein notes in a detailed blog post about this issue:

If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.

It's that bad. The headline grabbing line that many news sites have run with is the unchangeable WEP encryption key used on the machines was "abcde." Meaning it was crazy easy for people to hack into (even if you didn't know the password originally, it would not be difficult to figure that out just by monitoring the system). But that's just the start. Other massive problems, explained by Epstein:

The system hasn’t been patched since 2004 (which we knew). What we didn’t know is that the system is running a whole bunch of open ports with active services. The report specifically notes that ports 135/tcp, 139/tcp, 445/tcp, 3389/tcp, 6000/tcp and 16001/tcp are all running unpatched services. (Layman’s explanation: the voting machines aren’t just voting machines, they’re also servers happy to give you whatever files you ask for, and various other things, if only you ask. Think of them as an extra disk drive on the network, that just happens to hold all of the votes.) (Obdisclosure: In retrospect, I *probably* could have figured this out a few years ago when I had supervised access to a WinVote with a shell prompt, but I didn’t think of checking.)

The system has a weak set of controls – it’s easy to get to a DOS prompt (which we knew). What we didn’t know is that the administrator password seems to be hardwired to “admin”.

The database is a very obsolete version of Microsoft Access, and uses a very weak encryption key (which I knew a couple years ago, but didn’t want to disclose – the key is “shoup”, as also disclosed in the VITA report). What we didn’t know is that there are no controls on changing the database – if you copy the database to a separate machine, which is easy to do given the file services described above, edit the votes, and put it back, it’s happy as can be, and there are no controls to detect that the tampering occurred.

The USB ports and other physical connections are only marginally physically protected from tampering. What we didn’t know is that there’s no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant given how severe the other problems are.

And, as Epstein notes, the Virginia Information Technology Agency figured all of this out on its own -- in other words, it wasn't given the source code for these machines. That means, pretty much anyone probably could have figured out the same things. Epstein makes it clear just how easy this process is:

Take your laptop to a polling place, and sit outside in the parking lot.

Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).

Connect to the voting machine over WiFi.

If asked for a password, the administrator password is “admin” (VITA provided that).

Download the Microsoft Access database using Windows Explorer.

Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.

Use Microsoft Access to add, delete, or change any of the votes in the database.

Upload the modified copy of the Microsoft Access database back to the voting machine.

Wait for the election results to be published.

As he points out, the only bits that might take some sort of technical expertise is extracting the passwords, but that's not that hard, and the kind of thing that lots of script kiddies have figured out how to do with free online tools for ages. Epstein points out that the Diebold machines that everyone mocked a decade ago were "100 times more secure" than these WinVote machines.

Because there's an election coming up, apparently some election officials were against decertifying these machines:

Richard Herrington, secretary of the Fairfax City Electoral Board, said he was unconvinced that WINVote machines were risky enough to warrant decertification.

“No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system,” he said.

Richard Herrington is both right and wrong. Yes, it's true that almost any system will have security vulnerabilities, but he's ridiculously, laughably wrong, in suggesting that these machines are likely secure enough. These machines don't require a sophisticated hacker (especially now that the VITA revealed all the necessary passwords). Basically anyone can change the votes however they want based on the information that has been revealed.

For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough." Yet, time and time again, we've discovered that the machines weren't even the tiniest bit secure -- and this is just the most egregious example so far.

WINVote Final (PDF)WINVote Final (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: avs winvote, e-voting, electronic voting, hacked, passwords, security, virginia

46 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Southern Republican, 17 Apr 2015 @ 5:07am

Voter IDs
This type of voter fraud can easily be fixed by requiring a photo ID at the polls.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Apr 2015 @ 5:18am
  
  Re: Voter IDs
  No it cannot, as it has nothing to do getting extra voters into a polling station, or forging who is voting, but but changing who the votes were cast for.
  [ link to this | view in chronology ]
  - Southern Republican, 17 Apr 2015 @ 9:48am
    
    Re: Re: Voter IDs
    That's why we also need photo ID's for the people on the ballots.
    [ link to this | view in chronology ]
- Michael, 17 Apr 2015 @ 5:29am
  
  Re: Voter IDs
  What!? You must have missed the part in which, with a wifi antenna, you can be several city blocks away from the polling location and change votes.
  
  You don't even need to be a registered voter to hack these machines. Heck, China could hack them with a low-orbit satellite.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Apr 2015 @ 6:23am
    
    Re: Re: Voter IDs
    Whooosh
    [ link to this | view in chronology ]
    - unkabob, 22 Apr 2015 @ 11:05pm
      
      Re: Re: Re: Voter IDs
      Simple.. That would cost extra and they don't wanna raise taxes.
      [ link to this | view in chronology ]
  - Sothern Republican, 17 Apr 2015 @ 9:46am
    
    Re: Re: Voter IDs
    If that isn't reason enough to bomb Iran, I don't know what is.
    [ link to this | view in chronology ]
- Rich Kulawiec, 17 Apr 2015 @ 5:31am
  
  Re: Voter IDs
  Troll quality: A, with extra credit for pulling it off so effectively so early in the day.
  [ link to this | view in chronology ]
- Anonymous Coward, 17 Apr 2015 @ 5:39am
  
  Re: Voter IDs
  I assume you're being sarcastic? If 70% of the people voted for Republican here, someone could hack it, and make the vote 90% for Democrats instead. Voter ID or no Voter ID. This has nothing to do with WHO goes to the vote.
  [ link to this | view in chronology ]
- PaulT (profile), 17 Apr 2015 @ 6:03am
  
  Re: Voter IDs
  Really, *this* type of fraud can be fixed by requiring ID for the people voting? The type that can be performed half a mile away from the polling station without any record of it even happening?
  
  You didn't even make it to the second paragraph before trying to spout a frequently debunked talking point, did you?
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Apr 2015 @ 6:24am
    
    Re: Re: Voter IDs
    Really
    
    No, not really. Pretty obvious that this guy is attempting to do some weird parody of a Republican.
    [ link to this | view in chronology ]
    - PaulT (profile), 17 Apr 2015 @ 6:51am
      
      Re: Re: Re: Voter IDs
      Poe's law. I've seen actual politicians state similar things in equally absurd situations.
      [ link to this | view in chronology ]
  - Anonymous Coward, 17 Apr 2015 @ 7:50am
    
    Re: Re: Voter IDs
    I'd say it depends on the ID used. Take, for example, the DoD Common Access Card. It contains a smart card chip that has an embedded security module, and exists as a part of a PKI. Using this as a basis for an ID, you can digitally sign your vote record, which will allow the vote counter to detect the alteration when it is counted (assuming that the attacker cant break the PKI system).
    [ link to this | view in chronology ]
- Anonymous Coward, 17 Apr 2015 @ 6:46am
  
  Re: Voter IDs
  There's a saying that Joseph Stalin started about elections.
  
  "It doesn't matter who votes, only who counts the votes".
  
  Fraud and stolen elections are committed far, far, more often by those who count the votes then those who cast the ballots.
  
  There's also more states then there are people who have been prosecuted for voter fraud (illegally casting votes) in the last 10 years. In a nation of over 300 million, that's a very insignificant number.
  [ link to this | view in chronology ]
- Northern Democrat, 20 Apr 2015 @ 12:47pm
  
  Re: Voter IDs
  Try reading the story again. It's talking about hacking in and changing the votes. Has nothing to do with voter ID.
  [ link to this | view in chronology ]
Michael, 17 Apr 2015 @ 5:14am

within a half mile with a rudimentary antenna built using a Pringles can

So why isn't the CEO of Pringles being arrested right now?
[ link to this | view in chronology ]
- PaulT (profile), 17 Apr 2015 @ 6:04am
  
  Re:
  "5. Download the Microsoft Access database using Windows Explorer."
  
  Clearly, they're too busy building their case against Microsoft first.
  [ link to this | view in chronology ]
  - Michael, 17 Apr 2015 @ 8:34am
    
    Re: Re:
    "5. Download the Microsoft Access database using Windows Explorer."
    
    It must be Google's fault.
    [ link to this | view in chronology ]
Rich Kulawiec, 17 Apr 2015 @ 5:23am

These are features, not bugs
They just happen to be features designed and implemented for a certain select group of people:

"Those who cast the votes decide nothing. Those who count the votes decide everything."
[ link to this | view in chronology ]
- John Fenderson (profile), 17 Apr 2015 @ 8:19am
  
  Re: These are features, not bugs
  No, they're bugs. If you want to install a backdoor on a system for your buddies to use, you probably don't want to make it so insecure that any random script kiddie could use it with only a minimal amount of experimentation.
  
  The security on these devices is so pitiful that I think the proper way to describe them is "unsecured".
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Apr 2015 @ 8:36am
    
    Re: Re: These are features, not bugs
    On the other hand, a carefully crafted backdoor makes it clear who the guilty party is. Poor security that any script kiddie could compromise widens the suspect pool and can allow the guilty party to walk away clean.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 17 Apr 2015 @ 9:54am
      
      Re: Re: Re: These are features, not bugs
      But it also makes it impossible to have confidence that the election-fixing you want to have happen is the election-fixing that actually happens. Someone else could come in and change your carefully changed election results.
      [ link to this | view in chronology ]
    - OGquaker (profile), 17 Apr 2015 @ 4:00pm
      
      Re: Re: Re: These are features, not bugs
      ''a carefully crafted backdoor makes it clear who the guilty party is. Poor security that any script kiddie could compromise widens the suspect pool and can allow the guilty party to walk away clean''
      
      The Diebold machines at the voting precincts 'phone home' also.
      
      HeHe 10 years ago the LA Green Party was so hard on the LA County Reg-O-voters about 12 'donated' wired-in-parallel Dell machines and the 6foot tall 'donated' Cisco 19inch rack & the Cat-5 LAN cables running out the ceiling panels that they installed a new Honorary 'John Wenger' viewing window in the counting room; ''because we let the counters watch their laptops after the polls close''.
      That second floor has a few hallway 'viewing windows' AND two full walls of external glass.
      
      I say let a million 14year-olds get to work and pick the next US President!
      [ link to this | view in chronology ]
Spaceman Spiff (profile), 17 Apr 2015 @ 5:43am

Someone may want to "steal" an election?
Like maybe the Koch brothers, or our friend Rupert, or our friends in the GOP? What must we be thinking?!
[ link to this | view in chronology ]
- Rich Kulawiec, 17 Apr 2015 @ 5:59am
  
  Re: Someone may want to "steal" an election?
  Bruce Schneier wrote a cost analysis of this over a decade ago. The numbers have changed, of course, but it's still just as incisive as it was when published: Stealing An Election.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Apr 2015 @ 7:46am
    
    Re: Re: Someone may want to "steal" an election?
    It's even worse now because politics has gotten even more expensive, so the value of the election is actually higher now.
    [ link to this | view in chronology ]
Andy, 17 Apr 2015 @ 6:07am

Given 'Da Manns' position on encryption for everyday folks personal devices, is it really any surprise that systems like this are not secure and are not audited before implementation.
[ link to this | view in chronology ]
Geno0wl (profile), 17 Apr 2015 @ 6:16am

why why why
Why are any of the stand alone voting machines connected to the net?
My old Crypto Professor used to say "The only really secure connection is NO connection".
Each voting station should be a stand alone box, not connected to ANYTHING. At the start of the day you load it with the polling options. At the end of the day you pull the flash drive for storage, syncing with the rest of the machines, and finally to upload the results. Secondarily every person should get a "receipt" print off of their vote as a backup.

How is this a hard god damn concept?
[ link to this | view in chronology ]
- Anonymous Coward, 17 Apr 2015 @ 6:33am
  
  Re: why why why
  Secondarily every person should get a "receipt" print off of their vote as a backup.
  
  Making easy for someone to check that they voted the right way as they exit the polling station, supporting a market for vote buying.
  [ link to this | view in chronology ]
- John Fenderson (profile), 17 Apr 2015 @ 8:22am
  
  Re: why why why
  "Why are any of the stand alone voting machines connected to the net?"
  
  An even better question is... why in the world are we using computerized voting machines at all? It's completely unnecessary and dramatically enlarges the attack surface even if they aren't connected to the net.
  
  Computers aren't the correct solution to every problem.
  [ link to this | view in chronology ]
deadspatula (profile), 17 Apr 2015 @ 6:35am

What I really want to know is....why in the hell were they using wifi?
[ link to this | view in chronology ]
Anonymous Coward, 17 Apr 2015 @ 6:37am

So if in 2016 the entire state of Virginia votes for write-in candidate and the FBI's most wanted terrorist Ahmad Abousamra for President do you think Herrington would recognize that there's a security issue here?
[ link to this | view in chronology ]
- Anonymous Coward, 17 Apr 2015 @ 7:02am
  
  Response to: Anonymous Coward on Apr 17th, 2015 @ 6:37am
  I expect it to go something like the new Mt Dew flavor poll or Lays Do Us a Flavor contest.
  
  Our next president of 2016 will be "HITLER DID NOTHING WRONG"
  [ link to this | view in chronology ]
Anonymous Coward, 17 Apr 2015 @ 6:48am

Virginia was a Diebold state
So it isn't like they have an excuse for not knowing better.

Digitizing is only going to be serviceable with a system that renders digital security in a physically verifying way. Pollsters are volunteers and can't be expected to understand infosec.

One method might be block chaining the votes with a interspersed random video that can be physically verified. (more or less Johnny Mnemonic style). In that way the pollster could watch bugs bunny during the poll, and then go with the machine to the counting site, and then watch bugs bunny again, to verify the data integrity. In that way you could have multiple verifying parties, who themselves would have no requirement for technological competency.

Still a waste of time IMHO. Stuff like "hanging chads" is how you know which states are corrupt. So even if technology can mitigate corruption, it doesn't mitigate the opacity caused by digital abstraction. IOW, it is just as important to know how corrupt you are, as to be less corrupt.
[ link to this | view in chronology ]
Anonymous Coward, 17 Apr 2015 @ 6:55am

Obviously..
It's only a trial run for the "golden keys" the NSA wants to implement.. Because our security would be about as effective as these stations if they get their way.
[ link to this | view in chronology ]
Anonymous Coward, 17 Apr 2015 @ 8:39am

"Secure enough"
For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough."
This completely misses the point. A legitimate democratic election must be understandable by the general public and have their trust. Any system that requires a PhD in security engineering is not suitable, whether or not people with that knowledge say it's safe. (Maybe in 50 years or so, if "everyone" understand the security implications well enough, such systems could be considered.)
[ link to this | view in chronology ]
Stig Rudeholm (profile), 17 Apr 2015 @ 8:56am

Forgot #10 on the list
Epstein makes it clear just how easy this process is:

...
...
10. Profit
[ link to this | view in chronology ]
Jacob H, 17 Apr 2015 @ 9:44am

This makes me want to shoup
[ link to this | view in chronology ]
Thrudd, 17 Apr 2015 @ 10:12am

wrote in members of the silly party
My vote for president would be the slab of concrete.
Senator would be a duck with a pronounced limp.
[ link to this | view in chronology ]
Thrudd, 17 Apr 2015 @ 10:12am

wrote in members of the silly party
My vote for president would be the slab of concrete.
Senator would be a duck with a pronounced limp.
[ link to this | view in chronology ]
BentFranklin (profile), 17 Apr 2015 @ 10:43am

It is impossible to believe that the Virginia Department of Elections was the first to know about this. So, one must assume that dozens of people, many with much to gain have know about this for years. Those are precisely the kind of people that would use this without qualms. So, take various comforting phrases like "we know of no actual exploits" with a salt mine full of salt, because the odds are highly likely that they have been exploited.
[ link to this | view in chronology ]
- John Fenderson (profile), 17 Apr 2015 @ 10:49am
  
  Re:
  " take various comforting phrases like "we know of no actual exploits" with a salt mine full of salt"
  
  I would put it a bit more strongly than that: take it as entirely meaningless. The exploits that are possible on these machines are such that they can be accomplished without leaving a trace. So, unless someone were caught in the act, they would not be noticed.
  [ link to this | view in chronology ]
Anonymous Coward, 17 Apr 2015 @ 5:26pm

Obvious solution
Store a copyrighted string in the Access database, so that the password "effectively controls access to a protected work." Then stealing the election will be a DMCA violation, and nobody dares commit copyright violation with the DMCA hanging around.
[ link to this | view in chronology ]
GNU/Linux, 17 Apr 2015 @ 6:05pm

Holy crap. It has more holes than Microsoft Windows... oh wait!
[ link to this | view in chronology ]
Jake, 18 Apr 2015 @ 2:16am

Well, I guess we know who Dilbert actually works for now.
[ link to this | view in chronology ]
Anonymous Coward, 20 Apr 2015 @ 3:49am

I guees it's about time for 2~ billion votes for Kang and -2~ billion votes for Kodos.
[ link to this | view in chronology ]