If Virginia Elections Weren't Hacked, It's Only Because No One Tried
from the hey-that's-my-password dept
It's actually been a pretty long time since we last wrote about electronic voting machines and how insecure they are. Back in the 2005 to 2010 time frame, it was a regular topic of discussion around here, but there really hasn't been that much new information on that front in a while. However, earlier this week, Virginia decided to decertify a bunch of electronic voting machines after noting that the security on them was abysmal. As Jeremy Epstein notes in a detailed blog post about this issue:
“If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.”
It's that bad. The headline-grabbing line that many news sites have run with is that the unchangeable WEP encryption key used on the machines was "abcde." Meaning it was crazy easy for people to hack into (even if you didn't know the password originally, it would not be difficult to figure that out just by monitoring the system). But that's just the start. Other massive problems, explained by Epstein:
- The system hasn’t been patched since 2004 (which we knew). What we didn’t know is that the system is running a whole bunch of open ports with active services. The report specifically notes that ports 135/tcp, 139/tcp, 445/tcp, 3389/tcp, 6000/tcp and 16001/tcp are all running unpatched services. (Layman’s explanation: the voting machines aren’t just voting machines, they’re also servers happy to give you whatever files you ask for, and various other things, if only you ask. Think of them as an extra disk drive on the network, that just happens to hold all of the votes.) (Obdisclosure: In retrospect, I *probably* could have figured this out a few years ago when I had supervised access to a WinVote with a shell prompt, but I didn’t think of checking.)
- The system has a weak set of controls – it’s easy to get to a DOS prompt (which we knew). What we didn’t know is that the administrator password seems to be hardwired to “admin”.
- The database is a very obsolete version of Microsoft Access, and uses a very weak encryption key (which I knew a couple years ago, but didn’t want to disclose – the key is “shoup”, as also disclosed in the VITA report). What we didn’t know is that there are no controls on changing the database – if you copy the database to a separate machine, which is easy to do given the file services described above, edit the votes, and put it back, it’s happy as can be, and there are no controls to detect that the tampering occurred.
- The USB ports and other physical connections are only marginally physically protected from tampering. What we didn’t know is that there’s no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant given how severe the other problems are.
- Take your laptop to a polling place, and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
- Connect to the voting machine over WiFi.
- If asked for a password, the administrator password is “admin” (VITA provided that).
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published.
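An added illustration, not from the original post, Epstein's write-up or the VITA report: the copy-edit-replace change in the list above goes unnoticed because nothing outside the database records what it should contain. The sketch below shows one such control, a keyed hash chain over the vote records whose tags are exported at poll close; the record layout, key, and function names are hypothetical, and the sample ballots are constructed.

```python
import hashlib
import hmac
import json

def _canon(record):
    # Canonical bytes, so the same record always produces the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def build_witness(records, key):
    """One keyed tag per record; each tag also covers the previous tag."""
    tags, prev = [], b"\x00" * 32
    for rec in records:
        prev = hmac.new(key, prev + _canon(rec), hashlib.sha256).digest()
        tags.append(prev.hex())
    return tags

def audit(records, witness, key):
    """Return None if records match the witness, else the first bad index."""
    recomputed = build_witness(records, key)
    for i, (got, want) in enumerate(zip(recomputed, witness)):
        if not hmac.compare_digest(got, want):
            return i
    if len(recomputed) != len(witness):
        return min(len(recomputed), len(witness))  # rows added or cut off
    return None

# Constructed sample data: hypothetical record layout and demo key.
KEY = b"constructed-demo-key-kept-off-the-machine"
BALLOTS = [
    {"seq": 1, "contest": "mayor", "choice": "A"},
    {"seq": 2, "contest": "mayor", "choice": "B"},
    {"seq": 3, "contest": "mayor", "choice": "B"},
    {"seq": 4, "contest": "mayor", "choice": "A"},
]
WITNESS = build_witness(BALLOTS, KEY)  # exported when the polls close

def demo():
    edited = [dict(b) for b in BALLOTS]
    edited[2]["choice"] = "A"                 # one vote changed in place
    deleted = BALLOTS[:1] + BALLOTS[2:]       # one row removed
    appended = BALLOTS + [{"seq": 5, "contest": "mayor", "choice": "A"}]
    return {
        "intact": audit(BALLOTS, WITNESS, KEY),
        "edited": audit(edited, WITNESS, KEY),
        "deleted": audit(deleted, WITNESS, KEY),
        "appended": audit(appended, WITNESS, KEY),
    }

if __name__ == "__main__":
    print(demo())
```

The check only helps if the key and the witness are kept somewhere the machine's file shares cannot reach; a key stored on the device would be as exposed as the hardwired ones named in the report.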
Because there's an election coming up, apparently some election officials were against decertifying these machines:
Richard Herrington, secretary of the Fairfax City Electoral Board, said he was unconvinced that WINVote machines were risky enough to warrant decertification.
“No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system,” he said.
Richard Herrington is both right and wrong. Yes, it's true that almost any system will have security vulnerabilities, but he's ridiculously, laughably wrong in suggesting that these machines are likely secure enough. These machines don't require a sophisticated hacker (especially now that VITA has revealed all the necessary passwords). Basically anyone can change the votes however they want based on the information that has been revealed.
For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough." Yet, time and time again, we've discovered that the machines weren't even the tiniest bit secure -- and this is just the most egregious example so far.
Filed Under: avs winvote, e-voting, electronic voting, hacked, passwords, security, virginia
Reader Comments
Re: Voter IDs
You don't even need to be a registered voter to hack these machines. Heck, China could hack them with a low-orbit satellite.
Re: Voter IDs
You didn't even make it to the second paragraph before trying to spout a frequently debunked talking point, did you?
Re: Re: Voter IDs
No, not really. Pretty obvious that this guy is attempting to do some weird parody of a Republican.
Re: Voter IDs
"It doesn't matter who votes, only who counts the votes".
Fraud and stolen elections are committed far, far, more often by those who count the votes than those who cast the ballots.
There are also more states than there are people who have been prosecuted for voter fraud (illegally casting votes) in the last 10 years. In a nation of over 300 million, that's a very insignificant number.
So why isn't the CEO of Pringles being arrested right now?
Re:
Clearly, they're too busy building their case against Microsoft first.
Re: Re:
It must be Google's fault.
These are features, not bugs
"Those who cast the votes decide nothing. Those who count the votes decide everything."
Re: These are features, not bugs
The security on these devices is so pitiful that I think the proper way to describe them is "unsecured".
Re: Re: Re: These are features, not bugs
The Diebold machines at the voting precincts 'phone home' also.
HeHe 10 years ago the LA Green Party was so hard on the LA County Reg-O-voters about 12 'donated' wired-in-parallel Dell machines and the 6-foot tall 'donated' Cisco 19-inch rack & the Cat-5 LAN cables running out the ceiling panels that they installed a new Honorary 'John Wenger' viewing window in the counting room; "because we let the counters watch their laptops after the polls close".
That second floor has a few hallway 'viewing windows' AND two full walls of external glass.
I say let a million 14-year-olds get to work and pick the next US President!
why why why
My old Crypto Professor used to say "The only really secure connection is NO connection".
Each voting station should be a standalone box, not connected to ANYTHING. At the start of the day you load it with the polling options. At the end of the day you pull the flash drive for storage, syncing with the rest of the machines, and finally to upload the results. Secondarily every person should get a "receipt" print off of their vote as a backup.
How is this a hard god damn concept?
Re: why why why
Making it easy for someone to check that they voted the right way as they exit the polling station, supporting a market for vote buying.
Re: why why why
An even better question is... why in the world are we using computerized voting machines at all? It's completely unnecessary and dramatically enlarges the attack surface even if they aren't connected to the net.
Computers aren't the correct solution to every problem.
Response to: Anonymous Coward on Apr 17th, 2015 @ 6:37am
Our next president of 2016 will be "HITLER DID NOTHING WRONG"
Virginia was a Diebold state
Digitizing is only going to be serviceable with a system that renders digital security in a physically verifying way. Pollsters are volunteers and can't be expected to understand infosec.
One method might be block chaining the votes with an interspersed random video that can be physically verified (more or less Johnny Mnemonic style). In that way the pollster could watch Bugs Bunny during the poll, and then go with the machine to the counting site, and then watch Bugs Bunny again, to verify the data integrity. In that way you could have multiple verifying parties, who themselves would have no requirement for technological competency.
Still a waste of time IMHO. Stuff like "hanging chads" is how you know which states are corrupt. So even if technology can mitigate corruption, it doesn't mitigate the opacity caused by digital abstraction. IOW, it is just as important to know how corrupt you are, as to be less corrupt.
Forgot #10 on the list
...
...
10. Profit
wrote in members of the silly party
Senator would be a duck with a pronounced limp.
Re:
I would put it a bit more strongly than that: take it as entirely meaningless. The exploits that are possible on these machines are such that they can be accomplished without leaving a trace. So, unless someone were caught in the act, they would not be noticed.