The Virginia Information Technologies Agency (VITA) is calling on the board of elections in that commonwealth to immediately discontinue use of its electronic voting devices after an examination revealed the systems lack strong credentials and encryption and are utterly vulnerable to vote manipulation.
The vulnerable devices are identified as “Advanced Voting System WINVote.” The machines have been in use since 2002. Threatpost contacted the Virginia Board of Elections to inquire how widely adopted these systems are in the commonwealth, but they did not provide that information before the time of publication. The Virginia Board of Elections has decertified the WINVote machines.
“The Board and the Department took immediate action to address the serious security concerns identified with this equipment and to protect Virginia’s electoral system from potential significant problems in the future,” said Department of Elections Commissioner Edgardo Cortés in a statement. “Today’s decision to decertify WINVote voting equipment showed a bipartisan commitment to ensuring the integrity of elections in the Commonwealth.”
In general, the report indicates that the level of sophistication required to perform attacks on the WINVote election systems was low. In fact, Jeremy Epstein of Freedom to Tinker explains that exploiting the WINVote system is trivial from the parking lot of a polling place (i.e. within Wi-Fi range) or from as far as a half-mile away.
“If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know,” Epstein wrote.
Beyond weak passwords and easily breakable encryption, auditors also found security deficiencies in physical controls, network access, operating system controls and even the vote tallying process. VITA notes that these critical security vulnerabilities, along with “the ability to remotely modify votes discretely,” pose substantial risk to voting integrity in the commonwealth.
“This heightened level of risk has led VITA security staff to conclude that malicious third party could be able to alter votes on these devices,” VITA concluded in its report. “These machines should not remain in service.”
The board of elections has since decertified the WINVote machines.
As their name suggests, the devices run on the Windows operating system. Unfortunately, the particular variant is Windows XP Embedded 2002, which, depending on the service pack, may or may not be supported and may or may not receive security updates. VITA claims the systems are supported until Jan. 12, 2016, a claim that is validated by one Microsoft lifecycle and support schedule. However, another of Microsoft’s lifecycle fact sheets notes that the first service pack of XP Embedded 2002 received its last update on April 10, 2007. If it’s the second service pack, then the final patches would have been applied on January 11, 2011.
In either case, VITA found the devices exposed to a remote execution vulnerability resolved by a patch first released in 2004. Regardless of the operating systems support sunset date, these particular machines have gone without security updates for at least 11 years.
Voting data is stored in an unencrypted format. It took VITA auditors 10 seconds to brute-force the password protecting these data (“shoup”). To be very clear, VITA was able to remotely modify and change the results of a mock election performed under official conditions. There was no system integrity check to determine whether such manipulations had taken place.
Physically, the voting machines contained easily accessible USB ports through which a malicious third party could access the machine locally. VITA also accessed the device BIOS, manipulated the boot order, plugged a detachable CD drive into one of the USB ports, compelled the machine to boot a separate operating system (Knoppix) and took pictures of the drives. VITA believed it would be easy to install malware on the voting machines.
Also of concern is that ability to access the machines wirelessly, providing an attack vector through which an attacker could modify device data from nearby. This problem is exacerbated by the fact that the machines broadcast their Wi-Fi network and deploy weak WEP cryptographic protection. The auditors managed to break the WEP encryption, steal the keys and, adding insult to injury, determine that the network was protected by the password “abcde”. With this password, an attacker could easily view and modify voting and vote tallying information in real time.
The WINVote application allows administrators to disable Wi-Fi. However, the devices still transmit wireless signals even when they are disabled inside the application. In other words, there is no way to disable wireless access without rendering the machines useless.
A brute-force tool very quickly determined that the administrative interfaces were protected by the password “admin”, which allowed full access to the WINVote operating system.
VITA tested 10 Advanced Voting Systems WINVote devices with default configurations. VITA was not given any advance information about existing security controls implemented on the devices, and the agency used common exploit techniques to attack them. Ultimately, the goal was to determine if the devices were sufficiently secure against vote manipulation.