If Virginia Elections Weren't Hacked, It's Only Because No One Tried

from the hey-that's-my-password dept

It's actually been a pretty long time since we last wrote about electronic voting machines and how insecure they are. Back in the 2005 to 2010 time frame, it was a regular topic of discussion around here, but there really hasn't been that much new information on that front in a while. However, earlier this week, Virginia decided to decertify a bunch of electronic voting machines after noting that the security on them was abysmal. As Jeremy Epstein notes in a detailed blog post about this issue:
If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.
It's that bad. The headline-grabbing line that many news sites have run with is that the unchangeable WEP encryption key used on the machines was "abcde," meaning it was crazy easy for people to hack into (even if you didn't know the password originally, it would not be difficult to figure that out just by monitoring the system). But that's just the start. Other massive problems, explained by Epstein:
  • The system hasn’t been patched since 2004 (which we knew). What we didn’t know is that the system is running a whole bunch of open ports with active services. The report specifically notes that ports 135/tcp, 139/tcp, 445/tcp, 3389/tcp, 6000/tcp and 16001/tcp are all running unpatched services. (Layman’s explanation: the voting machines aren’t just voting machines, they’re also servers happy to give you whatever files you ask for, and various other things, if only you ask. Think of them as an extra disk drive on the network, that just happens to hold all of the votes.) (Obdisclosure: In retrospect, I *probably* could have figured this out a few years ago when I had supervised access to a WinVote with a shell prompt, but I didn’t think of checking.)
  • The system has a weak set of controls – it’s easy to get to a DOS prompt (which we knew). What we didn’t know is that the administrator password seems to be hardwired to “admin”.
  • The database is a very obsolete version of Microsoft Access, and uses a very weak encryption key (which I knew a couple years ago, but didn’t want to disclose – the key is “shoup”, as also disclosed in the VITA report). What we didn’t know is that there are no controls on changing the database – if you copy the database to a separate machine, which is easy to do given the file services described above, edit the votes, and put it back, it’s happy as can be, and there are no controls to detect that the tampering occurred.
  • The USB ports and other physical connections are only marginally physically protected from tampering. What we didn’t know is that there’s no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant given how severe the other problems are.
And, as Epstein notes, the Virginia Information Technologies Agency (VITA) figured all of this out on its own -- in other words, it wasn't given the source code for these machines. That means pretty much anyone probably could have figured out the same things. Epstein makes it clear just how easy this process is:
  1. Take your laptop to a polling place, and sit outside in the parking lot.
  2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
  3. Connect to the voting machine over WiFi.
  4. If asked for a password, the administrator password is “admin” (VITA provided that).
  5. Download the Microsoft Access database using Windows Explorer.
  6. Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
  7. Use Microsoft Access to add, delete, or change any of the votes in the database.
  8. Upload the modified copy of the Microsoft Access database back to the voting machine.
  9. Wait for the election results to be published.
As he points out, the only bits that might take some sort of technical expertise are extracting the passwords, but that's not that hard, and it's the kind of thing that lots of script kiddies have figured out how to do with free online tools for ages. Epstein points out that the Diebold machines that everyone mocked a decade ago were "100 times more secure" than these WinVote machines.
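
One form the missing control could take, as an added example that is not from this post, Epstein's write-up or the VITA report: each record is hashed together with its predecessor, and the final hash and record count are written down off the machine at poll close, so a database copy that was edited and put back no longer verifies. The record layout, function names and sample votes are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for an empty log


def _link(prev_hash, record):
    """Hash one record together with the hash of the record before it."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_record(log, record):
    """Append a record and return the new chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    head = _link(prev, record)
    log.append({"record": record, "hash": head})
    return head


def verify_log(log, committed_head, committed_count):
    """Check a log against the head and count written down off the machine."""
    if len(log) != committed_count:
        return (False, "record count differs from committed count")
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _link(prev, entry["record"])
        if entry["hash"] != expected:
            return (False, f"record {i} does not match its stored hash")
        prev = expected
    if prev != committed_head:
        return (False, "chain head differs from committed head")
    return (True, "ok")


def demo():
    """Run the check on constructed sample votes and three altered copies."""
    log, head = [], GENESIS
    for seq, choice in enumerate(["A", "B", "A", "A"]):
        head = append_record(log, {"seq": seq, "choice": choice})
    count = len(log)

    # Altered copy 1: one record edited, stored hashes left alone.
    edited = copy.deepcopy(log)
    edited[1]["record"]["choice"] = "A"

    # Altered copy 2: same edit, every hash recomputed to look consistent.
    rebuilt = []
    for entry in edited:
        append_record(rebuilt, entry["record"])

    return {
        "untouched": verify_log(log, head, count),
        "edited": verify_log(edited, head, count),
        "rebuilt": verify_log(rebuilt, head, count),
        "dropped": verify_log(log[:-1], head, count),  # last record removed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check only means something if the head and count are kept where the machine's file share cannot reach them, such as a printed closing tape; it says nothing about software that was replaced before the votes were recorded.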

Because there's an election coming up, apparently some election officials were against decertifying these machines:
Richard Herrington, secretary of the Fairfax City Electoral Board, said he was unconvinced that WINVote machines were risky enough to warrant decertification.

“No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system,” he said.
Richard Herrington is both right and wrong. Yes, it's true that almost any system will have security vulnerabilities, but he's ridiculously, laughably wrong in suggesting that these machines are likely secure enough. These machines don't require a sophisticated hacker (especially now that VITA has revealed all the necessary passwords). Basically anyone can change the votes however they want based on the information that has been revealed.

For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough." Yet, time and time again, we've discovered that the machines weren't even the tiniest bit secure -- and this is just the most egregious example so far.

Reader Comments

  • Southern Republican, 17 Apr 2015 @ 5:07am

    Voter IDs

    This type of voter fraud can easily be fixed by requiring a photo ID at the polls.

    • Anonymous Coward, 17 Apr 2015 @ 5:18am

      Re: Voter IDs

      No it cannot, as it has nothing to do with getting extra voters into a polling station, or forging who is voting, but with changing who the votes were cast for.

    • Michael, 17 Apr 2015 @ 5:29am

      Re: Voter IDs

      What!? You must have missed the part in which, with a wifi antenna, you can be several city blocks away from the polling location and change votes.

      You don't even need to be a registered voter to hack these machines. Heck, China could hack them with a low-orbit satellite.

    • Rich Kulawiec, 17 Apr 2015 @ 5:31am

      Re: Voter IDs

      Troll quality: A, with extra credit for pulling it off so effectively so early in the day.

    • Anonymous Coward, 17 Apr 2015 @ 5:39am

      Re: Voter IDs

      I assume you're being sarcastic? If 70% of the people voted for Republican here, someone could hack it, and make the vote 90% for Democrats instead. Voter ID or no Voter ID. This has nothing to do with WHO goes to the vote.

    • PaulT, 17 Apr 2015 @ 6:03am

      Re: Voter IDs

      Really, *this* type of fraud can be fixed by requiring ID for the people voting? The type that can be performed half a mile away from the polling station without any record of it even happening?

      You didn't even make it to the second paragraph before trying to spout a frequently debunked talking point, did you?

      • Anonymous Coward, 17 Apr 2015 @ 6:24am

        Re: Re: Voter IDs

        Really


        No, not really. Pretty obvious that this guy is attempting to do some weird parody of a Republican.

      • Anonymous Coward, 17 Apr 2015 @ 7:50am

        Re: Re: Voter IDs

        I'd say it depends on the ID used. Take, for example, the DoD Common Access Card. It contains a smart card chip that has an embedded security module, and exists as a part of a PKI. Using this as a basis for an ID, you can digitally sign your vote record, which will allow the vote counter to detect the alteration when it is counted (assuming that the attacker can't break the PKI system).

    • Anonymous Coward, 17 Apr 2015 @ 6:46am

      Re: Voter IDs

      There's a saying that Joseph Stalin started about elections.

      "It doesn't matter who votes, only who counts the votes".

      Fraud and stolen elections are committed far, far, more often by those who count the votes than those who cast the ballots.

      There's also more states than there are people who have been prosecuted for voter fraud (illegally casting votes) in the last 10 years. In a nation of over 300 million, that's a very insignificant number.

    • Northern Democrat, 20 Apr 2015 @ 12:47pm

      Re: Voter IDs

      Try reading the story again. It's talking about hacking in and changing the votes. Has nothing to do with voter ID.

  • Michael, 17 Apr 2015 @ 5:14am

    within a half mile with a rudimentary antenna built using a Pringles can

    So why isn't the CEO of Pringles being arrested right now?

  • Rich Kulawiec, 17 Apr 2015 @ 5:23am

    These are features, not bugs

    They just happen to be features designed and implemented for a certain select group of people:

    "Those who cast the votes decide nothing. Those who count the votes decide everything."

    • John Fenderson, 17 Apr 2015 @ 8:19am

      Re: These are features, not bugs

      No, they're bugs. If you want to install a backdoor on a system for your buddies to use, you probably don't want to make it so insecure that any random script kiddie could use it with only a minimal amount of experimentation.

      The security on these devices is so pitiful that I think the proper way to describe them is "unsecured".

      • Anonymous Coward, 17 Apr 2015 @ 8:36am

        Re: Re: These are features, not bugs

        On the other hand, a carefully crafted backdoor makes it clear who the guilty party is. Poor security that any script kiddie could compromise widens the suspect pool and can allow the guilty party to walk away clean.

        • John Fenderson, 17 Apr 2015 @ 9:54am

          Re: Re: Re: These are features, not bugs

          But it also makes it impossible to have confidence that the election-fixing you want to have happen is the election-fixing that actually happens. Someone else could come in and change your carefully changed election results.

        • OGquaker, 17 Apr 2015 @ 4:00pm

          Re: Re: Re: These are features, not bugs

          ''a carefully crafted backdoor makes it clear who the guilty party is. Poor security that any script kiddie could compromise widens the suspect pool and can allow the guilty party to walk away clean''

          The Diebold machines at the voting precincts 'phone home' also.

          HeHe 10 years ago the LA Green Party was so hard on the LA County Reg-O-voters about 12 'donated' wired-in-parallel Dell machines and the 6foot tall 'donated' Cisco 19inch rack & the Cat-5 LAN cables running out the ceiling panels that they installed a new Honorary 'John Wenger' viewing window in the counting room; ''because we let the counters watch their laptops after the polls close''.
          That second floor has a few hallway 'viewing windows' AND two full walls of external glass.

          I say let a million 14year-olds get to work and pick the next US President!

  • Spaceman Spiff, 17 Apr 2015 @ 5:43am

    Someone may want to "steal" an election?

    Like maybe the Koch brothers, or our friend Rupert, or our friends in the GOP? What must we be thinking?!

    • Rich Kulawiec, 17 Apr 2015 @ 5:59am

      Re: Someone may want to "steal" an election?

      Bruce Schneier wrote a cost analysis of this over a decade ago. The numbers have changed, of course, but it's still just as incisive as it was when published: Stealing An Election.

      • Anonymous Coward, 17 Apr 2015 @ 7:46am

        Re: Re: Someone may want to "steal" an election?

        It's even worse now because politics has gotten even more expensive, so the value of the election is actually higher now.

  • Andy, 17 Apr 2015 @ 6:07am

    Given 'Da Manns' position on encryption for everyday folks' personal devices, is it really any surprise that systems like this are not secure and are not audited before implementation?

  • Geno0wl, 17 Apr 2015 @ 6:16am

    why why why

    Why are any of the stand alone voting machines connected to the net?
    My old Crypto Professor used to say "The only really secure connection is NO connection".
    Each voting station should be a stand alone box, not connected to ANYTHING. At the start of the day you load it with the polling options. At the end of the day you pull the flash drive for storage, syncing with the rest of the machines, and finally to upload the results. Secondarily every person should get a "receipt" print off of their vote as a backup.

    How is this a hard god damn concept?

    • Anonymous Coward, 17 Apr 2015 @ 6:33am

      Re: why why why

      Secondarily every person should get a "receipt" print off of their vote as a backup.

      Making it easy for someone to check that they voted the right way as they exit the polling station, supporting a market for vote buying.

    • John Fenderson, 17 Apr 2015 @ 8:22am

      Re: why why why

      "Why are any of the stand alone voting machines connected to the net?"

      An even better question is... why in the world are we using computerized voting machines at all? It's completely unnecessary and dramatically enlarges the attack surface even if they aren't connected to the net.

      Computers aren't the correct solution to every problem.

  • deadspatula, 17 Apr 2015 @ 6:35am

    What I really want to know is....why in the hell were they using wifi?

  • Anonymous Coward, 17 Apr 2015 @ 6:37am

    So if in 2016 the entire state of Virginia votes for write-in candidate and the FBI's most wanted terrorist Ahmad Abousamra for President do you think Herrington would recognize that there's a security issue here?

    • Anonymous Coward, 17 Apr 2015 @ 7:02am

      Response to: Anonymous Coward on Apr 17th, 2015 @ 6:37am

      I expect it to go something like the new Mt Dew flavor poll or Lays Do Us a Flavor contest.

      Our next president of 2016 will be "HITLER DID NOTHING WRONG"

  • Anonymous Coward, 17 Apr 2015 @ 6:48am

    Virginia was a Diebold state

    So it isn't like they have an excuse for not knowing better.

    Digitizing is only going to be serviceable with a system that renders digital security in a physically verifying way. Pollsters are volunteers and can't be expected to understand infosec.

    One method might be block chaining the votes with an interspersed random video that can be physically verified. (more or less Johnny Mnemonic style). In that way the pollster could watch Bugs Bunny during the poll, and then go with the machine to the counting site, and then watch Bugs Bunny again, to verify the data integrity. In that way you could have multiple verifying parties, who themselves would have no requirement for technological competency.

    Still a waste of time IMHO. Stuff like "hanging chads" is how you know which states are corrupt. So even if technology can mitigate corruption, it doesn't mitigate the opacity caused by digital abstraction. IOW, it is just as important to know how corrupt you are, as to be less corrupt.

  • Anonymous Coward, 17 Apr 2015 @ 6:55am

    Obviously..

    It's only a trial run for the "golden keys" the NSA wants to implement.. Because our security would be about as effective as these stations if they get their way.

  • Anonymous Coward, 17 Apr 2015 @ 8:39am

    "Secure enough"

    For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough."
    This completely misses the point. A legitimate democratic election must be understandable by the general public and have their trust. Any system that requires a PhD in security engineering is not suitable, whether or not people with that knowledge say it's safe. (Maybe in 50 years or so, if "everyone" understands the security implications well enough, such systems could be considered.)

  • Stig Rudeholm, 17 Apr 2015 @ 8:56am

    Forgot #10 on the list

    Epstein makes it clear just how easy this process is:

    ...
    ...
    10. Profit

  • Jacob H, 17 Apr 2015 @ 9:44am

    This makes me want to shoup

  • Thrudd, 17 Apr 2015 @ 10:12am

    wrote in members of the silly party

    My vote for president would be the slab of concrete.
    Senator would be a duck with a pronounced limp.

  • BentFranklin, 17 Apr 2015 @ 10:43am

    It is impossible to believe that the Virginia Department of Elections was the first to know about this. So, one must assume that dozens of people, many with much to gain, have known about this for years. Those are precisely the kind of people that would use this without qualms. So, take various comforting phrases like "we know of no actual exploits" with a salt mine full of salt, because the odds are highly likely that they have been exploited.

    • John Fenderson, 17 Apr 2015 @ 10:49am

      Re:

      " take various comforting phrases like "we know of no actual exploits" with a salt mine full of salt"

      I would put it a bit more strongly than that: take it as entirely meaningless. The exploits that are possible on these machines are such that they can be accomplished without leaving a trace. So, unless someone were caught in the act, they would not be noticed.

  • Anonymous Coward, 17 Apr 2015 @ 5:26pm

    Obvious solution

    Store a copyrighted string in the Access database, so that the password "effectively controls access to a protected work." Then stealing the election will be a DMCA violation, and nobody dares commit copyright violation with the DMCA hanging around.

  • GNU/Linux, 17 Apr 2015 @ 6:05pm

    Holy crap. It has more holes than Microsoft Windows... oh wait!

  • Jake, 18 Apr 2015 @ 2:16am

    Well, I guess we know who Dilbert actually works for now.

  • Anonymous Coward, 20 Apr 2015 @ 3:49am

    I guess it's about time for 2~ billion votes for Kang and -2~ billion votes for Kodos.
