from the hey-that's-my-password dept
If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.It's that bad. The headline grabbing line that many news sites have run with is the unchangeable WEP encryption key used on the machines was "abcde." Meaning it was crazy easy for people to hack into (even if you didn't know the password originally, it would not be difficult to figure that out just by monitoring the system). But that's just the start. Other massive problems, explained by Epstein:
- The system hasn’t been patched since 2004 (which we knew). What we didn’t know is that the system is running a whole bunch of open ports with active services. The report specifically notes that ports 135/tcp, 139/tcp, 445/tcp, 3389/tcp, 6000/tcp and 16001/tcp are all running unpatched services. (Layman’s explanation: the voting machines aren’t just voting machines, they’re also servers happy to give you whatever files you ask for, and various other things, if only you ask. Think of them as an extra disk drive on the network, that just happens to hold all of the votes.) (Obdisclosure: In retrospect, I *probably* could have figured this out a few years ago when I had supervised access to a WinVote with a shell prompt, but I didn’t think of checking.)
- The system has a weak set of controls – it’s easy to get to a DOS prompt (which we knew). What we didn’t know is that the administrator password seems to be hardwired to “admin”.
- The database is a very obsolete version of Microsoft Access, and uses a very weak encryption key (which I knew a couple years ago, but didn’t want to disclose – the key is “shoup”, as also disclosed in the VITA report). What we didn’t know is that there are no controls on changing the database – if you copy the database to a separate machine, which is easy to do given the file services described above, edit the votes, and put it back, it’s happy as can be, and there are no controls to detect that the tampering occurred.
- The USB ports and other physical connections are only marginally physically protected from tampering. What we didn’t know is that there’s no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant given how severe the other problems are.
- Take your laptop to a polling place, and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
- Connect to the voting machine over WiFi.
- If asked for a password, the administrator password is “admin” (VITA provided that).
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published.
Because there's an election coming up, apparently some election officials were against decertifying these machines:
Richard Herrington, secretary of the Fairfax City Electoral Board, said he was unconvinced that WINVote machines were risky enough to warrant decertification.Richard Herrington is both right and wrong. Yes, it's true that almost any system will have security vulnerabilities, but he's ridiculously, laughably wrong, in suggesting that these machines are likely secure enough. These machines don't require a sophisticated hacker (especially now that the VITA revealed all the necessary passwords). Basically anyone can change the votes however they want based on the information that has been revealed.
“No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system,” he said.
For years, whenever we'd point to concerns and problems with e-voting machines, people would argue that it was just conspiracy theories and that these machines were mostly "secure enough." Yet, time and time again, we've discovered that the machines weren't even the tiniest bit secure -- and this is just the most egregious example so far.