[Image courtesy of theprepperjournal]
Yesterday, the Virginia State Board of Elections voted to decertify the AVS WinVote system effective immediately. The decision was very unpopular with the 30 localities who use the system – especially since Virginia will hold a primary election in June – but a report released in the wake of the decertification vote reveals why the state moved so quickly.
The report by the Virginia Information Technologies Agency (VITA) describes what the agency found after being asked to examine WinVote machines following reports of problems in recent elections (emphasis in original):
During a recent election, one precinct in Virginia reported unusual activity with some of the devices used to capture votes. The devices were displaying errors that interfered with the ability to collect votes. In order to diagnose the problem, the Department of Elections (ELECT) initiated a review of the devices to identify the cause of the problems. As part of the review, ELECT engaged Commonwealth Security and Risk Management staff in the Virginia Information Technologies Agency (VITA) to perform a security analysis of the devices.
As a result of the findings included in this report, VITA recommends discontinuing use of the Advanced Voting System WINVote devices. The security review determined that the combination of weak security controls used by the devices would not be able to prevent a malicious third party from modifying the votes recorded by the WINVote devices. The primary contributor to these findings is a combination of weak security controls used by the devices: namely, the use of encryption protocols that are not secure, weak passwords, and insufficient system hardening.
Security deficiencies were identified in multiple areas, including physical controls, network access, operating system controls, data protection, and the voting tally process. The combination of critical vulnerabilities in these areas, along with the ability to remotely modify votes discretely, is considered to present a significant risk. This heightened level of risk has led VITA security staff to conclude that malicious third party could be able to alter votes on these devices. These machines should not remain in service.
Specifically, VITA found that
- although they were able to prevent individual machines from accessing the shared wireless network used to transmit results, they were unable to disable external wireless access to the machines without rendering the machine inoperable for voting;
- WinVote machines were using WEP wireless security – a protocol “deprecated” in 2004 because of security concerns – and every machine was hard-coded with a WEP password of “abcde”;
- the system was running a version of WindowsXP – which will no longer be supported by Microsoft in January 2016 – and was hard-coded with an administrator password of “admin” which the agency used tools to guess almost immediately, giving them full external access to the machines; and
- a key threat to the machine was accessing its voting databases, also protected by a password which VITA took 10 seconds to guess (“shoup”, from the manufacturer’s former name). VITA used that password to access, change and replace voting data on the machine and then verified that such an action would be undetectable within the system.
Based on all of these vulnerabilities, VITA performed a simulated attack on the vote tally process:
The primary goal of the WINVote testing was to identify whether votes could be modified remotely without detection by voting staff. To determine whether this was possible, VITA executed a controlled election with the vote tallies for each candidate noted. Before closing out the election, VITA downloaded and modified the database containing the vote tallies for each candidate on a remote security analysis station connected to the ad-hoc network. This modified database was loaded back onto the WINVote device and the election was closed. The compromised vote tallies were reflected in the closed election results, proving that the vote data could be remotely modified. This process test was performed with the wireless network both enabled and disabled through the WINVote software.
The documentation reviewed by VITA indicated that the system performed integrity checking of the vote cast to ensure it was not modified during the voting process. However, the system did not perform checks to identify whether the file that stores the votes has been modified. This lack of integrity check allows the file to be changed and votes to be modified.
In summary, VITA in essence “sounded the alarm”:
Because the WINVote devices use insecure security protocols, weak passwords, and unpatched software, the WINVote devices operate with a high level of risk. The security testing by VITA proved that the vulnerabilities on the WINVote devices can allow a malicious party to compromise the confidentiality and integrity of voting data … VITA recommends that the Advanced Voting Systems WINVote devices not be used in future elections.
Questions still remain about what this action means long-term for other manufacturers, standards and testing (these machines were certified in 2002, pre-HAVA/EAC) and voting technology in general.
And those questions pale in comparison to the short-term problems facing Virginia WinVote jurisdictions who must find a way to conduct their primary with different equipment. The state is encouraging non-primary jurisdictions to share voting equipment with their colleagues, but either way it’s likely to be a challenging period. The sad part (to me at least) is that the general sense beyond frustration with the timing is relief that very few voters will turn out in June so scale shouldn’t be an issue in most places.
Fallout aside, this is a remarkable report that should be required reading for anyone interested in elections or voting technology (NOTE TO TECHNOPHOBES: It’s only 8 pages and very accessible to the layperson.) It may also increase interest in other states reaching out to their own IT agencies to conduct similar testing.
What a story … by all means stay tuned!