Sunday, August 16, 2015

The Least Secure Voting Machines in the US

And possibly the world.

H/T to Yahoo! Tech for the story.  As usual, the problem is government.  In particular, after the "Hanging Chad" election in 2000, Congress passed the Help America Vote Act of 2002. Among other things, the Act paid states to replace their punched-card and mechanical-lever voting machines.  This led to the inevitable gold rush to suck up that gubmint money by producing voting machines.  And the Help America Vote money was spent just as wisely as the War on Some Drugs money has always been spent; remember the Quadro Tracker, the $1000 empty box with a 'divining rod' on it.  As I've said before, the Fed.Gov dribbles money like a toddler dripping turds out of its Pampers, and this always attracts companies ready to suck up the gubmint droppings.
Outside of Virginia, only a few counties in Pennsylvania and Mississippi adopted Winvote (from the now-defunct Frisco, Tex.-based Advanced Voting Systems). But Winvote terminals had much in common with other electronic voting machines of that time: They were built to win government contracts. And they were based on general-purpose Windows platforms that made them needlessly complex and vulnerable to exploits.
Winvote fulfilled its purpose, to suck up money, and quite possibly delivered the least secure systems ever.  
Jeremy Epstein, a security scientist with SRI International, has spent years investigating the weaknesses of these and other electronic voting systems. But even he didn’t know how bad Winvote terminals were until this past April.

That’s when the Virginia Information Technologies Agency condemned the security of these machines and banned them from the commonwealth. Their only remaining use was, literally, as a lesson to others.
Switching to Epstein's summary for a moment:
If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place – within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.
How bad was it?  How about the shiny key to lock the machine?  Epstein reports: “All the keys are the same for every Winvote that’s ever been made, because that way it’s easier.”
• Winvote’s machine runs a version of Windows XP that hasn’t had patches installed since 2004 — four years before AVS deservedly went out of business.
• Its wireless network is “safeguarded” with insecure WEP encryption — and the password is abcde. (and that was unchangeable)
• The Windows admin password is (no, I’m not making this up) admin. (and that seemed unchangeable as well)
• Windows file-sharing is left on.
• The machine tracks votes using an obsolete version of Microsoft Access, in which the unencrypted database file is “protected” with a five-character password that a security tool cracked in seconds. (That password — shoup — apparently refers to a voting-machine company with a history of criminal indictments.)
• The system doesn’t log changes to that file.
• You can’t turn off the WiFi; if you remove the wireless card, the device won’t boot.
As the saying goes, security wasn't an afterthought; it was never thought of at all.     
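The "no logs" item is the one a practitioner keeps coming back to, so here is a worked illustration of what it costs. The Python below is an added example written for this post; it is not Winvote's code and not taken from the Yahoo! Tech or Epstein write-ups. It models a tally stored the Winvote way, as a bare table where editing one row leaves nothing behind, next to the same records kept in a hash-chained log, where each entry commits to the one before it and any edit or dropped entry fails verification. The ballots, machine name and contest name are constructed sample data.

```python
import hashlib
import json

# Constructed sample ballots for the demonstration (not real data).
SAMPLE_BALLOTS = [
    {"seq": 1, "machine": "WV-01", "contest": "Sheriff", "choice": "Alice"},
    {"seq": 2, "machine": "WV-01", "contest": "Sheriff", "choice": "Bob"},
    {"seq": 3, "machine": "WV-01", "contest": "Sheriff", "choice": "Alice"},
    {"seq": 4, "machine": "WV-01", "contest": "Sheriff", "choice": "Alice"},
]


def canonical(record):
    """Serialise a record deterministically so its hash is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tally(records):
    """Count choices across a list of ballot records."""
    counts = {}
    for r in records:
        counts[r["choice"]] = counts.get(r["choice"], 0) + 1
    return counts


# --- Model of the Winvote design: a bare table with no integrity record ---

def edit_in_place(records, seq, new_choice):
    """Rewrite one row, as anyone who opened the unencrypted database could.
    Returns the edited copy; nothing anywhere records that this happened,
    so the edited table is indistinguishable from an honest one."""
    edited = [dict(r) for r in records]
    for r in edited:
        if r["seq"] == seq:
            r["choice"] = new_choice
    return edited


# --- Hash-chained log: every entry commits to the entry before it ---

GENESIS = hashlib.sha256(b"election-log-genesis").hexdigest()


def _entry_hash(prev_hash, record):
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def append_entry(log, record):
    """Append a record, binding it to the current chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return log


def build_log(records):
    log = []
    for r in records:
        append_entry(log, r)
    return log


def verify_log(log, expected_head=None):
    """Recompute the chain. Returns (True, None) if intact, otherwise
    (False, index) where index is the first entry that fails, or len(log)
    when the chain is internally consistent but does not end at the head
    recorded at poll close (i.e. entries were removed from the end)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def tamper_log(log, seq, new_choice):
    """Edit a record inside the log the way edit_in_place edits the table,
    without rewriting the rest of the chain."""
    tampered = json.loads(json.dumps(log))
    for entry in tampered:
        if entry["record"]["seq"] == seq:
            entry["record"]["choice"] = new_choice
    return tampered


if __name__ == "__main__":
    print("honest tally:", tally(SAMPLE_BALLOTS))
    print("bare table after edit:", tally(edit_in_place(SAMPLE_BALLOTS, 2, "Alice")))

    log = build_log(SAMPLE_BALLOTS)
    head = log[-1]["hash"]  # this value has to leave the machine at poll close
    print("chain intact:", verify_log(log, head))
    print("edited entry:", verify_log(tamper_log(log, 2, "Alice"), head))
    print("last ballot dropped:", verify_log(log[:-1], head))
```

The caveat matters as much as the code: somebody holding the Windows admin password can rebuild the entire chain from scratch, so the chain only proves anything if its head hash leaves the machine at poll close (printed on the results tape, signed, or published) where the attacker can't reach it. That is the same reason a paper ballot beats a database row: the record exists somewhere the software can't silently rewrite.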

It's hard to say just what the worst part of this situation is, but possibly it's (as mentioned a few paragraphs ago), "if an election was hacked any time in the past, we will never know."  Possibly the worst part is that this might not be unique to Winvote machines at all.  In fact, Diebold wasn't much better.

Technology moves quickly, as I don't have to tell you.  Governments don't; they're the second slowest institutions to change in the world.  We've got to get smarter about electronic voting machines.  The county I'm in has you mark votes on a sheet of paper and tallies them optically, the way standardized tests are graded.  Those scanners are only "hacker proof" if they're kept off a network and handled carefully, but the marked paper ballots survive as a record that can be recounted by hand, which is exactly what Winvote never had.  And just as they say the hackers are winning attacks on the financial institutions because there's so much money at stake, the amount of money and power at stake here dwarfs anything in the banks.

(A Winvote key and administrator's card)


  1. As disturbing as these security vulnerabilities are, it's even more infuriating that Virginia's (and others') elected representatives allowed these things to be bought in the first place. Look, there are always going to be charlatans and hucksters seeking to pry money out of the hands of the gullible. But to spend hard-earned taxpayer money with nary a thought as to proper security for one of the most vital exercises in the republic? That should be a career-ending move. Of course it won't be, as the elected representative will use his/her ignorance as an excuse, and the bureaucrats who actually bought these things probably got promoted and given even bigger budgets for successfully spending all that Federal money before it expired. Unconscious incompetence all around!

  2. I have worked with/on computers my entire career. I have worked with systems built by the CIA. It is actually easy to build a system that tracks every keystroke, every change, who made the change, etc. In other words it would have been incredibly simple to build into the voting machines a system that would keep an entire record of everything including any attempts to change data. So even with a computerized system and no paper hard copies the system would have the ability to track everything. This was not required so it was not included in the design. Simple as that.

    Every close election in the last 50-plus years has likely been stolen. It could be prevented and it could be identified when it happens. For reasons that should be obvious the politicians fall all over themselves to prevent simple and effective methods of preventing voter fraud.

  3. More years ago than I care to admit, I worked for a consulting company that sometimes did some work for a company that made vote-counting equipment.
    We always took security seriously, assuming that no information was to be allowed to leak in nor out, and having fun brainstorming sessions to discuss countermeasures, counter-countermeasures, and Gee, It's A Shame We're Not Allowed To Use A Proper Destruct Charge In Our Crypto Module. Deploying general-purpose computers in the counting machines wasn't remotely an option (even if such things had been generally available back then).
    But, then, our chief engineer was a reservist in the Army Signal Corps, so he had some background in communications security. And, somehow, our best ideas turned out to be more than the client wanted to bother with.
    It looks disconcertingly like a lot of critical systems these days are developed by kids supervised by the marketing department, with no actual grown-ups involved in the process.

  4. There's ALWAYS the financial gain aspect to something like this... that's the obvious thing.

    Then there's the "avenue for exploitation... by accident? - Or by design?" angle.
    I've always been feeling a touch paranoid about electronic voting... we (meaning tech neanderthals such as myself) in the public could conceivably be hoodwinked into believing that our keystrokes on the vote stations are actually being counted in a manner that's less nefarious than software designed to clock "one for you, two for me" a la slot machine programming. Not sayin' I'm right, I'm jus' sayin'.