A recent report released by the Virginia Information Technologies Agency (VITA) showed that the state’s WINVote voting devices had severe vulnerabilities that could compromise the validity of elections. SecureState encounters security deficiencies similar to the ones identified in the report on a regular basis. These vulnerabilities and security gaps take on an added importance since voter confidence in the validity of elections is the backbone of a functioning democracy. Below, we outline the major voting machine vulnerabilities identified in the report and our recommendations to parties responsible for managing elections.
WEP Protocol: The WINVote voting machines use WEP-enabled networks, a notoriously weak encryption protocol, to communicate wirelessly. The tools and techniques for attacking WEP networks have been around for several years, making this encryption method obsolete. These tools can crack a complex WEP key in 30 seconds, and could compromise these machines in much less time since they are hard coded with the password “abcde”. When the weaknesses in WEP were identified around 2001, WPA was rolled out as a quick-fix, with WPA2 adopted as the industry standard in 2004. The hardware built to support WEP originally cannot support WPA2, which could mean that current voting machines are incapable of meeting the current standard and will have to be replaced (or at least receive significant upgrades).
Unpatched Windows XP System: The WINVote machines run Windows XP Embedded 2002. Unlike other versions of XP, whose end-of-life passed last year, Microsoft will continue to support this system until January 12, 2016. This looming deadline certainly limits the number of elections that the WINVote machines can safely be used in. However, even if Microsoft continued to support the machines for the next twenty years it would make little impact since the study shows that the machines have not been patched since at least 2004 (and likely have never been patched).
Weak Administrator Password: The administrator password “admin” in use on the WINVote machines is incredibly weak and can be brute-forced by an attacker very quickly. After a successful exploitation, an attacker would have full control of the electronic voting machine and can begin focusing on finding and compromising vote counts.
Microsoft Access Database not Encrypted: In what is probably the most extreme vulnerability, voting results were stored in an unencrypted Microsoft Access database. The database was “protected” by a weak password (“shoup”) that the assessors were able to crack in 10 seconds. With no encryption in place, attackers with the recovered password would then have immediate access to the database. Since there are no auditing or logging functions in place, attackers can manipulate vote counts undetected. SecureState would expect voting machine manufacturers to use a more robust database solution (such as MS SQL) that is more widely supported and protected.
If you are a state or local government that uses the WINVote machines, your elections are vulnerable to a host of cyber-attacks. Many of the vulnerable configurations, such as the use of WEP, are hard-coded into the machines and cannot be changed. Your safest option is to discontinue any planned use of the machines and find a more secure replacement. Even if you are using other electronic voting machines, it is highly likely that they have similar vulnerabilities, especially if they have previously passed the same certification standards as the WINVote machines. SecureState recommends you take the following steps to verify security controls and protect the sanctity of your elections:
Perform Security Assessments: One of the most surprising facts in the VITA report is that the security study was only conducted in response to an error message on some of the machines. Had this error never occurred, the commonwealth of Virginia would likely still be unaware that they were using easily compromised voting machines. You can protect yourself by performing proactive security assessments to test the physical and logical security controls in place on the voting machines. Security assessments can include a device attack and penetration tests, vulnerability scans, and configuration reviews. Assessments should encompass the entire infrastructure, not just an individual machine.
Review Your Security Standards: State and local governments should review any policies, regulations, and laws surrounding the use of electronic voting machines. The Election Assistance Commission recommends that the NISTcontrols framework be used as a minimum baseline for security controls.
Implement a Patch Management Program: Virginia’s WINVote machines had not been patched since at least 2004. Local and state governments should look into a patching program that fits their frequency of electronic voting machine use and personnel resources.