
Decertifying the worst voting machine in the US




Suzanimal
05-01-2015, 05:44 AM
On Apr 14 2015, the Virginia State Board of Elections immediately decertified use of the AVS WinVote touchscreen Direct Recording Electronic (DRE) voting machine. This seems pretty minor, but it received a tremendous amount of pushback from some local election officials. In this post, I’ll explain how we got to that point, and what the problems were.

...

I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me – as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.
Among the goodies VITA found:

The wireless connection uses WEP (which we knew). What we didn’t know is that a few minutes of wireless monitoring showed that the encryption key is “abcde”, and that key is unchangeable.

The system hasn’t been patched since 2004 (which we knew). What we didn’t know is that the system is running a whole bunch of open ports with active services. The report specifically notes that ports 135/tcp, 139/tcp, 445/tcp, 3389/tcp, 6000/tcp and 16001/tcp are all running unpatched services. (Layman’s explanation: the voting machines aren’t just voting machines, they’re also servers happy to give you whatever files you ask for, and various other things, if only you ask. Think of them as an extra disk drive on the network, that just happens to hold all of the votes.) (Obdisclosure: In retrospect, I *probably* could have figured this out a few years ago when I had supervised access to a WinVote with a shell prompt, but I didn’t think of checking.)

The system has a weak set of controls – it’s easy to get to a DOS prompt (which we knew). What we didn’t know is that the administrator password seems to be hardwired to “admin”.

The database is a very obsolete version of Microsoft Access, and uses a very weak encryption key (which I knew a couple years ago, but didn’t want to disclose – the key is “shoup”, as also disclosed in the VITA report). What we didn’t know is that there are no controls on changing the database – if you copy the database to a separate machine, which is easy to do given the file services described above, edit the votes, and put it back, it’s happy as can be, and there are no controls to detect that the tampering occurred.

The USB ports and other physical connections are only marginally physically protected from tampering. What we didn’t know is that there are no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant given how severe the other problems are.

And so on.

The amazing thing is that to find all this, VITA just scratched the surface, and mostly used off-the-shelf open source tools – nothing special. They didn’t have access to source code, or any advanced tools. Or said in other words, anyone within a half mile could have modified every vote, undetected.
So how would someone use these vulnerabilities to change an election?

Take your laptop to a polling place, and sit outside in the parking lot.

Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).

Connect to the voting machine over WiFi.

If asked for a password, the administrator password is “admin” (VITA provided that).

Download the Microsoft Access database using Windows Explorer.

Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.

Use Microsoft Access to add, delete, or change any of the votes in the database.

Upload the modified copy of the Microsoft Access database back to the voting machine.

Wait for the election results to be published.

Note that none of the above steps, with the possible exception of figuring out the WEP password, require any technical expertise. In fact, they’re pretty much things that the average office worker does on a daily basis.

Was it really necessary to decertify immediately? As quoted in the Washington Post, Richard Herrington, secretary of the Fairfax City Electoral Board said “No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system”. Herrington is wrong – this isn’t a remote possibility, but an almost certain reality. A high school student could perform undetectable tampering, perhaps without even leaving their bedroom. In short, the SBE’s decision was right. Now that the information is public on just how weak the systems are, it is inevitable that someone will try it out, and it will take only minutes to manipulate an election.

Why doesn’t the vendor just fix the problems? Well, they went out of business five years ago. Their domain is now owned by a Chinese organization of some sort. And even if they were still in business, this isn’t a matter of fixing a few problems – what VITA found was undoubtedly the tip of the iceberg.

Bottom line is that *if* no Virginia elections were ever hacked (and we have no way of knowing if it happened), it’s because no one with even a modicum of skill tried. The Diebold machines that got lots of bad press a few years ago were 100 times more secure than the WinVote.

...



https://freedom-to-tinker.com/blog/jeremyepstein/decertifying-the-worst-voting-machine-in-the-us/


http://www.ronpaulforums.com/showthread.php?122010-Need-Help-Virginia-Voting-Irregularities&highlight=AVS+WinVote
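The control the quoted post says WinVote lacked (nothing to detect that a copied, edited database was put back) can be shown with a tamper-evident record chain. This is an added example, not code from the post or from the WinVote system: it uses SQLite as a stand-in for the Access file, constructed sample votes, and assumes the HMAC key is kept by election officials off the machine rather than stored alongside the data the way WinVote's fixed key was.

```python
import hashlib
import hmac
import sqlite3

def open_tally_db(path=":memory:"):
    # Stand-in vote store (SQLite instead of Access); the column layout is constructed for this demo.
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE votes (seq INTEGER PRIMARY KEY, contest TEXT, choice TEXT, tag TEXT)")
    return con

def _tag(key, seq, contest, choice, prev_tag):
    # Each tag covers the record and the previous tag, so a changed, deleted or
    # inserted record breaks the chain. The key is assumed to live off the machine.
    msg = repr((seq, contest, choice, prev_tag)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def record_vote(con, key, contest, choice):
    row = con.execute("SELECT seq, tag FROM votes ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (row[0] + 1, row[1]) if row else (1, "GENESIS")
    tag = _tag(key, seq, contest, choice, prev)
    con.execute("INSERT INTO votes VALUES (?, ?, ?, ?)", (seq, contest, choice, tag))
    con.commit()
    return tag  # the caller records the latest tag off-machine as the expected head

def verify_chain(con, key, expected_head):
    prev, n = "GENESIS", 0
    for seq, contest, choice, tag in con.execute("SELECT seq, contest, choice, tag FROM votes ORDER BY seq"):
        n += 1
        if seq != n or not hmac.compare_digest(tag, _tag(key, seq, contest, choice, prev)):
            return False, f"record {seq} failed verification"
        prev = tag
    if not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch: records were appended or removed"
    return True, f"{n} records verified"

def demo_tampering(key=b"constructed-demo-key"):
    # Records three constructed votes, then applies each edit a copied database
    # invites (change, add, delete) and reports whether verification catches it.
    con = open_tally_db()
    for contest, choice in [("Mayor", "A"), ("Mayor", "B"), ("Mayor", "A")]:
        head = record_vote(con, key, contest, choice)
    results = {"untouched": verify_chain(con, key, head)[0]}
    con.execute("UPDATE votes SET choice = 'A' WHERE seq = 2")           # change a vote
    results["changed"] = verify_chain(con, key, head)[0]
    con.execute("UPDATE votes SET choice = 'B' WHERE seq = 2")           # restore it
    con.execute("INSERT INTO votes VALUES (4, 'Mayor', 'A', 'forged')")  # add a vote without the key
    results["added"] = verify_chain(con, key, head)[0]
    con.execute("DELETE FROM votes WHERE seq >= 3")                      # delete votes
    results["deleted"] = verify_chain(con, key, head)[0]
    return results
```

Only the untouched database verifies; every edit made to a copy and written back is reported, which is exactly the detection the quoted report found absent.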

tangent4ronpaul
05-01-2015, 05:58 AM
Well there goes VA :rolleyes: J/K