March 22, 2018

UNLOCKING DEMOCRACY: Inside the Most Insecure Voting Machines in America

Like hundreds of thousands of other Virginians, I’ve been casting ballots for over a decade using Winvote voting machines. I now have physical proof of how catastrophically insecure those machines are.

It’s a tiny key that opens the plastic door hiding the USB port on every Winvote terminal.

This keepsake came my way at an eye-opening presentation about voting-machine security at this past Tuesday’s Usenix Security Symposium in Washington.

Jeremy Epstein, a security scientist with SRI International, has spent years investigating the weaknesses of these and other electronic voting systems. But even he didn’t know how bad Winvote terminals were until this past April.

That’s when the Virginia Information Technologies Agency condemned the security of these machines and banned them from the commonwealth. Their only remaining use was, literally, as a lesson to others.

Epstein led off his talk by asking the audience if any of us would like a Winvote key. (“All the keys are the same for every Winvote that’s ever been made, because that way it’s easier,” he pointed out.) How about one of the smart cards that poll workers used to administer these machines?

I took one of each. He also offered us one of the spare Winvote terminals he had stashed in his car, but I passed on that.

The e-voting gold rush

In the aftermath of the 2000 election, Congress passed the Help America Vote Act of 2002. Among other things, the Act banned punched-card and mechanical-lever voting machines. That in turn led to a rush to implement digital voting systems such as Winvote.

Outside of Virginia, only a few counties in Pennsylvania and Mississippi adopted Winvote (from the now-defunct Frisco, Tex.-based Advanced Voting Systems). But Winvote terminals had much in common with other electronic voting machines of that time: They were built to win government contracts. And they were based on general-purpose Windows platforms that made them needlessly complex and vulnerable to exploits.

On top of that, vendors paid too little attention to configuring those systems for security. (See, for example, the flaws in Diebold’s voting machines that Johns Hopkins University professor Avi Rubin documented soon after Maryland agreed to spend $55 million deploying them statewide.) The geniuses behind Winvote, however, botched the job worse than anybody else.

It wasn’t just the horrible voter interface. (My favorite example of that: When you chose a candidate on the Winvote touchscreen, your choice was highlighted in red, with an “X” next to it — which by any normal interface standards looked very much like you were voting against that person.) The innards were even worse.

As Epstein explained in his autopsy Tuesday:

• Winvote’s machine runs a version of Windows XP that hasn’t had patches installed since 2004 — four years before AVS deservedly went out of business.

• Its wireless network is “safeguarded” with insecure WEP encryption — and the password is abcde.

• The Windows admin password is (no, I’m not making this up) admin.

• Windows file-sharing is left on.

• The machine tracks votes using an obsolete version of Microsoft Access, in which the unencrypted database file is “protected” with a five-character password that a security tool cracked in seconds. (That password — shoup — apparently refers to a voting-machine company with a history of criminal indictments.)

• The system doesn’t log changes to that file.

• You can’t turn off the WiFi; if you remove the wireless card, the device won’t boot.

All that, Epstein explained, made it trivial to edit election results from a polling place’s parking lot: Connect to the WiFi, log into Windows, download the Access file, unlock and edit it, upload it, then sit back and watch the election results.

“You don’t need to write a single line of code,” he said. “This is not hacking in any meaningful sense of that word.”
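As an added illustration (not from the article or from Epstein’s talk) of what the missing change log in the findings above would have to provide: an office-keyed, hash-chained log of results-file versions, so that an edit to the file that was never logged, or a log entry forged without the key, fails verification. The results file and the key are constructed stand-ins for the Access database and for a key the election office keeps off the terminal.

```python
import hashlib
import hmac

# Constructed stand-in for the Winvote results database (the real one is an Access file).
RESULTS_V0 = b'{"Coleman": 10194, "Lewis": 10203}'
# Hypothetical sealing key held by the election office and never stored on the terminal.
OFFICE_KEY = b"hypothetical-office-key-not-on-terminal"


def seal(file_hash: str, prev_tag: str, key: bytes) -> str:
    """HMAC over (previous tag || file hash): each entry commits to the whole chain."""
    return hmac.new(key, (prev_tag + file_hash).encode(), hashlib.sha256).hexdigest()


def record_change(log: list, results: bytes, key: bytes) -> dict:
    """Append a log entry for the current results file; only a key holder can do this."""
    file_hash = hashlib.sha256(results).hexdigest()
    prev_tag = log[-1]["tag"] if log else ""
    entry = {"sha256": file_hash, "tag": seal(file_hash, prev_tag, key)}
    log.append(entry)
    return entry


def verify(log: list, current_results: bytes, key: bytes) -> bool:
    """True only if every log entry carries a valid tag and the file on disk matches
    the last logged version. An unlogged edit (file changed, log did not) fails the
    hash check; an entry forged without the key fails the tag check."""
    if not log:
        return False
    prev_tag = ""
    for entry in log:
        expected = seal(entry["sha256"], prev_tag, key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False
        prev_tag = entry["tag"]
    return hashlib.sha256(current_results).hexdigest() == log[-1]["sha256"]


def demo() -> tuple:
    """Seal the close-of-polls file, then silently change one total as the article
    describes; the second check fails because the edit was never logged."""
    log = []
    record_change(log, RESULTS_V0, OFFICE_KEY)
    ok_before = verify(log, RESULTS_V0, OFFICE_KEY)
    edited = RESULTS_V0.replace(b"10194", b"10214")  # constructed: nine-vote margin flipped
    ok_after = verify(log, edited, OFFICE_KEY)
    return ok_before, ok_after  # (True, False)
```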

Panacea or poison

I knew all that from reading Virginia’s damning report, but being reminded of this idiotic use of my tax dollars — which might have continued had poll workers not complained that Winvote terminals crashed when they tried to download music on their iPhones — made me angry all over again.

Then I looked up some of the closer election results in recent Virginia elections — such as the 2014 special election for state senate in which Lynwood Lewis (D) defeated Burwell Coleman (R) by all of nine votes — and got seriously nervous.

We will never know with certainty whether tampering with Winvote machines actually affected the outcome of an election. The only thing we know for sure is that we put too much trust in the idea of upgrading analog systems to digital ones — the Help America Vote Act of 2002 didn’t require election officials to use computers as voting terminals — and then threw money at the wrong vendors.

The cities and counties that invested in the Winvote loser weren’t alone in deluding themselves about a digital upgrade fixing everything. As later Usenix sessions Tuesday made clear, they’ve got company.

In Australia, an online election was left vulnerable to tampering by insecure third-party analytics code on the voting site. Here in the U.S., “verified voting” systems confuse voters trying to confirm that their ballot was recorded properly and then see many incorrect receipts go unreported anyway.

We have to be smarter and more skeptical about this, because our choices in voting systems are usually long-term decisions. “Once they’re here, they stay here for a long time,” Epstein said. “What is the threat model going to look like in 2025 or 2030?”