It’s nearly time for my annual pilgrimage to Vegas, the Holy Week of Black Hat and Defcon, so I’m going to re-up this post I shared elsewhere last year on the voting machine vulnerabilities discovered by the attendees. It’s really interesting, especially if you value our electoral system and are tired of hearing about Russian hackers and collusion. Since 1997, I’ve attended Defcon, and though I’ve missed a few years, and have only hovered on the periphery of the community, I’ve learned a few things by osmosis, and I have enough information to scoff scornfully whenever it is revealed that our government or various foreign agents have been spying on us. Or that we as consumers have given away our privacy in exchange for the convenience of having the same porn on all of our Apple devices.
I normally take a day or two to wander the Strip, and then hit the con on Saturday, but the talks of 2017 – specifically the voting machine hacking village – really caught my attention. It was where my interest in politics and information dovetailed, which made me get up earlier to take notes and watch people do stuff I didn’t really understand. Fortunately, I found someone to explain it to me, and this is the result.
“Note: A “DRE voting machine” is an abbreviation for “direct-recording electronic” voting machine which designates a voting system that records votes directly to some sort of digital storage or memory, in contrast to optical scan systems that read the voter’s marks directly off of ballot paper. Also, an electronic pollbook is a system that essentially replaces the spiral-bound lists of registered voters in every polling place by putting that functionality into a laptop, tablet, or kiosk-like computing platform.” — Joseph L Hall
So basically, what did the demo we just saw tell us? How easy was it really to “break into” the WinVote machine on display?
The village in general showed us that there is still considerable work that needs to be done to secure the DRE voting machines.
The majority of these machines were compromised very quickly once physical access was granted, but the AVS WinVote was compromised wirelessly in under 90 minutes.
Also, simply attaching a keyboard to the unsecured, user-accessible USB ports on the back of the WinVote DRE and hitting Ctrl+Alt+Del allows you to bypass the voting application and access the underlying OS (Windows XP).
Fun fact: the exploit that was used to remotely compromise the WinVote DRE was MS03-26-DCOM, an exploit from 2003.
As to the difficulty, there were a variety of different attack vectors that could be leveraged to varying degrees of severity on each of the DREs at the village.
We were just talking about the WinVote DRE, but there were other DREs (ExpressPoll) that had serious security flaws; for example, exposing the PII of some 654,517 voters.
In this instance voter status, DOB, Precinct ID, country, party, language, last 4 of SSN, driver's license, affidavit number, address, first, middle, and last name, and name prefix or suffix were identified.
Others took physical access to the internals of the device to compromise it.
How practical would those steps taken be in a real voting situation? You wouldn’t have enough time for that stuff, would you?
Depends. This was just the tip of the iceberg, so to speak. I think more analysis needs to be done on the entire DRE posture before anything can be said for certain.
That being said, some of the vulnerabilities identified are absolutely practical and an attacker could very well have time to execute.
Physically compromising one voting machine is one thing but compromising that same machine within the confines of a controlled environment is another.
Bottom line: The integrity of the voting/polling data is only as strong as the virtue and vigilance of the poll workers. There is a documented instance of a poll worker compromising the WinVote DRE to play Minesweeper on it.
If a machine can be compromised, what would the practical applications be?
Well, in the case of the WinVote DRE, it would really depend on the people setting this up. For example, if the wireless networking was left on (as it is by default), the system could be compromised remotely and votes could be read and changed, PII of voters obtained, or the machine simply turned off.
Furthermore, pivoting from this voting machine into deeper areas of the network would become trivial. It would really just come down to the goals of the attacker.
- PII of voters — enough said there.
- Undermining the confidence of the voting process is probably the easiest thing to accomplish.
- Technical compromise and vote manipulation coupled with the lack of confidence a PsyOps campaign would cause could realistically sway an actual vote.
So “they” – election officials, politicians – kept telling us that this was impossible. That it could never happen. Have they just been proven wrong?
Absolutely. We are dealing with closed systems that were not developed or designed with security in mind. Couple that with the fact that these systems are not patched and are running old firmware, and you have a very soft target.
Best case scenario here is that no one was aware that vulnerabilities like these existed (and I assure you there are more yet to be discovered) and “they” were simply giving assurances without data. I would need a lot of tin-foil if I were to go down the rabbit hole that is the worst case scenario.
So how can we “protect the integrity of our elections” to use the words we’ve been hearing annoyingly often since this most recent dumpster fire election?
Bottom line, the cat is out of the bag and voters should be demanding assurances and accountability with regard to digital voting. There needs to be a mindset shift as we start leveraging DREs for future elections:
- Build standardizations for the physical machine and user interface that all companies must adhere to
- Decommission standards to wipe any stored data prior to being circulated into the general public
- Independent analysis on systems prior to being leveraged for live voting/polling
- Community analysis to verify that what the builder and independent researchers identified was adhered to or resolved.
- Usage of strong end-to-end crypto
- Two-factor authentication
- Vigilant polling staff
- While all these machines were independently tested, it just goes to show the value in transparency and community evaluations.
- The voting village was only open for a total of about 25 hours; given more time and resources I have no doubt that additional vulnerabilities would have been discovered.
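To make the "strong crypto end to end" and "integrity of the voting/polling data" points above concrete, here is an added example, written for this page and not code from the village, TJ, or any voting-machine vendor. It models a tamper-evident tally log: each stored ballot record is bound to the one before it by a hash chain, and each entry carries an HMAC-SHA256 tag, so a silently changed or deleted vote (the "votes could be read and changed" scenario described earlier) is detected by a verifier rather than trusted. The key, field names, and ballots are all constructed for the demo.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key (or a signing key with a
# published verification key) would live in a hardware token or HSM, never in
# the clear on a general-purpose machine where OS access would expose it.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so the same record always tags the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, record: dict, key: bytes = DEMO_KEY) -> dict:
    """Append a ballot record whose tag binds it to the previous entry's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "prev": prev_tag, "record": record}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = {**body, "tag": tag}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = DEMO_KEY) -> tuple:
    """Return (ok, index): ok is True if every tag and chain link checks out;
    otherwise index is the position of the first entry that fails."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry["record"]}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (entry["seq"] != i
                or entry["prev"] != prev_tag
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev_tag = entry["tag"]
    return True, -1


def tally(log: list) -> dict:
    """Count choices; only meaningful after verify_log says the log is intact."""
    counts = {}
    for entry in log:
        choice = entry["record"]["choice"]
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def demo() -> dict:
    """Build a small constructed log, then show that modification and deletion are caught."""
    log = []
    for ballot, choice in enumerate(["A", "B", "A", "A", "B"], start=1):
        append_record(log, {"ballot": ballot, "choice": choice})
    ok_before, _ = verify_log(log)

    # Simulate a stored vote being flipped in place: the tag no longer matches.
    modified = copy.deepcopy(log)
    modified[2]["record"]["choice"] = "B"
    ok_modified, bad_modified = verify_log(modified)

    # Simulate a record being removed from the middle: seq/prev links break.
    deleted = copy.deepcopy(log)
    del deleted[1]
    ok_deleted, bad_deleted = verify_log(deleted)

    return {
        "ok_before": ok_before,
        "tally_before": tally(log),
        "ok_modified": ok_modified,
        "bad_modified": bad_modified,
        "tally_modified": tally(modified),
        "ok_deleted": ok_deleted,
        "bad_deleted": bad_deleted,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would want stated: first, a chain like this detects changes and deletions inside the log but not truncation of the most recent entries, so the final tag must be published or witnessed (printed on the closing tape, read out, or sent to a separate system) at poll close for truncation to be detectable; second, a symmetric key stored on the machine itself buys nothing against someone who already has OS access, which is exactly why the list above pairs "strong crypto" with independent analysis, decommissioning standards, and vigilant staff.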
This should be a wake-up call for all parties involved and specifically the American people. As we start to leverage and rely on technology, that technology needs to be vetted (voting machines, medical devices, internet-connected things, etc.). If it is not, we leave ourselves open to fraud and manipulation on larger and larger scales.
TJ Horner