We Now Have Corporate Sponsorship
It’s nearly time for my annual pilgrimage to Vegas, the Holy Week of Black Hat and Defcon, so I’m going to re-up this post I shared elsewhere last year on the voting machine vulnerabilities discovered by the attendees. It’s really interesting, especially if you value our electoral system and are tired of hearing about Russian hackers and collusion. Since 1997, I’ve attended Defcon, and though I’ve missed a few years, and have only hovered on the periphery of the community, I’ve learned a few things by osmosis, and I have enough information to scoff scornfully whenever it is revealed that our government or various foreign agents have been spying on us. Or that we as consumers have given away our privacy in exchange for the convenience of having the same porn on all of our Apple devices.
I normally take a day or two to wander the Strip, and then hit the con on Saturday, but the talks of 2017 – specifically the voting machine hacking village – really caught my attention. It was where my interest in politics and information dovetailed, which made me get up earlier to take notes and watch people do stuff I didn’t really understand. Fortunately, I found someone to explain it to me, and this is the result.
Note: “A ‘DRE voting machine’ is an abbreviation for ‘direct-recording electronic’ voting machine, which designates a voting system that records votes directly to some sort of digital storage or memory, in contrast to optical scan systems that read the voter’s marks directly off of ballot paper. Also, an electronic pollbook is a system that essentially replaces the spiral-bound lists of registered voters in every polling place by putting that functionality into a laptop, tablet, or kiosk-like computing platform.” (Joseph L. Hall)
So basically, what did the demo we just saw tell us? How easy was it really to “break into” the WinVote machine on display?
The village in general showed us that there is still considerable work that needs to be done to secure the DRE voting machines.
The majority of these machines were compromised very quickly once physical access was granted, but the AVS WinVote was compromised wirelessly in under 90 minutes.
Also, simply attaching a keyboard to the non-secured, user accessible USB ports on the back of the WinVote DRE and hitting ctrl+alt+del allows you to bypass the voting application and access the underlying OS (Windows XP).
Fun fact: the exploit that was used to remotely compromise the WinVote DRE was MS03-26 (DCOM), an exploit from 2003.
As to the difficulty, there were a variety of different attack vectors that could be leveraged to varying degrees of severity on each of the DREs at the village.
We were just talking about the WinVote DRE, but there were other DREs (ExpressPoll) that had serious security flaws; for example exposing the PII of some 654,517 voters…
In this instance voter status, DOB, Precinct ID, country, party, language, last 4 of SSN, driver’s license, affidavit number, address, first, middle and last name, and name prefix or suffix were identified.
Others took physical access to the internals of the device to compromise it.
How practical would those steps taken be in a real voting situation? You wouldn’t have enough time for that stuff, would you?
Depends. This was just the tip of the iceberg, so to speak. I think more analysis needs to be done on the entire DRE posture before anything can be said for certain.
That being said, some of the vulnerabilities identified are absolutely practical and an attacker could very well have time to execute.
Physically compromising one voting machine is one thing but compromising that same machine within the confines of a controlled environment is another.
Bottom line: The integrity of the voting/polling data is only as strong as the virtue and vigilance of the poll workers. There is a documented instance of a poll worker compromising the WinVote DRE to play Minesweeper on it.
If a machine can be compromised, what would the practical applications be?
Well, in the case of the WinVote DRE, it would really depend on the people setting this up. For example, if the wireless networking was left on (as it is by default), the system could be compromised remotely: votes could be read and changed, PII of voters obtained, or the machine simply turned off.
Furthermore, pivoting from this voting machine into deeper areas of the network would become trivial. It would really just come down to the goals of the attacker.
- PII of voters — enough said there.
- Undermining the confidence of the voting process is probably the easiest thing to accomplish.
- Technical compromise and vote manipulation coupled with the lack of confidence a PsyOps campaign would cause could realistically sway an actual vote.
So “they” (election officials, politicians) kept telling us that this was impossible. That it could never happen. Have they just been proven wrong?
Absolutely. We are dealing with closed systems that were not developed or designed with security in mind. That, coupled with the fact that these systems are not patched and are running old firmware, makes for a very soft target.
Best case scenario here is that no one was aware that vulnerabilities like these existed (and I assure you there are more yet to be discovered) and “they” were simply giving assurances without data. I would need a lot of tin-foil if I were to go down the rabbit hole that is the worst case scenario.
So how can we “protect the integrity of our elections” to use the words we’ve been hearing annoyingly often since this most recent dumpster fire election?
Bottom line, the cat is out of the bag and voters should be demanding assurances and accountability with regards to digital voting. There needs to be a mindset shift as we start leveraging DREs for future elections:
- Build standardizations for the physical machine and user interface that all companies must adhere to
- Decommission standards to wipe any stored data prior to being circulated into the general public
- Independent analysis on systems prior to being leveraged for live voting/polling
- Community analysis to verify that what the builder and independent researchers identified was adhered to or resolved.
- Usage of strong crypto end to end
- Two factor authentication
- Vigilant polling staff
- While all these machines were independently tested, it just goes to show the value in transparency and community evaluations.
- The voting village was only open for a total of about 25 hours; given more time and resources, I have no doubt that additional vulnerabilities would have been discovered.
This should be a wake-up call for all parties involved and specifically the American people. As we start to leverage and rely on technology, that technology needs to be vetted (voting machines, medical devices, internet-connected things, etc.). If it is not, we leave ourselves open to fraud and manipulation on larger and larger scales.
Resources:
TJ Horner [1]
Defcon [1]
Emily Gorcenski [1]
Last I heard this was getting fixed, slowly.
14 years too late, but that’s America for you.
https://www.engadget.com/2018/02/10/pennsylvania-requires-voting-machine-paper-backup/
This is really good stuff. Worrying, obviously.
I am pretty adamant about paper backups for everything. Of course, I am against electronic voting as a matter of course. But if we’re going to do it! I mean, even if it doesn’t get hacked, we don’t want the question hanging out there.
“We are dealing with closed systems that were not developed or designed with security in mind. Coupled with the fact that these systems are not patched and are running old firmware makes for a very soft target.”
eeep.
Is it too soon to suggest we just poll directly on Facebook?
Dude. Awesome post.
Speaking of Vegas, why don’t we put the slot machine people in charge of voting machines?
As an IT dude, I can tell you that this may be one of the smartest decisions. They are #1 for being on the ball about all things leading to correctness of output. (Physical security, digital security, trust models, failure modes.) There is a small risk that they may not be able to modify their $s based methodologies for government work, but they, in general, are the best there is.
It will never ever ever happen though.
You know, Vegas casinos have a fantastic rep for dealing with cash integrity, I don’t see why we don’t put that level of scrutiny towards our voting procedures.
Unless that isn’t really what is wanted…
The biggest reason is cost. It is crazy expensive to manage even the physical security of slot machines. Nearly everything is done by at least 2 people, parts from end to end are monitored 24×7. Development takes an age and the product is archaic by the time it is first deployed. This means large expenses for parts that will be in production for decades OR purchasing ahead and warehousing with requisite monitoring.
And then 11 wise guys come along and loot the place anyway.
Not since the faceless corporations took over.
ATMs have better security than voting machines, which is weird because last I checked at least one brand of voting machine was made by a company that makes ATMs.
One of the things I’d like to see is a study of the economics of voting machines. They’re purchased by state/local governments, where budgets have been tight for at least the last decade. What happens to a vendor who says, “We’ve built in the same level of security as we use in our ATMs,” then gets a response, “Yeah, but your price per unit is 50% higher than the competition.”?
Another motto for Vegas should be Quis custodiet ipsos custodes?
The key to Vegas’s business model (besides house advantage) is a level of staffing that most other industries would find uneconomical, or at least redundant. Just about every task has one or two people doing the work, one or two people watching them, and then another one or two people watching the people who are watching.
So when I was proofing this yesterday, I was all in Serious Reading Mode (and it’s pretty serious stuff!) and you still made me laugh out loud twice. The minesweeper bit is glorious. I realize it’s TRUE, but that just makes it more glorious. Had to explain what I was reading to my student worker and he appreciated it / was appalled by it too.
Okay, let’s go through this list:
Build standardizations for the physical machine and user interface that all companies must adhere to
There are already standards. They are usually completely ignored.
Decommission standards to wipe any stored data prior to being circulated into the general public
This…isn’t really an election security thing. I mean, yes, all governments, heck, all institutions, should have decommissioning standards, but that is just general government stupidity.
Usage of strong crypto end to end
Are you alleging vote tampering is going to happen while transmitting the results across the internet? If not, then this isn’t really solving anything.
Two factor authentication
For who?
The voting village was only open for a total of about 25 hours, given more time and resources I have no doubt that additional vulnerabilities would have been discovered.
I think your tense is a bit wonky. Voting machines have been stolen, years ago. All the security issues on them are already for sale.
Events like this are just hackers screwing around. No real prep, unrealistic time limitations, it’s sorta a friendly competition. Who can figure out what exploit will work? Can we load new firmware? Can we guess a password? As soon as someone figures out some new information, they yell it out so they get credit for discovering it. Hackers love being shoved into the deep end like this for a challenge.
How far those guys got in a day shouldn’t be confused with how utterly hacked those machines have been by professionals that have already spent resources, money, and months on them.
Although honestly the DEFCON hackers got so far, and the security was revealed to be such utter crap, that that alone should cause everyone to swear off the things.
Vigilant polling staff
Voting staff in my state have, repeatedly, allowed representatives of the voting machine company to walk into precincts and make software alterations to ‘fix’ already certified machines, in violation of both the law and common sense. While this is indeed a problem, somehow I suspect this is not what people mean when they list ‘Vigilant polling staff’.
If by ‘Vigilant polling staff’, you mean ‘paying attention to see if someone is hacking’, anything that can be done with a ‘USB keyboard’ can be done with a tiny USB device that plugs in, pretends to be a keyboard, and runs a script. All while the malicious voter can keep making vague voting-ish gestures.
To be continued…
Re build standards: if they are being ignored, the companies should be held accountable and have their contract. There needs to be end-to-end compliance and auditing. There need to be randomized checks.
Re decom standards: any govt entity has decom standards and if they aren’t being adhered to, someone needs to be held accountable. See audit and compliance reporting.
Re strong crypto: there is no reason that ANYTHING should be unencrypted. As not all vulnerabilities are known, having end to end encryption mitigates potential exploitation vectors.
“All of the security issues are for sale”
Fake news. While some voting machines may have been stolen, data-scraped, and the info sold, there are several different kinds of voting machines and not all of them have been exploited—yet. This makes the case for end-to-end encryption.
Voting machines won’t be scrapped. This is why we need to pay attention to this, take it seriously and make changes.
Re vigilant polling staff: the staff at the polls in your state should be held accountable. Training and a layered security model is obviously a must. Training polling staff to recognize aberrant behavior would be helpful.
Fake news. While some voting machines may have been stolen, data-scraped, and the info sold, there are several different kinds of voting machines and not all of them have been exploited—yet.
You realize that all that stuff at DEFCON was purchased? DEFCON sometimes looks the other way at lawbreaking by hackers, but I kinda doubt they were willing to buy and publicly display stolen property. There’s no magical rule that says only governments can buy these machines, or that they won’t sell them on gov surplus sites when they are finished, and thus hackers finding exploits do not need to steal the code.
Meanwhile, my state currently operates off machines whose manufacturer (Diebold) idiotically released the source code to on the internet. No one needed to ‘steal’ that code.
Or, let’s flip the question around: You assert that not all voting machines have been exploited. So please list one of them, in current usage anywhere in the US, that you think could not already have been exploited at this time.
This makes the case for end-to-end encryption.
End-to-end encryption has almost nothing to do with this topic whatsoever. The only information that should possibly be transmitted over the internet is, hypothetically, voting tallies from each precinct, but those should be confirmed by precinct workers.
The fact that people are transmitting anything else demonstrates they know nothing about computer security, but, hey, we already knew that.
Of course, now that I’ve said that, I recall that, as part of the examination of Diebold code, it was discovered that despite using smart cards to trigger the ability of voters to cast ballots, those smart cards were not encrypted.
That’s not really lack of encryption of any data (the smart cards literally just contained triggers telling the machines how to act, not vote totals or voter information), but it does mean anyone could make their own smart card and appoint themselves administrator. Or, more fun, program it not to toggle the ‘already cast a ballot’ bit (which the voting machine tries to flip on after you have voted), and vote an infinite amount of times, or until the election administrators got tired of them tying up a machine.
The entire premise of using a smart card over directly accessible flash memory is that the reader sends a password or code or something to ‘unlock’ the smart card, and only after that can the reader read and write the card. Otherwise you might as well use a USB flash drive or something. But Diebold was so stupid they didn’t understand that. I guess they thought the reason smart cards were secure was ‘Not that many people have smart card readers, and what bits would need to be set are _secret_. (And now let us publish our source code on the internet, herp derp.)’
But, then again, we already have plenty of evidence that DRE companies have no idea of how the concept of security even functions in any manner whatsoever. At this point, it’s rather akin to complaining how our dog seems to have no idea how to use a knife and fork.
—
But, none of that is actually important anyway.
In fact, discussing the fact that every single DRE ever produced in the entire history of the planet has been complete and utter crap security-wise by having blatantly obvious problems, and everyone screams and yells about the practical problems…makes it easy to ignore the fundamental problems of the fact we can never be sure what is actually happening inside a computer, and even if we had a perfectly designed system, we still cannot actually trust it. The entire concept is nonsense from the start.
It’s like we’re in a broken airplane on the moon plummeting towards the ground, and a lot of people are running around complaining about the broken engine and flaps and everything, and some people are even trying to fix them or explain why they are broken and how airplanes should be designed in the future…
…and meanwhile there’s a group of us over here saying ‘What the hell are you talking about? We’re on the moon. Airplanes don’t work on the moon. Not because they are broken, but because they literally cannot operate without an atmosphere. We _should not be using airplanes_ for this. Why did we even _start_?’
To paraphrase Douglas Adams, as I always do about electronic voting: DRE’s massive but unobvious security flaws in the entire premise are completely hidden by DRE’s massive and obvious security flaws in the various implementations.
But those were all practical problems. Here are the theoretical ones:
Independent analysis on systems prior to being leveraged for live voting/polling
Community analysis to verify what that builder and independent researchers identified were adhered to or resolved.
‘Okay, I’m here to analyze this machine. Please disassemble that ROM chip so I can check the firmware on it via my electronic scanning microscope.’
I doubt they will do that.
Heck, they won’t even let me plug the voting machine hard drive into my own computer to analyze it, which means I have to trust an untrusted computer to tell me that it, or some other computer, can be trusted.
It is like someone shows up at your door and says ‘I am the IRS, you have to pay us money right now’, and you’re like ‘I think you are fake’, and his solution is to produce documentation signed by the head of the IRS, and, just in case you’re not sure, he brought a guy with him who has a fancy machine that will confirm the signature.
‘Here, let me write you a check. What, I shouldn’t make it out to the Treasury Department? Well, that seems weird, but that machine you drove up with says you’re legit, so I have no choice but to believe you.’
No. Just, no.
If I cannot use my own equipment to confirm that a voting machine at least contains exactly the software people say it does, and nothing that could tamper with the output, I cannot possibly analyze the machine. And a computer can’t show me information on its own screen to prove that it itself is something. That is nonsense.
And of course the obvious response to that is ‘Wait, if the hard drive is hooked to your computer, how do we know you didn’t tamper with it. Now we have to check it with our computer…and then you have to check it back with yours…and…hrm…’.
That is a good point. Why, it’s almost as if this cannot work at all.
While all these machines were independently tested, it just goes to show the value in transparency and community evaluations.
Anyone who is serious about the ‘community evaluation’ of DRE machines would have to almost immediately admit the ‘community evaluation’ of DRE voting machines by the security community is nearly 100% ‘We should not have DRE voting machines, period, full stop.’.
Saying we should have community evaluations of our DRE voting machines is sorta like saying ‘People who operate dog fights should have the ASPCA evaluate how humane they are’. I’m not sure what outcome people expect from that, but it’s a weird request.
No one is suggesting that maintenance/evaluation should be done AT the physical polling place. I assumed it would be understood that these evaluations would take place before any new models/machines would be rolled out.
Voting machines aren’t going away. There’s no reason these machines should be treated any differently than any hardened system.
No one is suggesting that maintenance/evaluation should be done AT the physical polling place. I assumed it would be understood that these evaluations would take place before any new models/machines would be rolled out.
I’m not unreasonable. I’m perfectly willing to bring my computer anywhere local-ish to hook up the hard drives and inspect them, if the voting machines are then kept under seal and no one is allowed to alter them before the election.
Weirdly, this is not something that is offered by anyone.
In fact, I don’t even seem to have access to a _disk image_ of what the hard drives of those machines are supposed to contain, which would at least let me look through it for backdoors and, perhaps, have some trusted third party confirm that image is what is actually on the hard drive.
There’s no reason these machines should be treated any differently than any hardened system.
I am not talking about ‘hardening’. Voting machines do, indeed, need to be hardened, but that is not the only reason why the public needs to check them.
In any other hardened system, the entity doing the hardening is hardening them only against _other people_. Whereas in a voting system, we have to make sure the entity that did the hardening didn’t, _itself_, set up something we don’t want.
Which actually restricts the amount of hardening we can allow in the system. In something like an ATM or whatnot, the designer can set up a black box that has limited inputs and limited outputs, and as long as the black box properly checks those inputs, it is secure.
In a voting tabulator, we cannot allow that. If the system is a black box and we cannot see how it works, we cannot know that, for example, a specific input configuration (aka, a specific vote, or a specific date, or a pattern of votes) does not trigger code altering certain votes.
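The check the commenter above is asking for, a reference disk image that an auditor can compare against what is actually on a machine's drive, as an added example (not code from the original post or from any voting-machine vendor). Both images are constructed in memory here; the 512-byte block size and the image contents are assumptions for the example.

```python
"""Compare an acquired drive image against a published reference image.

Hashes both images whole, then compares them block by block so the
auditor learns *where* the drive deviates, not just that it does.
"""
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

BLOCK_SIZE = 512  # sector size used for the comparison (assumption)


def sha256_stream(stream: BinaryIO, chunk: int = 1 << 16) -> str:
    """Hash a whole stream without loading it into memory."""
    h = hashlib.sha256()
    stream.seek(0)
    for piece in iter(lambda: stream.read(chunk), b""):
        h.update(piece)
    return h.hexdigest()


def diff_blocks(reference: BinaryIO, acquired: BinaryIO,
                block_size: int = BLOCK_SIZE) -> Tuple[List[int], int, int]:
    """Return (indices of differing blocks, reference size, acquired size).

    A drive larger than the reference image carries data past the expected
    end; those trailing blocks are reported as differing as well.
    """
    reference.seek(0)
    acquired.seek(0)
    differing: List[int] = []
    index = 0
    while True:
        a = reference.read(block_size)
        b = acquired.read(block_size)
        if not a and not b:
            break
        if a != b:
            differing.append(index)
        index += 1
    ref_size = reference.seek(0, io.SEEK_END)
    acq_size = acquired.seek(0, io.SEEK_END)
    return differing, ref_size, acq_size


def audit_image(reference: BinaryIO, acquired: BinaryIO,
                block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Produce an audit record: whole-image hashes plus any deviating blocks."""
    ref_hash = sha256_stream(reference)
    acq_hash = sha256_stream(acquired)
    differing, ref_size, acq_size = diff_blocks(reference, acquired, block_size)
    return {
        "reference_sha256": ref_hash,
        "acquired_sha256": acq_hash,
        "matches": ref_hash == acq_hash and ref_size == acq_size,
        "differing_blocks": differing,
        "size_delta": acq_size - ref_size,
    }


def build_sample_images() -> Tuple[io.BytesIO, io.BytesIO]:
    """Constructed sample: a 16-sector reference image and a copy with one
    byte altered in sector 5 and one extra sector appended at the end."""
    reference = bytes(range(256)) * 32           # 8192 bytes = 16 sectors
    altered = bytearray(reference)
    altered[5 * BLOCK_SIZE + 100] ^= 0xFF        # flip a byte in sector 5
    altered += b"\x00" * BLOCK_SIZE              # extra sector past the end
    return io.BytesIO(reference), io.BytesIO(bytes(altered))


if __name__ == "__main__":
    ref, acq = build_sample_images()
    for key, value in audit_image(ref, acq).items():
        print(f"{key}: {value}")
```

On a real audit the acquired image would be taken through a write blocker and the reference hash published by the jurisdiction beforehand, so both sides of the comparison are independently verifiable.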
I guess I am with Will on this; paper ballots are the way to go.
Great piece and welcome!
Right. Touchscreens are a big advantage for a certain class of people – vision impaired and so on.
How do you feel about a touchscreen machine that produces a paper ballot which is then read by some other machine but could be tallied by hand? I think those would be ok, do you?
Not sure, I hadn’t really thought about that type of tech. I think overall that it would work, but would be open to ideas that shoot it down.
For me, the biggest thing is integrity. This is an area that I feel we could stand to drop a bit of money in good machines, double-blind checking results, two people transporting any votes, etc. But I have a background in logistics, so things like that are second nature to me.
I’ve always been in favor of that. That always seemed the most logical. I used to think everyone agreed with me on that..that we should use computers to make traditional paper ballots easy to cast and count. But an interesting incident just happened in that regard:
I’m on the mailing list for some anti-DRE stuff here in Georgia, and one of the more moronic things they have just done is shoot down a bill (HB 641 if anyone cares) to change things from straight DRE to a machine that prints a paper ballot that can be viewed by the voters, and manually audited later, and the paper ballot is what counts for recounts.
Now, I have a slight objection to this bill, because the bill doesn’t say the part of the paper ballot that is human readable is the part that counts. There are some voting systems that print the names, and below that print a machine barcode that is scanned to total the votes…we shouldn’t be using that. Also, this is what should count _originally_, not just for ‘recounts’.
But at least tampering this way could be detected…if you can somehow find a ballot with one set of votes in plain text and a different set in the barcode, you have definitive evidence the election was rigged. A spot check is possible.
But I would much rather have the name itself be machine readable…we’ve had easily OCR-able fonts for decades, and it’s not like the responses on the ballot are anything close to each other and might confuse things. And I’d rather have them be the original count, or at least be _required_ to be counted once, even if we present the electronic totals temporarily until that’s done. I can see some sane objections to this.
So at first I _assumed_ one of these were my allies’ objections to the proposal. But instead, my stupid ‘allies’ were objecting to it on the grounds that ‘A lot of people would not check their ballot at the end, so the machine could print anything’. (In a universe where a lot of people object because their stupid touchscreens are misaligned and claim it’s a conspiracy, no one would notice the names on their printed ballot didn’t match the names on the end screen of their computer?)
I.e., they didn’t instead want the names printed and read, they don’t want anything printed at all, they don’t want machines involved in the process of filling out a ballot at all. Meanwhile, they seem perfectly fine with optical scan systems, they just want _humans_ marking the paper. Of course, humans marking optical scan ballots is what gave us the Florida 2000 disaster.
And not only was that a stupid position to take in regard to that bill, but it’s not like there was a choice between different bills. Here in Georgia, we either continue to use a completely unverifiable electronic system, or we move to a verifiable paper one, and hope people will, duh, actually verify their votes. We’re not going back to filling out paper ballots by hand and trying to figure out how to get a machine to read them.
It’s sad in politics when you realize your supposed allies are complete and utter morons.
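The spot check the commenter above describes, comparing the human-readable names on a printed ballot against what its barcode encodes, as an added example that is not part of the original comment or of the Georgia bill. The ballot layout, the `contest=choice;...` barcode payload format, the code tables and the sample ballots are all constructed for this example; a real audit would use the jurisdiction's published ballot definition.

```python
"""Cross-check printed ballot text against the barcode that gets tallied.
Any contest where the two disagree is reported as a discrepancy."""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ballot definition (assumption): code -> (contest title, {choice code: name})
BALLOT_DEFINITION: Dict[str, Tuple[str, Dict[str, str]]] = {
    "P": ("President", {"1": "Alice Adams", "2": "Bob Brown"}),
    "S": ("US Senate", {"1": "Cara Chen", "2": "Dan Diaz"}),
    "M": ("Mayor", {"1": "Eve Evans", "2": "Finn Ford", "3": "Gus Gray"}),
}


@dataclass
class PrintedBallot:
    ballot_id: str
    printed_lines: List[str]   # what the voter reads, e.g. "President: Alice Adams"
    barcode_payload: str       # what the scanner tallies, e.g. "P=1;S=2;M="


@dataclass
class Discrepancy:
    ballot_id: str
    contest: str
    printed: str
    barcode: str


def parse_printed(lines: List[str]) -> Dict[str, str]:
    """Turn 'Title: Name' lines into {title: name}; '(no selection)' becomes ''."""
    result: Dict[str, str] = {}
    for line in lines:
        title, _, name = line.partition(":")
        name = name.strip()
        result[title.strip()] = "" if name == "(no selection)" else name
    return result


def decode_barcode(payload: str) -> Dict[str, str]:
    """Decode 'P=1;S=2;M=' into {title: name} via the ballot definition.
    Unknown contest or choice codes are kept (prefixed '?') so they surface."""
    decoded: Dict[str, str] = {}
    for item in payload.split(";"):
        if not item:
            continue
        code, _, choice = item.partition("=")
        title, choices = BALLOT_DEFINITION.get(code, (f"?{code}", {}))
        decoded[title] = "" if choice == "" else choices.get(choice, f"?{choice}")
    return decoded


def cross_check(ballot: PrintedBallot) -> List[Discrepancy]:
    """Return every contest where printed text and barcode disagree."""
    printed = parse_printed(ballot.printed_lines)
    scanned = decode_barcode(ballot.barcode_payload)
    found: List[Discrepancy] = []
    for title in sorted(set(printed) | set(scanned)):
        p = printed.get(title, "<missing>")
        b = scanned.get(title, "<missing>")
        if p != b:
            found.append(Discrepancy(ballot.ballot_id, title, p, b))
    return found


def spot_check(ballots: List[PrintedBallot], sample_size: int, seed: int) -> List[Discrepancy]:
    """Audit a random sample; the seed makes the draw reproducible and publishable."""
    rng = random.Random(seed)
    sample = rng.sample(ballots, min(sample_size, len(ballots)))
    return [d for b in sample for d in cross_check(b)]


def sample_ballots() -> List[PrintedBallot]:
    """Constructed batch: two consistent ballots, one undervote, one mismatch."""
    return [
        PrintedBallot("B-001", ["President: Alice Adams", "US Senate: Dan Diaz", "Mayor: Gus Gray"], "P=1;S=2;M=3"),
        PrintedBallot("B-002", ["President: Bob Brown", "US Senate: Cara Chen", "Mayor: Eve Evans"], "P=2;S=1;M=1"),
        PrintedBallot("B-003", ["President: Alice Adams", "US Senate: (no selection)", "Mayor: Finn Ford"], "P=1;S=;M=2"),
        # Printed text says Alice Adams but the barcode tallies Bob Brown: the case the thread describes.
        PrintedBallot("B-004", ["President: Alice Adams", "US Senate: Cara Chen", "Mayor: Eve Evans"], "P=2;S=1;M=1"),
    ]


if __name__ == "__main__":
    for d in spot_check(sample_ballots(), sample_size=4, seed=7):
        print(f"{d.ballot_id} {d.contest}: printed={d.printed!r} barcode={d.barcode!r}")
```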
Build standardizations for the physical machine and user interface that all companies must adhere to
That’s nice for the future, assuming there’s state/local government budget. I have a friend that works for a company that has built DRE machines for a long time. I got e-mail from her recently asking if I was interested in trying to make 20-year-old compilers work. Early machines were sold with lifetime software support, and someone was calling them on it because that jurisdiction’s budget didn’t support replacing the antique (in computer years) machines.
I live in the Census Bureau region that’s going off in its own direction entirely. In my state, >95% of all ballots cast are paper and cast by mail. For the region, >50%. The regional number continues to increase…
Really nice piece, @april-joy and I very much hope we see more from you!
If I were truly malignantly subversive, I would be very satisfied with the easiest goal you identify: diminishing trust in the institutions of democracy. This is, IMO, the most corrosive thing that is out there.
If she’s like most of us, a typical politically aware citizen can accept that her preferred candidate and preferred policy results don’t always prevail. If she looks around her constituency and perceives that it’s relatively evenly split, or even easier that she’s in the minority, she can understand that’s why her representative behaves the way he does, that’s why the elected executive governs the way she does. Our citizen doesn’t like it, but she can accept it as legitimate.
I mean, it’s bad enough (if she’s paying attention) when she realizes that she’s likely a member of at least five different constituencies (the United States as a whole, her individual State, her Congressional district, and two different state legislative districts) and that three of those five constituencies were at best semi-democratically created with the production of a particular partisan result in mind regardless of her intent. This can make her feel like her vote is somewhat futile, that the outcome was foreordained and that she and others who feel like she does politically need to do a daunting amount of work to create change.
It’s worse when she looks at how campaign donations, extra-constituency-sourced pressure, and highly-focused special interest groups — let’s simply disregard the possibility of actual overt corruption — causes her elected representative to behave in ways that appear to contradict the collective will of her fellow-citizens. Now she has to wonder at whether whatever the people say they want matters to the folks who ought to be worried about re-election.
But when the vote itself is uncertain, when she has a substantial but reasonable uncertainty that her vote will be altered or manipulated or ignored to produce a result that is contrary to the collective intent of her constituency, she’s now liable to give up on the whole endeavor of democracy in the first place as an illusory gloss upon some other kind of system and just accept that her lot in life is to be actually ruled by a kakistocratic oligarchy and that’s just how life is going to be. Maybe she satisfies herself with bread and circuses, maybe she despairs, maybe she ignores. But what she doesn’t do is meaningfully participate in her government.
That’s not what the American experience ought to be. But a populace giving up on self-government and accepting the role of “subjects” rather than “citizens” is where this path ends.