In what has quite possibly been one of the longest periods between security problems being revealed and action being taken, the Virginia Board of Elections voted on Tuesday to remove the certification of more than 300 AVS WINVote touchscreen voting machines. The Virginia Information Technology Agency and consultancy Pro V&V uncovered multiple flaws in the voting technology, which had also been used in other states including Mississippi and Pennsylvania. The scandal here is that there have been concerted efforts to remove these machines from the electoral system since 2008, when experts investigating irregularities first flagged their concerns. They were used consistently in Virginia between 2002 and 2014, and if you have voted there you may well have cause for concern.
The security audit found a whole catalogue of vulnerabilities, including the machines using, wait for it, WEP wireless security, which has long since been relegated to the Do Not Use pile courtesy of it being easily hacked. Just to make that hacking even easier, the password was hard-coded into the machines; and it was 'abcde', can you believe? Talking of passwords, the OS admin password was, erm, 'admin', and the database storing the votes (an old version of Microsoft Access) used an easily hacked encryption key of 'shoup' for good measure. Oh, and talking of that database, should someone have wanted to copy it, edit it and then put it back, nobody would have been any the wiser, as there were no controls in place to prevent this happening. What else? Well, the underlying Windows OS (XP Embedded) had not been patched since 2004. There were even a whole bunch of open ports with active services running. Nice, if you are a hacker or vote rigger. Also nice was the fact that the machines had unprotected USB ports. One security expert reckoned you could have hacked into the things from the car park using a Pringles can, and if nobody had, it's only because they hadn't tried. Not that we would know: these machines didn't keep any logs for an audit trail.
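The copy, edit and replace weakness and the missing audit trail described above are what a keyed, hash-chained record log is meant to expose. The following Python is an added example, not code from the audit or the vendor; the function names, record layout, and the assumption that the key and the record count are held off the machine are all illustrative.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed start of the chain


def _tag(key, prev_tag, record):
    """HMAC over the previous tag plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append(log, key, record):
    """Append a record, binding it to everything logged before it."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(key, prev, record)})


def verify(log, key, expected_len):
    """Return -1 if intact, else the index of the first bad or missing entry.

    expected_len is a count kept off the machine (assumption: e.g. the poll
    book total); it catches tail truncation, which chaining alone cannot.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return i
        prev = entry["tag"]
    return -1 if len(log) == expected_len else min(len(log), expected_len)


def demo():
    # Constructed sample data; the key is assumed to be held off the machine.
    key = b"constructed-demo-key-held-off-device"
    log = []
    for seq, choice in enumerate(["A", "B", "A", "A"]):
        append(log, key, {"seq": seq, "choice": choice})
    edited = copy.deepcopy(log)  # the "copy it, edit it, put it back" case
    edited[1]["record"]["choice"] = "A"
    return verify(log, key, 4), verify(edited, key, 4), verify(log[:3], key, 4)


if __name__ == "__main__":
    print(demo())
```

A key hard-coded on the device would give no protection here, since anyone who can read it can recompute every tag after an edit.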
Gary Newe, Technical Director at F5 Networks, told DaniWeb that "When looking at the AVS WinVote voting machines security scandal it seems that the basics of security were not followed. There are three main areas in terms of security: confidentiality, integrity and availability. In this case, the priority for this company was availability, with the confidentiality and integrity of the data seemingly disregarded. This is worrying as, in this instance, we are talking about someone’s vote and if you cannot confirm that the vote was placed and it is the same as it was when it is placed, then the whole system is flawed. For voting machine companies, they need to focus on the integrity of the data, the confidentiality of the voter and the overall security of the system, ensuring that there is an audit trail at all areas of the process that is rock solid and cannot be tampered with. In most countries people went through a lot of pain to get the right to vote and we need to ensure we continue to respect everyone’s right to vote by protecting this in all areas. Some say paper votes are less secure but at least you had a piece of paper that was a physical vote and once someone marked their paper it was very difficult to change. With electronic voting you lose this built-in physical audit trail so it is more important than ever for those responsible to be able to prove, without a doubt, that the vote was cast and that it was not tampered with."
Intercede’s Richard Parris, specializing in secure identity management, told us "the vulnerabilities of the AVS WinVote machines exposed by the Virginia state report earlier this week demonstrate that some federal agencies are still over-reliant on password authentication. While some progressive departments already have robust identity management systems in place, these are not being used widely enough and should urgently be adopted across the board – voting systems are no exception. Two-factor authentication is widely accepted as a simple, stronger alternative to passwords. Implementing this method to access electronic voting machines would eradicate the issue highlighted by this report."
Paul McEvatt, Senior Security Architect at Fujitsu, added "due to electronic voting devices not being frequently used, they have not been subject to regular security testing and do not currently have a set security process in place. The AVS WinVote machine scandal highlighted this is a serious issue. Using such hackable passwords for 12 years is not an acceptable form of security and manufacturers need to establish strict principles to ensure that electronic voting systems are not vulnerable to such hacks. To do this, voting machine manufacturers need to safeguard the Wi-Fi SSID and passwords by changing them regularly; applying the strongest encryption possible. Additionally, devices need to have the latest operating system under support and run regular security software checks where possible. Voting machines should be a secure way to vote, but manufacturers need to enforce appropriate security measures in order to protect data and ensure the systems reach their potential."