If you voted in a Virginia election any time between 2003 and April of this year, your vote was at serious risk of being compromised by hackers.
That's the assessment reached by Virginia's board of elections, which recently decertified some 3,000 WINVote touchscreen voting machines after learning about security problems with the systems, including a poorly secured Wi-Fi feature for tallying votes.
The problems with the machines are so severe that Jeremy Epstein, a computer scientist with SRI International who tried for years to get them banned, called them the worst voting machines in the country. If the WINVote systems weren't hacked in a past election, he noted in a recent blog post and during a presentation last week at the USENIX security conference, "it was only because no one tried."
The decision to decommission the machines, which came after the state spent a decade repeatedly ignoring concerns raised by Epstein and others, is a stark reminder as the nation heads into the 2016 presidential election season that the ongoing problem of voting machine security is still not taken seriously by election officials. Virginia officials only examined the WINVote systems after Governor Terry McAuliffe tried to vote with one during the state's general elections last November. Dismayed at the problems he encountered first hand trying to select a candidate in a Senate race, he demanded an investigation. But even after serious vulnerabilities were then uncovered, some election officials argued against replacing the machines. Richard Herrington, secretary of the Fairfax City Electoral Board, asserted that no voting system was secure.
“No matter how much time, money and effort we could put into a device or a system to make it as secure as possible, there is always the possibility that someone else would put in the time, money and effort to exploit that system," he said.
Although many of the issues found in the WINVote machines are specific to them, some of the problems are similar to ones found in other voting machine models over the years, all of which demonstrates just how flawed the federal testing and certification process is for approving voting machines used in the US.
The WINVote touchscreen machines, made by the now-defunct Advanced Voting Solutions when it went by its original name, Shoup Voting Solutions, were used in about 30 counties in Virginia before they were decommissioned this year. The machines were also used in Pennsylvania and Mississippi to a lesser degree, but Pennsylvania eliminated its systems in 2007, and Mississippi, which only used them in one county, replaced them in 2013.
Virginia first began using the WINVote machines in 2003 in Fairfax County, the largest county in the state. Problems with the systems emerged immediately. In a race for the Fairfax School Board, the machines inexplicably subtracted one vote for every 100 votes cast (.pdf) in favor of incumbent school-board candidate Rita Thompson, which resulted in a 2 percent reduction in votes for her overall. Thompson lost the race by 1,600 votes. More than 77,000 votes were cast for her countywide, so two percent of the vote was 1,540.
Despite this initial problem, other Virginia counties proceeded to purchase WINVote machines over the years, until some 4,000 were in use across the state by 2014. Fairfax County replaced its WINVote machines last year, but about 3,000 remained in use when the state recently banned them.
The machines came under particular scrutiny last year after voters in at least 57 jurisdictions complained of various troubles with the machines during the state's general elections. Henrico County, which had nearly 800 WINVote machines, experienced one of the highest number of anomalies with the machines, including "embedded" errors, power issues, and unspecified wireless communication issues.
Spotsylvania County had the most intriguing problems, however, particularly in precinct 302, at a public library. Voting machines there crashed individually in succession and simultaneously. At one point during the election, all the machines went down. Election staffers thought the problem was due to a poll worker's smartphone (.pdf), which was being used to stream music over the library's public Wi-Fi network. The WINVote machines have their own wireless network to upload ballots and to tally votes by aggregating totals from each machine into a single machine after polls close. Poll workers thought the smartphone must have interfered with that network and instructed voters to turn off their phones at the polls. When a county investigator later tried to replicate the problem, he found that his mobile device could in fact connect to the voting machines' wireless network. But although he concluded that wireless interference---unintentional or otherwise---might have caused the problems, he couldn't say so definitively. Virginia State Police opened an inquiry to look into the Spotsylvania issue but found no evidence of criminality and closed the inquiry.
After Gov. McAuliffe experienced a problem with machines in another county and called for an investigation, extensive security problems were uncovered. Two separate examinations were conducted by the Virginia Information Technology Agency and a federally accredited lab known as Pro V&V (.pdf). The reports produced were brief but damning. One of the biggest problems they found was that the Wi-Fi connection potentially gave hackers a remote vector into the machines.
"[T]he combination of weak security controls used by the devices would not be able to prevent a malicious third party from modifying the votes recorded by the WINVote devices," VITA concluded in its report.
Although communication between the machines was encrypted, the wireless protocol they used was the notoriously insecure WEP. The FBI had demonstrated in 2005 that it could crack a 128-bit WEP key in about three minutes. But an attacker wouldn't have needed even this much time to attack Virginia's voting machines. By capturing and analyzing just two minutes of wireless traffic between two machines, investigators were able to crack the encryption key. The key turned out to be "abcde."
What's more, investigators found that even when they clicked a button to disable the wireless function in an attempt to close them off from remote attack, the device’s network card was still able to send and receive traffic. Once the encryption key was cracked, an attacker could have joined the wireless network to record voting data as it crossed the network, inject malicious data into the stream, or connect to voting machines to subvert them and an election. How so?
Investigators discovered that the machines were running on a 2002 version of Windows XP that had not been patched since 2005. A simple scan revealed that the machines were vulnerable to at least 18 known software vulnerabilities, any of which could have provided an opening for attackers to take over the machines. At least one vulnerability was a 10-year-old flaw that Microsoft had long ago fixed but had never been patched on the machines.
Time had marched on, but the technology in the WINVote machines had stayed put. "The WinVote machines were originally certified in 2003. Although this equipment has not changed, the myriad of technological advances in other areas after the original certification have resulted in machines which today, more than a decade later, are less secure than when the machines were originally certified," investigators wrote in an early version of their report.
The machines also had an administrative account that was secured with the hardcoded password "admin".
"Using this account and password, full administrative access to the WINVote operating system was available," the investigators wrote in their report (.pdf).
Equally problematic was the Microsoft Access database that stored votes on the machines. Although the database was password-protected, the password was "shoup"---the former name of the vendor. It took investigators just 18 seconds to crack it using a common hacker tool. The database wasn't encrypted and required no authentication to modify it, so an attacker could have added, deleted or changed votes at will. To test this, investigators ran a mock election, copied the database containing vote tallies to a machine they connected to the Wi-Fi network, then modified the database and loaded it back onto a WINVote machine.
"The compromised vote tallies were reflected in the closed election results, proving that the vote data could be remotely modified," they wrote.
In total, the vulnerabilities investigators found were so severe and so trivial to exploit, Epstein noted that "anyone with even a modicum of training could have succeeded" in hacking them. An attacker wouldn't have needed to be inside a polling place either to subvert an election. "[W]ithin a few hundred feet (e.g., in the parking lot) is easy," he noted. Someone "within a half mile with a rudimentary antenna built using a Pringles can" could also have attacked them.
Because the systems had no internal logging capabilities to indicate if tampering had occurred, and they also had no paper trail, there was no way to independently audit and verify that the vote tallies in the machine databases were correct. "[S]o if an election was hacked any time in the past, we will never know," wrote Epstein, who lives in Fairfax County and serves as a poll worker during elections.
Some of the problems with the machines were well known to officials long before the recent examination of them. In fact, Virginia outlawed the use of Wi-Fi with voting machines in 2007, after Epstein pointed out that hackers could use the Wi-Fi connection on WINVote machines to subvert an election. But it turned out that disabling the Wi-Fi on the WINVote machines wasn't an option. The state learned that doing so essentially rendered the machines inoperable. So right before the 2008 presidential election, Virginia officials effectively nullified the ban by making an exception for voting machines that election districts had already purchased. Since no other certified voting systems in Virginia had Wi-Fi capability, the exception was essentially a carve-out to allow continued use of the WINVote machines.
Rather than decertify and decommission the vulnerable machines in 2007, the board allowed their continued use in 30 counties for the next seven years, assuring the public that the systems were nonetheless safe because they employed "strict security protocols." Presumably, they were referring to the Wi-Fi network's "abcde" password. There was nothing else protecting the machines.
The systems have now been replaced in all jurisdictions that were using them, at a cost of about $12,000 per precinct, according to Virginia officials.
Questions remain about whether the insecure machines affected any election outcomes in Virginia since 2003. It's difficult to know for certain because only close races get scrutinized. If the margins are wide, candidates tend not to complain, and only candidates and parties can dispute an election result and call for a recount---not voters. The winner of the attorney general's race in 2005 won by just 360 votes. And in 2009 the attorney general race was decided by just a margin of 165 votes out of more than 2.2 million cast. After a recount, the margin increased to 900. And many found Republican candidate Eric Cantor's loss in the 2014 Republican primary a shock. Cantor had been expected to win with 60 percent of the vote, instead he lost with just 44 percent of the vote to his challenger's 55 percent. There's no indication that voting machine problems played a role in any of these outcomes, but it's impossible to know without logs or paper trails.
"We don't have any concerns about election results and the accuracy of prior results," Edgardo Cortés, the state's commissioner of elections, told WIRED. "I think there are a lot of checks and balances built into the system" to guard against fraudulent outcomes.
State officials have, however, been pushing local election officials to transition to systems that have paper trails for aiding elections. And he said officials are also looking at how to revamp the certification process to ensure that machines as bad as the WINVote systems aren't certified again.
"One thing we have been looking at overall is how do we, when we certify equipment, account for changing technology? Even though a system may be secure when you first certify it, over time technologies change that may make it less secure."
Epstein says the problems found with the WINVote system likely just scratch the surface. All of the issues uncovered had to do with design, not the internal code, which investigators never got around to examining. "The vendor … built the foundation out of quicksand. We never looked at what was built on top of that because the quicksand started falling apart so easily," he told WIRED.
He's convinced that if someone were to examine the source code, it would yield many more problems, like ones that were found previously in Diebold voting machines and others. "If we actually looked at the software I'm quite sure we would have found as much bad stuff in the software itself as we found in Diebold and any other vendor."
Epstein is the proud recipient of several WINVote machines recently retired by his state. He's offered to provide them to anyone interested in examining the now-defunct machines.