There’s more to election integrity than secure voting machines

LAS VEGAS—Some of the least-secure voting machines ever made probably weren’t responsible for vote alteration in Virginia, the top adopter of WinVote terminals. But we will never know for sure.

Researcher Carsten Schürmann revealed inconclusive results of a forensic examination of the solid-state drives of eight WinVote machines in a Thursday morning talk at the Black Hat USA security conference here. During his presentation, Schürmann, a professor at the IT University of Copenhagen and founder of the research project DemTech, emphasized two things: how little a WinVote autopsy reveals, and the importance of securing voting with paper trails and risk-limiting audits.

Everybody loses with WinVote

Virginia was the leading buyer of WinVote machines from the now-defunct Frisco, Texas-based firm Advanced Voting Solutions. Cities and counties across the state bought some 4,000 of these Windows XP-based touch-screen devices and kept them in service from 2004 to 2014. (As a voter in every election in the state, I saw far too many of them.)

The interface alone should have been the first warning of Advanced Voting Solutions’ ineptitude: It highlighted the selected candidate in red, with a red X to the right—as if you were voting against the person. But as Schürmann explained, the awfulness ran deep.

WinVote terminals compounded the deep-seated insecurity of XP—unpatched on these machines—by requiring Wi-Fi for peer-to-peer connections at voting locations. This wireless network was “secured” only by brittle WEP encryption, with the password set to “abcde.”

A 2015 report by the Virginia Information Technologies Agency recommending the retirement of all remaining WinVote terminals inventoried at least three ways an attacker could compromise a WinVote terminal: USB ports left accessible, Windows network services left on, and the absence of a network firewall.

The vote database also lacked encryption; it was protected only by an easily cracked default password—“shoup,” the name of the founder of Advanced Voting Solutions—to thwart tinkering.

Schürmann’s pithy summary of VITA’s conclusions about WinVote: “They kind of said, like, it’s a piece of crap.”

Anomalies but not answers

Earlier studies of WinVote terminals—including the study leading to security researcher Jeremy Epstein’s 2015 presentation at the Usenix Security Summit in Washington—concluded that their rampant insecurity left no way to confirm that nobody tampered with the vote.

But Schürmann decided to try again, using eight WinVote machines from Epstein’s collection. (Schürmann told me afterward that he also found one for sale on eBay for $255, but the seller wasn’t willing to rip out the drive and sell just that.) He removed the drives from those machines and inspected forensic images of them.

An MP3 with a file name in Chinese immediately jumped out at him. “What does an MPEG-3 do on a voting machine?” he asked.

He then found software to rip CDs and broadcast MP3s, which he called “even more weird.”

Schürmann also inspected Windows logs—the security event logs were all empty—for indications of tampering. None emerged, though the defenseless configuration of a WinVote machine would have made it easy for attackers to wipe traces of their intrusion.

“When you go through all of the files, it all looks pretty reasonable,” he said. “There’s no double writing.”

But one machine in use for the November 2013 state election, during which Democrat Terry McAuliffe edged out Republican Ken Cuccinelli by a narrower margin in the gubernatorial race than polling predicted, showed an unusual spike of activity: More than 60 files in the Windows system directory were flagged as changed. Even the WinVote.exe file was flagged as being modified, though Schürmann found no differences in that file from its normal state.

“There’s some strange stuff,” he said.

Schürmann found one other anomaly: In the 2005 election, three of his eight WinVotes dialed out on their modem line—one to a wrong number. In that gubernatorial election, Democrat Tim Kaine handily defeated Republican Jerry W. Kilgore.

But Schürmann’s forensic analysis confirmed nothing about the integrity of elections conducted on WinVote terminals.

“We have to kind of remember that our elections are supposed to produce some kind of evidence,” he said. And WinVotes and other “direct recording” voting machines don’t produce any evidence beyond the bits on their drives.

A longtime critic of electronic voting machines echoed that criticism.

“A good compromise would not leave traces, so no amount of investigating can reasonably conclude that no tampering took place,” wrote Johns Hopkins University computer science professor Avi Rubin. “The best you could say is that none was detected.”

Epstein made the same point in an email. “The WinVote keeps extremely rudimentary audit logs, and they can be tampered with trivially, so it would be very hard to prove that there wasn’t any tampering,” he said. “You can’t prove the negative.”

Paper and audits

Schürmann closed by noting that five states still employ direct-recording machines with no paper backup: Delaware, Georgia, Louisiana, New Jersey, and South Carolina. He urged those and other states to adopt systems that leave paper trails—and to confirm the integrity of each election with the risk-limiting audits developed by Berkeley statistics professor Philip B. Stark.

Stark’s technique allows verifying the integrity of a vote by drawing a small sample of ballots and checking to see if they match the results recorded by machines. Schürmann said Colorado, for example, would need to check only 142 ballots out of 2.8 million cast in the 2016 election to yield 95 percent confidence in the count.
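Stark’s audit in code, as an added illustration that is not from the article or from Stark’s own software: it assumes the ballot-comparison variant, in which each sampled paper ballot is compared to its cast-vote record and the evidence is scored with the Kaplan-Markov “super-simple” bound (γ = 1.03905). The sample size depends on the contest’s diluted margin, which the article does not state, so the numbers below are constructed and do not reproduce the 142-ballot figure.

```python
import math

# Assumption (not from the article): ballot-comparison risk-limiting audit
# scored with the Kaplan-Markov "super-simple" bound (Stark, 2010).
# GAMMA is the error-inflation constant that bound uses.
GAMMA = 1.03905


def initial_sample_size(diluted_margin, risk_limit, gamma=GAMMA):
    """Ballots to hand-check before the audit may stop, if every one of
    them agrees with its cast-vote record (CVR).

    diluted_margin: (winner votes - runner-up votes) / ballots cast.
    risk_limit: largest chance of confirming a wrong outcome, e.g. 0.05.
    """
    if not 0 < diluted_margin <= 1 or not 0 < risk_limit < 1:
        raise ValueError("diluted margin must be in (0, 1], risk limit in (0, 1)")
    u = 2 * gamma / diluted_margin
    # Stop when (1 - 1/U)^n <= risk_limit, i.e. n >= ln(risk) / ln(1 - 1/U).
    return math.ceil(math.log(risk_limit) / math.log(1 - 1 / u))


def ballot_overstatement(cvr, hand, winner, loser):
    """Overstatement of the margin on one ballot: what the CVR recorded
    minus what the paper shows, for the winner and the runner-up.
    Each dict maps candidate -> 0/1 votes on this ballot."""
    return (cvr.get(winner, 0) - hand.get(winner, 0)) - (cvr.get(loser, 0) - hand.get(loser, 0))


def audit_risk(diluted_margin, overstatements, gamma=GAMMA):
    """Kaplan-Markov p-value after the audited ballots; overstatements holds
    one integer in -2..2 per ballot (positive: the CVR inflated the reported
    winner's margin). The audit may stop once this is <= the risk limit;
    otherwise the sample grows, up to a full hand count."""
    u = 2 * gamma / diluted_margin
    p = 1.0
    for e in overstatements:
        if e not in (-2, -1, 0, 1, 2):
            raise ValueError("per-ballot overstatement must be in -2..2")
        p *= (1 - 1 / u) / (1 - e / (2 * gamma))
    return min(p, 1.0)


if __name__ == "__main__":
    # Constructed case: 5% diluted margin, 5% risk limit, and a first sample
    # that is clean except for one CVR crediting the winner a vote the paper lacks.
    n = initial_sample_size(0.05, 0.05)
    sample = [0] * (n - 1) + [ballot_overstatement({"W": 1}, {}, "W", "L")]
    print(n, audit_risk(0.05, sample))  # risk above 0.05: sample must grow
```

A single one-vote overstatement roughly doubles the risk, which is why a clean sample of the computed size stops the audit while the same sample with one discrepancy does not.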

One state, West Virginia, has begun experimenting with mobile electronic voting backed not by a paper trail, but rather by a blockchain.

Epstein and Rubin nominally supported both of those methods but separately suggested paying more attention to election integrity issues beyond voting machines.

“I think there is too much focus on the voting machines and not enough focus on the voter registration rolls,” Rubin wrote. “The Russians have realized that attacking the registration system is one of the weakest links, and there is evidence that they have sabotaged them in some instances.”

Epstein agreed, saying a focus on voting-machine security inflicted opportunity costs.

“Computer scientists largely missed the boat in our single-minded focus over the past 15 years on securing voting systems,” he wrote. “We didn’t pay nearly enough attention to voter registration systems, vote tabulation systems, etc.”

“And we paid no attention at all to the impact of social media in influencing voters,” Epstein concluded. “We need to make sure, going forward, that we’re looking at the full scope of what changes election outcomes—not just the votes themselves.”