EXCLUSIVE: An Analysis of WinVote Voting Machines – No Indication of Election Meddling Found
LAS VEGAS, NV – August 2, 2018
As we approach midterm elections in November, American intelligence officials have become more active in their warnings that voting machines could be targeted by Russia or others seeking to disrupt the process.
On August 4 at Mandalay Bay, Las Vegas, the world's leading information security event, organized by Black Hat USA, will convene for the 21st year, providing attendees with the very latest in research, development and trends. The event is attended by more than 17,000 information security professionals from more than 100 countries.
The event brings together the best minds from around the world to provide a comprehensive and unique curriculum covering a broad spectrum of information security topics.
One of these best minds in cybersecurity is Carsten Schuermann, an academic expert specializing in election security. He was a member of the Computer Science Department at Yale University. Schuermann holds a PhD from the Computer Science Department at Carnegie Mellon University, and a German Master in Computer Science from the University of Karlsruhe. Schuermann has been working with the Carter Center, USA, the Council of Europe, the Venice Commission, and International IDEA (Sweden). Now he leads the Center for Information Security Research and is a member of the computer science faculty at the IT University of Copenhagen.
This Thursday, August 9, Schuermann will present the results of his latest research, dedicated to the Virginia elections during 2004 and 2015. The WinVote voting machine was used extensively in Virginia, and several states still use voting machines similar to the WinVote.
The world’s best cybersecurity specialists were asked whether election meddling took place in Virginia at any time while WinVote machines were in service. After these machines were officially decommissioned, a number of them were released. Schuermann’s research team managed to secure a few of them and forensically analyze them using standard tools and by comparing the contents of their respective drives. A few more machines are on their way. The evidence left on each machine consisted of two SSD drives, one small (32MB) and one large (384MB or 512MB).
Researchers concluded that WinVote is the worst voting machine ever. It runs Windows XP, service pack 0. Wi-Fi is enabled by default. It uses WEP security, and all WinVote machines appear to use the same password, "abcde". Age-old exploits give adversaries administrator-level privileges without physical access to the machine and, to make matters worse, the Remote Desktop Protocol is enabled by default on each and every machine. WinVote doesn't implement any credible level of election security, whether in the form of paper ballots, cryptographic proofs, multiple result paths, or statistical evidence, as Carsten Schuermann outlines.
Experts could clearly establish that some WinVote voting machines were used for purposes other than voting. One voting machine was used to rip songs from CDs and broadcast MP3s, most notably, perhaps, a Chinese song from 1995: 白雪-千古绝唱.mp3 (White snow - eternal singer), Schuermann said.
WinVote-type voting machines are an ideal subject for hacking. The machines, from Diebold to Sequoia and WinVote equipment, were running very outdated and exploitable software, such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes. Carsten was one of the first hackers to access the machine from his laptop via Wi-Fi and the MS03-026 vulnerability in WinXP, using RDP (Remote Desktop Protocol), shortly after the Voting Machine Hacking Village opened.
"Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine." pic.twitter.com/1Xk3baWdxv (Robert McMillan, @bobmcmillan, July 28, 2017)
National elections still use election technologies in highly contested adversarial environments, where network, hardware, software, and configuration processes must be assumed to be under the adversary's control.
Despite all their efforts, the research team could not identify any indication of election meddling, Schuermann said.
After being decommissioned, voting machines can be bought on eBay or from government auctions. It turns out that many of the machines weren't completely wiped of data, leaving about 650,000 personal records of voters lingering on them. Hackers were also able to find administrative passwords for the machines via Google, and Rickrolled one box, The Register reports.
There will be more interesting presentations at Black Hat USA 2018. The co-founder of the first DEF CON group in Ukraine, Oleksandr Bazhaniuk from Eclypsium, will present their research “Remotely Attacking System Firmware”.
“In recent years, we have been witnessing a steady increase in security vulnerabilities in firmware. Nearly all of these issues require local (often privileged) or physical access to exploit. In this talk, we will present novel *remote* attacks on system firmware,” Oleksandr Bazhaniuk says. “We will show different remote attack vectors into system firmware, including networking, updates over the Internet, and error reporting. We will also be demonstrating and remotely exploiting vulnerabilities in different UEFI firmware implementations which can lead to installing persistent implants remotely at scale. The proof-of-concept exploit is less than 800 bytes.”