11 August 2017

Learning From Past Mistakes: The Next-Gen Voting Machine

Mark Kuhr

By Charlie Wang

Anne-Marie Hwang contributed to this report

Elections are at the foundation of U.S. democracy, and the voting systems utilized determine the leadership and future of the Nation. Maintaining the integrity of voting systems is thus critical.

After Bush v. Gore and the subsequent Help America Vote Act, many states converted to electronic voting machines. However, hacking these electronic voting machines is shockingly simple. Take the AVS WINVote as an example. It was used in three past major U.S. presidential elections on the East Coast and in the southern U.S., even though the machine is plagued by multiple potential attack vectors. Cracking it required little or no specialized knowledge beyond knowing how to operate a smartphone or a computer.

By diving into the design and the exploits of one of these machines, we explore what goes into building resiliency against ever-evolving hackers. What should next-gen voting machines for upcoming elections look like?

1. Strong Physical Security

The designers behind WINVote took physical security into account, placing the power button, a USB port, and a printer behind a key-locked panel. For power integrity, they integrated a battery system into the voting machine in case of unintentional power fluctuations.

However, the designers ultimately fell short, leaving two USB ports open on the back, secured by only thin, rubber flaps. This brought the total USB port count to three. These ports allowed us to connect a USB drive, a computer mouse, and a keyboard to give us manual control of the WINVote machine. By hitting CTRL + ALT + DEL, we could access the task manager and open up new tasks, such as Windows Explorer or a Command Prompt. It was so easy that it felt like the designers almost wanted us to hack WINVote.

Next-gen voting machines should take some cues from the cryptographic module world and learn from devices that meet the highest level of tamper resistance recognized by the U.S. government, which is FIPS 140-2 level 4. Meeting such a bar — penetration detection from any direction — means no open ports or screws, and protecting the data in a hardened casing resilient to X-ray beams and metal drills. Encrypting the voting data with a hardware security module (HSM) can lower the cost of the voting machine compared with physically hardening the entire machine.

2. Up-to-date Software Voting Platform

The machine runs Windows XP Embedded as the operating system of choice. To the designers’ credit, they stripped many unnecessary features out of XP, such as the taskbar, games, and most of the accessibility functionalities. Although the designers minimized the attack surface, they opened a new vector by neglecting to update the operating system, leaving it unpatched without the latest service packs or security updates after WINVote’s deployment. Worse still, the default and only account on WINVote is “administrator” with the default password “admin.” With administrator privileges and no patching done once vulnerabilities were discovered, the WINVote machines were and still are left open to thousands of attacks.

Additionally, the voting window that voters see and the administrative window that displays the vote tallies on WINVote are actually all packaged into a simple .exe file with multiple DLLs that run on top of Windows XP Embedded. Due to the nature of how the voting application runs, a hacker can launch their own “homebrewed” voting application on the WINVote machine that looks and operates just like the authentic voting application but fabricates all the votes.

The voting platform on next-gen voting machines should take some cues from what many regard as one of the most secure and widely used platforms on the market–iOS. The operating system should have security features such as sandboxing built in, and it should be continuously updated. Administrator or root privileges should be granted only as needed, and the integrity of the voting application should be verified. Furthermore, the voting data should be encrypted and stored according to the latest security practices, including saving the data in secure, trusted memory and employing strong cryptographic encryption practices.

3. Secure Communication/Connectivity

The WINVote machine has an unusual network setup with two NICs. One belongs to the Windows XP Embedded side; the other is located elsewhere within the machine and broadcasts an ad-hoc network, to which the first NIC connects, secured with WEP, a security protocol that can be cracked within a few minutes by brute force. The short, hard-coded WEP key of “abcde” does nothing to improve the security of this master/slave communication setup.

To make matters worse, the designers behind the WINVote machine left four ports open on Windows XP Embedded: 135 msrpc, 139 netbios-ssn, 445 microsoft-ds, and 3389 ms-term-serv. The lack of regard for the network security practices that were current even at the time of the device’s deployment allows not only those with a Mac, PC, or other computer to hack into the voting machine, but also just about anyone with a smart device in their pocket. Hacking with an iPhone is as simple as downloading the Fing app from the App Store, launching a network scan to find the IP address of the voting machine target, downloading the Microsoft Remote Desktop app, and remotely accessing the WINVote machine.

To the designers’ credit, they had the foresight not to connect the WINVote machines directly to the World Wide Web. Next-gen voting machines should follow a similar practice, but also employ a firewall with no unnecessary open network ports and, if the communication model requires a Wi-Fi network, use the latest Wi-Fi security protocol, WPA2. Moreover, the next-generation voting machine should employ the latest cryptographic and security practices for network communication, such as end-to-end encryption, to secure the transmission and exchange of data.

Election-Specific Implications

To vote using the WINVote, voters must insert a smartcard that is encoded with some of their details, such as their party affiliation. However, it has been shown that smartcards can be manipulated; in a study on the Diebold AccuVote TS (whose newer version, the TSx, is still in use), researchers found that attackers could use homebrewed smartcards, gaining the ability to vote multiple times without detection. All the attacker needs to know to create an active smartcard is the correct m_ElectionKey, m_DLVersion, and m_VCenter. The first two fields may be the same for all locations and can be left undefined, and the last field can be inferred from the values used at other polling locations.

The network setup and the insecure USB ports of the WINVote are more than likely in place because of the need to export ballot results and to import ballot definition files for each election, which specify the names of the candidates, the order in which they appear on the ballot, the background color of the screen, and other features. This file may have been loaded physically from a USB drive or wirelessly, by connecting either to the machine’s own network or to another network. For the AccuVote TS, researchers found that the ballot definition files were neither encrypted nor checksummed, so attackers could add, remove, or change the order of items on the ballot either by gaining physical access to storage devices or by intercepting the transmission over the device’s network connection.
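The AccuVote TS finding above (ballot definition files neither encrypted nor checksummed) is the kind of gap an integrity check closes. The following is an added example, not code from this post or from any vendor: it tags a constructed, hypothetical ballot definition with HMAC-SHA256 over a canonical serialization and refuses to load one whose candidate order has been altered. HMAC stands in here because it needs only the standard library; a deployment would use a digital signature whose private key stays at the election office, since a shared HMAC key held on the machine could be reused by anyone who has taken the machine over.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample ballot definition (hypothetical format) with the kinds of
# fields the post mentions: candidate names, their order, the screen colour.
BALLOT_DEFINITION = {
    "election_id": "demo-general-2017",
    "background_color": "#e8f0ff",
    "contests": [
        {"office": "Governor", "candidates": ["A. Adams", "B. Baker", "C. Clark"]},
        {"office": "Treasurer", "candidates": ["D. Diaz", "E. Evans"]},
    ],
}

# Constructed demo key. In a deployment the key that produces tags stays at the
# election office (ideally in an HSM); the machine holds only what it needs to verify.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

def canonical_bytes(definition: dict) -> bytes:
    """Deterministic serialisation: sorted keys, no whitespace, list order kept,
    so swapping two candidates changes the bytes that get tagged."""
    return json.dumps(definition, sort_keys=True, separators=(",", ":")).encode()

def tag_definition(definition: dict, key: bytes) -> str:
    """Integrity tag (HMAC-SHA256, hex) computed when the file is prepared."""
    return hmac.new(key, canonical_bytes(definition), hashlib.sha256).hexdigest()

def is_authentic(definition: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison the machine runs before loading a definition."""
    return hmac.compare_digest(tag_definition(definition, key), tag)

def load_definition(definition: dict, tag: str, key: bytes) -> dict:
    """Return the definition only if its tag verifies; refuse to load otherwise."""
    if not is_authentic(definition, tag, key):
        raise ValueError("ballot definition failed integrity check; not loading")
    return definition

def reordered_copy(definition: dict, office: str) -> dict:
    """Copy with one contest's candidate order reversed: the silent edit an
    unsigned, unchecksummed file cannot reveal."""
    altered = copy.deepcopy(definition)
    for contest in altered["contests"]:
        if contest["office"] == office:
            contest["candidates"].reverse()
    return altered
```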

Similarly, the AVC Advantage (which is still in use) can be attacked remotely through the computers on which its proprietary WinEDS software is installed; WinEDS is used to prepare the ballot definition files and to tabulate votes from the Advantage cartridges. If one of these computers is connected to the Internet and used for web browsing (and a county computer with WinEDS installed that was provided to a group of researchers studying the AVC Advantage had indeed been used for personal Internet surfing), it can acquire viruses that later infect the cartridges, which in turn spread to the voting machines. Another way to compromise the Advantage is by replacing a ROM chip with fraudulent firmware or by manipulating the machine’s cartridges, which carry no digital signatures to protect the data stored on them.

However, even if the ballot definition files are uncorrupted and the election goes smoothly, attackers can still change the final voting data. For the WINVote, once an attacker has either physical or wireless access to the machine, the attacker can access the data. The voting data is stored in Microsoft Access database files protected by a simple password–“shoup”–which is vulnerable to password cracking techniques such as dictionary attacks. (Also, Shoup was the former name of Advanced Voting Systems, the vendor of the WINVote machines, so the password for the database files is fairly easy to guess.) The data is thus stored in the equivalent of a plain text Excel file, leaving the voting data open to tampering by hackers. The Diebold AccuVote TS has a similar issue–all of its data is encrypted using a hardcoded DES key, “F2654hD4.” Though more random than “shoup,” it too can be cracked by brute force.
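Stored votes protected only by a guessable database password or a hard-coded DES key, as described above, can be rewritten without leaving a trace. As an added example (not the post's or any vendor's code), the following keeps vote records in a hash chain and seals the chain head at poll close with a key assumed to be held outside the machine (for instance by an HSM that signs on request but never releases the key), so that editing, deleting or inserting a stored record is detected at audit time. The key, record format and sample votes are constructed for the demonstration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value used before the first record

# Constructed demo key. The seal key belongs to the election office (or an HSM
# the machine can ask to sign but cannot read), not to the machine's admin user.
SEAL_KEY = b"constructed-seal-key-do-not-reuse"

def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def _link(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the record before it."""
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()

def append_vote(chain: list, record: dict) -> list:
    """Append a vote record; its hash depends on every earlier record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": _link(prev, record)})
    return chain

def seal_chain(chain: list, key: bytes) -> str:
    """Keyed tag over the chain head, produced once at poll close."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()

def verify_chain(chain: list, seal: str, key: bytes) -> bool:
    """Recompute every link, then check the head against the seal. Editing,
    deleting or inserting any record changes the head and fails the check."""
    prev = GENESIS
    for entry in chain:
        if _link(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal)

def tally(chain: list) -> dict:
    """Count choices in a chain; call only after verify_chain has succeeded."""
    counts: dict = {}
    for entry in chain:
        choice = entry["record"]["choice"]
        counts[choice] = counts.get(choice, 0) + 1
    return counts

# Constructed sample votes for one contest, in the order they were cast.
SAMPLE_VOTES = [{"seq": i, "contest": "Governor", "choice": c}
                for i, c in enumerate(["A. Adams", "B. Baker", "A. Adams"], 1)]
```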

Let’s Do It

The shortcomings of past and current voting machines illustrate what next-gen voting machines should rectify. Resiliency in this ever-digital era means strong physical security, an up-to-date software voting platform, and the deployment of secure communication/connectivity. Even after covering all the bases, every party behind voting machines needs to push the security of those machines to its limits. Whitehat hackers, such as those from the Synack Red Team, should prod these voting machines in ways they haven’t been prodded before. The stakes for democratic integrity are high, especially with voting machines that leave no auditable paper trail by which to tell whether attackers have meddled with the votes.

The 2020 U.S. presidential election is a little more than three years away, but democratic elections are happening now abroad. Hackers are not only after America but also after democracy across the globe. We have no time to waste. In the absence of a quick, expansive solution for electronic voting machine vulnerabilities, paper balloting seems much safer. The Netherlands, for example, already transitioned to paper balloting and tallying in its March 2017 election due to fears of hacking. However, traditional paper balloting has its own faults, such as ballot stuffing. Additionally, many counties have dumped their old electronic voting machines for optical scan machines, but even those can be subject to hacks.

Clearly, more research on effective auditing needs to be done to form a comprehensive solution to ensure that democracy is preserved worldwide. Let’s buckle down and protect the integrity of free elections and democracy by first protecting the security of our voting machines.

Special thanks to:

  • Rahul Krishna and David Weinman for sharing their expertise in the creation of the WINVote hacks.
  • Anne-Marie Hwang for demoing at Black Hat 2017 and DEF CON 25.
  • Jeremy Epstein for the WINVote machine.