Like hundreds of thousands of other Virginians, I’ve been casting ballots for over a decade using Winvote voting machines.
I now have physical proof of how catastrophically insecure those machines are.
It’s a tiny key that opens the plastic door hiding the USB port on every Winvote terminal.
This keepsake came my way at an eye-opening presentation about voting-machine security at this past Tuesday’s Usenix Security Symposium in Washington.
Jeremy Epstein, a security scientist with SRI International, has spent years investigating the weaknesses of these and other electronic voting systems.
That’s when the Virginia Information Technologies Agency condemned the security of these machines and banned them from the commonwealth.
Their only remaining use was, literally, as a lesson to others.
Epstein led off his his talk by asking the audience if any of us would like a Winvote key.
(“All the keys are the same for every Winvote that’s ever been made, because that way it’s easier,” he pointed out.)
How about one of the smart cards that poll workers used to administer these machines?
I took one of each.
He also offered us one of the spare Winvote terminals he had stashed in his car, but I passed on that.
- The e-voting gold rush
Among other things, the Act banned punched-card and mechanical-lever voting machines.
That in turn led to a rush to implement digital voting systems such as Winvote.
Outside of Virginia, only a few counties in Pennsylvania and Mississippi adopted Winvote (from the now-defunct Frisco, Tex.-based Advanced Voting Systems).
But Winvote terminals had much in common with other electronic voting machines of that time: They were built to win government contracts.
And they were based on general-purpose Windows platforms that made them needlessly complex and vulnerable to exploits.
On top of that, vendors paid too little attention to configuring those systems for security.
(See, for example, the flaws in Diebold’s voting machines that Johns Hopkins University professor Avi Rubin documented soon after Maryland agreed to spend $55 million deploying them statewide.) The geniuses behind Winvote, however, botched the job worse than anybody else.
It wasn’t just the horrible voter interface.
(My favorite example of that: When you chose a candidate on the Winvote touchscreen, your choice was highlighted in red, with an “X” next to it — which by any normal interface standards looked very much like you were voting against that person.)
The innards were even worse.
As Epstein explained in his autopsy Tuesday:
• Winvote’s machine runs a version of Windows XP that hasn’t had patches installed since 2004 — four years before AVS deservedly went out of business.
• Its wireless network is “safeguarded” with insecure WEP encryption — and the password is abcde.
• The Windows admin password is (no, I’m not making this up) admin.
• Windows file-sharing is left on.
• The machine tracks votes using an obsolete version of Microsoft Access, in which the unencrypted database file is “protected” with a five-character password that a security tool cracked in seconds. (That password — shoup — apparently refers to a voting-machine company with a history of criminal indictments.)
• The system doesn’t log changes to that file.
• You can’t turn off the WiFi; if you remove the wireless card, the device won’t boot.
No comments:
Post a Comment