[BreachExchange] Getting To Know Your Electronic Voting Machine. Friend Or Foe?

Destry Winant destry at riskbasedsecurity.com
Wed Oct 17 09:06:42 EDT 2018


In April 2016, we published a blog on electronic voting machine (EVM)
vulnerabilities titled “To date, Risk Based Security has cataloged
over 260 vulnerabilities in electronic voting machines.” Today, that
number stands at 292. With the midterm elections coming up, the topic
of voter influence, foreign meddling, and EVM security is back in the
news, including another area for concern as pointed out by Andrea

Fundamentally, it doesn’t matter how a vote is lost or changed, be it
from EVM technical failure, voting staff, or computer criminals. As
Kim Zetter reminds us, “When your vote gets lost/stolen because the
voting machine failed to record it or a hacker changed it, there’s no
recovery…unless your county is using optical-scan machines with paper
ballots and performs manual audits of the paper.” Since Risk Based
Security tracks vulnerabilities, that is our primary focus in
examining this topic, while fully acknowledging that the threats of
foreign influence and U.S. politics pose as big a danger of election
tampering, or a bigger one.

Since our last blog post, the biggest news in EVM vulnerability
disclosure is the DEF CON Voting Village being established. Founded at
DEF CON 25 in 2017, the concept is to bring in a wide variety of EVMs
that are currently used in our elections, and let security
professionals and hackers go to work uncovering vulnerabilities in
them. After the convention wraps up, the Village releases a report of
the collaborative findings. After the first village, the published
findings put the fear into EVM vendors, as Violet Blue writes. With
the publication of the latest Voting Village report, the resulting
news headlines are not a surprise: “Voting Machines Are Still Absurdly
Vulnerable to Attacks.”

As the only company that tracks EVM vulnerabilities, to the best of
our knowledge, the 2017 and 2018 reports from the Voting Village were
of particular interest to us. One challenge with writing such reports
is making them readable to a wide variety of audiences, ranging from
the technical to the policy maker. The reports need to be equally
digestible regardless of technical skills. However, one pitfall we see
from time to time is that critical technical details, such as the
version tested or a device model, are left out. This type of error
often means that while a report may disclose what appears to be nine
issues, only seven of them may be actionable. At a minimum, we must
know the vendor and product, so a missing model number is bad. Another
problem we often see, which popped up in one of the reports, is a
disclosure that withholds technical details out of fear of
exploitation.
While we fully understand why some researchers do this, it may make
the disclosed issue too vague to be actionable. If that issue sounds
close enough to a prior disclosure, we run the risk of publishing two
vulnerability entries that cover the same issue. That in turn leads to
skewed statistics, potential confusion, and unnecessary administrative
action trying to remediate the issue. With that in mind, let’s look at
the two reports in a bit more detail.

The DEF CON 25 Voting Village report (PDF) covers three days of
testing six different EVMs and contains dramatic results,
including an AVS WinVote machine that was “hacked and taken control of
remotely in a matter of minutes”. More alarming is that it was done
“using a vulnerability from 2003, meaning that for the entire time
this machine was used from 2003-2014 it could be completely controlled
remotely, allowing changing votes, observing who voters voted for, and
shutting down the system or otherwise incapacitating it.” That attack
was due to the system running an outdated and unpatched version of
Microsoft Windows vulnerable to MS03-026. Overall, the report outlines
three new vulnerabilities affecting two different machines,
re-discovers two vulnerabilities in the Premier Election Solutions
(Diebold) ExpressPoll 5000 that were previously disclosed, and covers
the Windows vulnerability that impacts the AVS WinVote, giving readers
a total of six vulnerabilities.

The DEF CON 26 Voting Village report (PDF) covers three days of
testing seven different EVM devices or components, some of which were
tested in the previous year (including the AVS WinVote and AccuVote
TSx). While this report garnered a lot of attention and fanfare, it
lacked considerable detail in some areas, meaning some potential
findings were not actionable. Ultimately it resulted in just four new
vulnerabilities for us in the database, one of which was previously
disclosed in 2007. Again, there were considerably more findings in
this report, but due to the way they were described, they either
weren’t actionable due to missing information, or weren’t actionable
due to likely being disclosed before.

Risk Based Security encourages the Voting Village to be mindful of
this in the coming years and to consider including an appendix with a
traditional advisory for each distinct vulnerability. We’d also like
to offer our assistance in preparing the report by providing
complimentary technical editing and guidance to help ensure the
findings are the most impactful.

While security researchers have done a good job documenting at least
292 vulnerabilities in EVMs, many of which can be exploited quickly
and covertly, it is important to remember how prevalent these machines
are. Unfortunately, it doesn’t appear that any organization is
tracking precincts by the specific vendor and model of EVM.
Ballotpedia maintains a concise list of the types of voting machines
by state. According to a Huffington Post article, 15 states use the
AccuVote TSx Touchscreen EVM, which has at least 10 publicly
documented and unpatched vulnerabilities. Based on a quick search,
Mississippi, South Carolina, and Texas use the ES&S iVotronic machine,
which has over 30 publicly documented and unpatched vulnerabilities.
It is
interesting to note that Colorado and Oregon vote by mail only,
meaning they are effectively immune to vulnerabilities in the EVMs
used by other states.

One of the most disturbing aspects of these 292 EVM vulnerabilities is
that 274 (93.8%) do not have a known solution. Only two of these
issues have an upgrade available. The U.S. government, which should be
tracking these, is in a bad position because only a single EVM
vulnerability has a CVE ID assigned.

The other disturbing aspect of the state of EVM vulnerabilities is
that the vendors still do not appear to be putting any effort into
improving their devices. In addition to a lack of solutions for the
issues, none of the EVM vendors publish security advisories, none of
them operate bug bounties, and none appear to make changelogs
available. If there are patches or upgrades to resolve some of these
issues, there has been no apparent push by the vendors to disseminate
that information.

The midterms are only days away. While we’d like to report that the
situation has improved since our April 2016 post, it’s clear that the
outlook isn’t good for resolving this critical weakness in our voting
process without a focused, concerted effort to address the current
state of EVM vulnerabilities by vendors and government officials. For
now, as you cast your vote, be vigilant and review any paper trail to
ensure it correctly captures your selections.
