Unsafe US eVoting Machines Exposed In New Report

Forget hanging chads. Damning report highlights shocking security of voting terminals used in American elections

An electronic voting machine used in certain US states has a shocking level of protection from hackers, a new report has revealed.

The AVS WINVote voting terminal is a self contained unit that includes a 15-inch touchscreen and comes equipped with WLAN access, built-in battery backup power, modem, and printer.

Widely Used

The problem with the AVS WINVote machine is that it runs a version of Windows XP Embedded that has reportedly not been updated in over ten years, and it is also hard encoded with very weak passwords and encryption.

AVS WINVote
AVS WINVote

So said a damning new report from the Virginia Information Technologies Agency (VITA), published this week, after errors with some of the machines interfered with vote counting during US elections late last year. The company that made the machines is not longer in business.

The offending voting machine has been previously used in the US states of Virginia, Pennsylvania and Mississippi to register people’s votes. Indeed, the machines have been used in numerous elections in the United States between 2002 and 2014, including three Presidential elections.

“As a result of  the findings included in this report, VITA recommends discontinuing use of the Advanced Voting System WINVote devices,” said the report.

“The security review determined that the combination of weak security controls used by the devices would not be able to prevent a malicious third party from modifying the votes recorded by the WINVote devices,” said the report. “The primary contributor to these findings is a combination of weak security controls used by the devices: namely, the use of encryption protocols that are not secure, weak passwords, and insufficient system hardening.”

Shocking Security

The AVS WINVote machine seems to be guilty of a number of security lapses.

The first is the admin passwords are easy to crack. According to the report, the machine is hard-coded with admin passwords such as “admin” and abcde”, which would be hopelessly easy to crack.

Unbelievably, that password protection secures the Windows admin account, the Wi-Fi network, and even the voting database on the machine.

The second security gaffe is that the machine is Wi-Fi enabled (802.11b) and boasts a shockingly poor level of encryption (WEP or wired equivalent privacy). WEP encryption of course has numerous flaws, and it was way back in 2001 that researchers first showcased how it was simple to crack the key used in WEP. Since then, automated tools such as aircrack-ng, make it easy to crack WEP keys in minutes.

“The devices broadcast their wireless network name (service set identifier, commonly known as the SSID) where it can be easily detected by most devices that have wireless cards,” the report also noted.

Other security gaffes with the machine is that it has no firewall, and on the physical side, its power button, USB ports, are all easily accessible.

Indeed, the researchers were able to easily circumvented the lock and force the voting machine to boot from a USB-connected CD-ROM containing an alternative operating system instead of the internal drive of the voting machine.

The AVS WINVote machine also uses a version of Windows XP Embedded that has not had a security patch since 2004.

“Because the WINVote devices use insecure security protocols, weak passwords, and unpatched software, the WINVote devices operate with a high level of risk,” concluded the report. “The security testing by VITA proved that the vulnerabilities on the WINVote devices can allow a malicious party to compromise the confidentiality and integrity of voting data.”

Are you a security pro? Try our quiz!