Posted: 2 Min ReadElection Security

Someone Got into These Voting Machines. But Who?

BlackHat presentation uncovers evidence of irregularities in WinVote machines used in Virginia for state, national elections

More than 15 years after many states first adopted electronic voting machines, security questions continue to swirl.

Voting machine makers and election officials have all along rejected assertions that the machines can be remotely hacked. Yet many systems were not originally designed with strong security in mind. Even after security features were later included, experts still criticized their poor implementations.

So it is that an academic from the University of Copenhagen has offered more fuel to the debate with the discovery of irregularities in eight WinVote voting machines used in Virginia’s elections for more than a decade.

Carsten Schuermann, an Associate Professor, IT University of Copenhagen, shared his findings at the BlackHat conference in Las Vegas. He supplied data pointing out security weaknesses in the WinVote systems used in Virginia for state and federal elections between 2004 and 2014.

Adding another piece to the puzzle, Schuermann recounted that 3 of the machines used during the 2005 Virginia gubernatorial election dialed out via their modems on Election Day.

The WinVote voting machines, dubbed "America's worst voting machine," ran Windows XP and had by default Wifi enabled. They also used the same password "abcde.”

“That’s not a very secure password,” Schuermann quipped.

The WinVote machines didn’t offer much in the way of evidence production - paper ballots, cryptographic proofs, multiple result paths, or statistical evidence. Schuermann conducted a forensic analysis on the SSD disks in the WinVote machines but was not able to offer evidence adding up to election meddling.

However, he did discover that some WinVote voting machines were used for purposes other than voting; in particular, Schuermann found that one of the voting machines was used to rip songs from CDs and broadcast MP3s, including a Chinese song from 1995. That doesn’t mean they were hacked but it raises unanswered questions about what are clear irregularities.

“It’s kind of strange that there are MP3s installed on these voting machines,” he said.

Adding another piece to the puzzle, Schuermann recounted that 3 of the machines used during the 2005 Virginia gubernatorial election dialed out via their modems on Election Day. There may have been an innocent explanation, including the possibility of a security update. Yet at the same time, Schuermann disclosed that more than 60 files on two of the systems used in the 2013 Virginia state elections had been modified on Election Day before the polls closed.

But did anyone access machines exploiting known vulnerabilities? Did anyone install rootkits or malware? Did anyone use the voting machines for other purposes? Lastly, did anyone muck with the binaries?

Those are questions that remain unknown.

In the meantime, Schuerman said, election authorities should check the veracity of their results to convince their electorates that the vote count was legitimate.

“It’s really, really important if you want to convince people this is a genuine election that you do these kinds of post-election audits,” he said.

(Originally Published 08/13/2018)

You might also enjoy
Election Security3 Min Read

Thinking Outside the (Ballot) Box: Blog #1 Threats from the Inside

State and local governments must continue to think beyond voting boxes, voter rolls, to protect the electoral process

About the Author

Charles Cooper

Consulting Editor

Charles Cooper has covered technology and business for more than 25 years. He is now assisting Symantec with our blog writing and managing our editorial team.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.