Getting To Know Your Electronic Voting Machine. Friend Or Foe?

In April 2016, we published a blog on electronic voting machine (EVM) vulnerabilities titled “To date, Risk Based Security has cataloged over 260 vulnerabilities in electronic voting machines.” Today, that number stands at 292. With the midterm elections coming up, the topic of voter influence, foreign meddling, and EVM security is back in the news, including another area for concern as pointed out by Andrea Matwyshyn.

Fundamentally, it doesn’t matter how a vote is lost or changed, be it from EVM technical failure, voting staff, or computer criminals. As Kim Zetter reminds us, “When your vote gets lost/stolen because the voting machine failed to record it or a hacker changed it, there’s no recovery…unless your county is using optical-scan machines with paper ballots and performs manual audits of the paper.” Since Risk Based Security tracks vulnerabilities, that is our primary focus in examining this topic, while fully acknowledging that the threat of foreign influence and U.S. politics are as big, or a bigger danger to election tampering.

Since our last blog post, the biggest news in EVM vulnerability disclosure is the DEF CON Voting Village being established. Founded at DEF CON 25 in 2017, the concept is to bring in a wide variety of EVMs that are currently used in our elections, and let security professionals and hackers go to work uncovering vulnerabilities in them. After the convention wraps up, the Village releases a report of the collaborative findings. After the first village, the published findings put the fear into EVM vendors as Violet Blue writes. With the publication of the latest Voting Village report, the resulting news headlines are not a surprise: “Voting Machines Are Still Absurdly Vulnerable to Attacks

As the only company that tracks EVM vulnerabilities, to the best of our knowledge, the 2017 and 2018 reports from the Voting Village were of particular interest to us. One challenge with writing such reports is making them readable to a wide variety of audiences, ranging from the technical to the policy maker. The reports need to be digestible equally regardless of technical skills. However, one pitfall we see from time to time is that critical technical details are left out such as the version tested or a device model. This type of error often means that while a report may disclose what appears to be nine issues, only seven of them may be actionable. At a minimum, we must know the vendor and product, so a missing model number is bad. Another problem we often see that popped up in one of the reports, is when a disclosure withholds technical details out of fear of exploitation. While we fully understand why some researchers do this, it may make the disclosed issue too vague to be actionable. If that issue sounds close enough to a prior disclosure, we run the risk of publishing two vulnerability entries that cover the same issue. That in turn leads to skewed statistics, potential confusion, and unnecessary administrative action trying to remediate the issue. With that in mind, let’s look at the two reports in a bit more detail.

The DEF CON 25 Voting Village report (PDF) covers three days of testing six different EVM machines and contained dramatic results, including an AVS WinVote machine that was “hacked and taken control of remotely in a matter of minutes”. More alarming is that it was done “using a vulnerability from 2003, meaning that for the entire time this machine was used from 2003-2014 it could be completely controlled remotely, allowing changing votes, observing who voters voted for, and shutting down the system or otherwise incapacitating it.” That attack was due to the system running an outdated and unpatched version of Microsoft Windows vulnerable to MS03-026. Overall, the report outlines three new vulnerabilities affecting two different machines, re-discovered two vulnerabilities in the Premier Election Solutions (Diebold) ExpressPoll 5000 that were previously disclosed, and covered the Windows vulnerability that impacts the AVS WinVote giving readers a total of six vulnerabilities.

The DEF CON 26 Voting Village report (PDF) covers three days of testing seven different EVM devices or components, some of which were tested in the previous year (includes the AVS WinVote and AccuVote TSx). While this report garnered a lot of attention and fanfare, it lacked considerable detail in some areas meaning some potential findings were not actionable. Ultimately it resulted in just four new vulnerabilities for us in the database, one of which was previously disclosed in 2007. Again, there were considerably more findings in this report, but due to the way they were described, they either weren’t actionable due to missing information, or weren’t actionable due to likely being disclosed before.

Risk Based Security encourages the Voting Village to be mindful of this in the coming years and to consider including an appendix with a traditional advisory for each distinct vulnerability. We’d also like to offer our assistance in preparing the report by providing complimentary technical editing and guidance to help ensure the findings are the most impactful.

While security researchers have done a good job documenting at least 292 vulnerabilities in EVMs, many of which can be exploited quickly and covertly, it is important to remember how prevalent these machines are. Unfortunately, it doesn’t appear that any organization is tracking precincts by the specific vendor and model of EVM. Ballotpedia maintains a concise list of the types of voting machines by state. According to a Huffington Post article, 15 states use the AccuVote TSx Touchscreen EVM which has at least 10 publicly documented and unpatched vulnerabilities. Based on a quick search, Mississippi, South Carolina, and Texas use the ES&S iVotronic machine which has over 30 publicly documented and unpatched vulnerabilities. It is interesting to note that Colorado and Oregon vote by mail only, meaning they are effectively immune to vulnerabilities in the EVMs used by other states.

One of the most disturbing aspects of these 292 EVM vulnerabilities is that 274 (93.8%) do not have a known solution. Only two of these issues have an upgrade available. For the U.S. government, who should be tracking these, they are in a bad position because a single EVM vulnerability has a CVE ID assigned.

The other disturbing aspect of the state of EVM vulnerabilities is that the vendors still do not appear to be putting any effort into improving their devices. In addition to a lack of solutions for the issues, none of the EVM vendors publish security advisories, none of them operate bug bounties, and none appear to make changelogs available. If there are patches or upgrades to resolve some of these issues, there has been no apparent push by the vendors to disseminate that information.

The midterms are only days away. While we’d like to report that the situation has improved since our April 2016 post, it’s clear that the outlook isn’t good for resolving this critical weakness in our voting process without a focused, concerted effort to address the current state of EVM vulnerabilities by vendors and government officials. For now, as you cast your vote, be vigilant and review any paper trail to ensure it correctly captures your selections.