LAS VEGAS -- The insecurity of electronic voting systems has been well-documented. But, so far, there has been no concrete evidence that those systems have been hacked in the field. However, a forensic analysis by security researcher Carsten Schuermann discovered irregularities in eight WinVote voting machines used in Virginia elections for more than a decade.
Speaking at Black Hat 2018, Schuermann, associate professor at IT University of Copenhagen, presented data that showed voting machine irregularities in WinVote systems used in a variety of state and federal elections from 2004 to 2014. In his session, titled "Lessons from Virginia - A Comparative Forensic Analysis of WinVote Voting Machines," Schuermann also pushed for mandated paper ballots and regular audits to mitigate potential threats.
"When you add technology to the voting process, you clearly increase its attack surface," Schuermann said.
Schuermann noted there are actually two problems with insecure voting machines. The first is obvious: The systems can be easily hacked.
"That's a real threat," he said. "But the other threat is equally important and equally dangerous, and that is the threat of an alleged cyberattack -- when people claim there was a cyberattack when there actually wasn't."
Such allegations can disrupt elections and damage the credibility of voting results. And because too many voting machines don't produce paper trails, he said, those allegations can be as damaging as a real cyberattack.
Schuermann had such a voting machine with him onstage -- a decommissioned WinVote system that had a printer, but only printed vote tallies and not individual ballots. He said he obtained eight WinVote voting machines from an unnamed source two years ago and first hacked into one of the machines for a DEFCON Voting Village session last year.
Schuermann followed up with a deeper forensic analysis that uncovered concerning voting machine irregularities, as well as serious vulnerabilities. He told the audience that while he had access to the machines' solid-state drives, he did not have any access to memory or memory dumps, security logs or a record of wireless connections.
But the data that was available showed a number of holes hackers could exploit, including open ports -- 135, 139, 445 and 3387, among others -- and unpatched versions of Windows XP Embedded from 2002 that were vulnerable to a critical buffer overflow attack, CVE-2003-0352.
"Another problem is that this machine has wireless turned on all the time," Schuermann said, adding that the wireless password for the systems was "ABCDE." "That's not a very secure password."
Carsten Schuermannassociate professor, IT University of Copenhagen
Those vulnerabilities in themselves didn't prove the machines had been hacked, but a closer examination of files on some of the WinVote voting machines showed unexplained anomalies. One of the machines, for example, had MP3s of a Chinese pop song and traces of CD-ripping software, and data showed the machine broadcast the song on the internet. That was strange, he said, but there were more concerning voting machine irregularities.
For example, three of the machines used during the 2005 Virginia gubernatorial election dialed out via their modems on Election Day, though the data didn't explain why. Schuermann speculated that perhaps the systems were getting a security update, but one of the machines actually dialed the wrong number.
In addition, two of the systems that were used in the 2013 Virginia state elections had more than 60 files modified on Election Day before the polls closed. And USB devices connected to one of the machines while the polls were open.
"That's really bizarre," he said.
It was unclear whether the files were modified as part of a system update, he said, and there wasn't enough data to explain what those USB connections were for. Schuermann cautioned the audience that the voting machine irregularities weren't necessarily evidence of hacking, but he said the uncertainty about the irregularities should serve as a call to action. Only a few states, he said, have electronic voting systems that produce paper ballots and can be audited.
"I have only one conclusion," he said. "And that is [to] use paper and do your audits."