The ABCs of Hacking a Voting Machine

A hacker who successfully infiltrated a voting machine at last year's DEF CON will demonstrate at Black Hat USA how he did it, as well as what he later found stored on other decommissioned WinVote machines.

It took computer scientist Carsten Schuermann just minutes last year to hack into one of the 30 pieces of voting equipment sitting in a cramped room in Caesar's Palace that housed DEF CON's maiden Voting Machine Village. He fired up his laptop, quickly spotted a WinVote voting machine on the Wi-Fi network using Wireshark, and then typed in a command that launched a Metasploit exploit.

"And, poof, that was it," Schuermann says. He was able to access the Windows XP-based voting machine using the Remote Desktop Protocol (RDP), exposing real election and voting data that was still stored in it. The voting machine's inherent weaknesses made it an easy mark: It ran XP (Service Pack 0), Wi-Fi and RDP were enabled by default, it employed the outdated WEP security protocol, and the majority of WinVote machines he had studied all used the same password: "abcde." 

"The only changes I did was turn off the machines remotely, and we added new files to the directories," he says. His exploit used an old buffer overrun flaw in XP, which apparently had not been patched on the voting machine.

Schuermann had been studying security weaknesses in the WinVote machine back at his home office at the IT University of Copenhagen in Denmark. He now has eight decommissioned WinVote machines that were used in previous elections – four from Virginia – that he's been dissecting and looking for clues of compromise and hacking attempts. He'll be back in Vegas in August at Black Hat USA, demonstrating just how he hacked the machine at DEF CON, as well as sharing some research findings from the WinVote machines he's been studying. 

[See Schuermann's Black Hat USA talk on August 9, Lessons from Virginia - A Comparative Forensic Analysis of WinVote Voting Machines]

"I'm going to bring a machine and show how easy it is to hack ... exploiting the same vulnerability" used in last year's DEF CON contest, he says. Schuermann, an academic who has been studying election security for a decade, used a root shell script to control the machine, and says he can change data on the voting machines. The notoriously insecure WinVote machines – which don't include a paper-trail feature – were replaced in Virginia prior to the 2016 election, but some localities, including some in Pennsylvania, still use them.

"Since these machines all have the same access point they connect to, once you know how to get into that wireless network ... and use the 'abcde' password, then you have networking access to the machine and can deploy the exploit. Then you're in," he says. "The scary thing is you could make this automatic: You could drive by polling stations and make changes on all of the totals in the voting machines."

Schuermann has been conducting forensic investigations on the disks in the WinVote machines using the open-source Autopsy forensic tool. "I was trying to understand if everything was OK with the machine or was it hacked," he says.

But because the machine's XP platform doesn't provide system logging, there's no way to track whether someone connected remotely to the machine. "There's no trail of who accessed it," Schuermann says. So the only way to spot a potential hack is the data on the disks.

So far, Schuermann has found traces of MP3 files on the disks of one of the WinVote machines, including a Chinese music file, he says. It appears the machine was used to record songs from CDs and play MP3s.
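As an added example (not code from the article or from Schuermann's Autopsy work): because the machine keeps no access logs, an examiner has only the disk contents to go on, and unexpected artifacts such as MP3 data are found by scanning the raw image for file signatures. The scanner below looks for ID3v2 tag headers and MPEG-1 Layer III frame syncs and reports their byte offsets; the disk image it runs over is a constructed sample.

```python
from typing import List, Tuple

ID3_MAGIC = b"ID3"


def is_id3v2_header(buf: bytes, off: int) -> bool:
    """ID3v2 header: 'ID3', major version (2,3,4), revision, flags, 4 sync-safe size bytes."""
    hdr = buf[off:off + 10]
    if len(hdr) < 10 or hdr[:3] != ID3_MAGIC:
        return False
    major, revision = hdr[3], hdr[4]
    size_ok = all(b < 0x80 for b in hdr[6:10])  # sync-safe integers keep the MSB clear
    return major in (2, 3, 4) and revision != 0xFF and size_ok


def is_mp3_frame_header(buf: bytes, off: int) -> bool:
    """MPEG-1 Layer III frame header: 11 sync bits, version 1, layer III, valid bitrate/samplerate."""
    if off + 4 > len(buf):
        return False
    b1, b2, b3 = buf[off], buf[off + 1], buf[off + 2]
    if b1 != 0xFF or (b2 & 0xE0) != 0xE0:
        return False
    version = (b2 >> 3) & 0x03          # 3 == MPEG-1
    layer = (b2 >> 1) & 0x03            # 1 == Layer III
    bitrate_idx = b3 >> 4               # 0 == free format, 15 == invalid
    samplerate_idx = (b3 >> 2) & 0x03   # 3 == reserved
    return version == 3 and layer == 1 and 0 < bitrate_idx < 15 and samplerate_idx != 3


def carve_mp3_traces(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every ID3v2 header or MP3 frame sync found in the image."""
    hits = []
    for off in range(len(image)):
        if is_id3v2_header(image, off):
            hits.append((off, "ID3v2"))
        elif is_mp3_frame_header(image, off):
            hits.append((off, "MP3 frame"))
    return hits


# Constructed sample "disk image": zero filler, an ID3v2.3 tag header at offset 512
# and an MPEG-1 Layer III frame header (0xFFFB9000: 128 kbps, 44.1 kHz) at offset 1024.
_img = bytearray(b"\x00" * 2048)
_img[512:522] = b"ID3\x03\x00\x00\x00\x00\x00\x21"
_img[1024:1028] = b"\xFF\xFB\x90\x00"
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    for offset, kind in carve_mp3_traces(SAMPLE_IMAGE):
        print(f"{kind} at byte offset {offset}")
```

On a real image, a hit list like this is a starting point for Autopsy-style review of the surrounding unallocated space, not proof of tampering on its own.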

"But there's no evidence real hacking happened" on the machines so far, he says, and no signs of election-meddling in vote counts. 

Even so, Schuermann says hacking one of the machines would have been fairly simple. "If anyone really knows what they are doing, they could hack those machines in a minute. And once you've hacked one, you know [how] to hack [others]," he says.

The biggest risk overall, he says, is citizens losing trust in an election and the voting systems if hackers are able to break into them and alter or change results. "Now, with the Russia investigation and election interference, people are becoming more aware that this is not only possible but also likely someday. That's the scary part," he says. 

His message for the US midterm elections: "How important [a] paper [trail] is," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

8/5/2018 | 7:41:50 PM
Let's fix this problem once and for all, the RIGHT way...!
There are all sorts of people hawking stupid non-solutions to the election security/trustworthiness/auditability problem.  One such nitwit is a radio talk show host, Brad Friedman, who is frustrating because he has such a loud microphone for his ignorance.

Some of the gripes are valid.  Clearly election equipment must not be hackable, especially while it's deployed for an election.  But when Brad mindlessly pushes "hand marked, hand counted paper ballots" as THE solution, he obviously hasn't thought very hard about the problem.

To begin with, there are a LOT of advantages to using smart, touch-screen voting machines, at least as the first stage of the election process.  They prevent overvotes, warn of unintentional undervotes, and don't allow ambiguous marking of ballots.

Once a voter has finished their voting on the touch-screen machine, that machine should print an unambiguously marked, NOT MODIFIABLE, hard copy human-readable (and scannable) version of the voter's ballot.  The voter should then verify that the definitive paper ballot as printed matches their choices.  Then they walk over and slide their approved permanent ballot into a stage two, scanner/counter/lockbox machine.

When the polls close at the end of the night, the election judge and clerks will generate multiple copies of the printed results totals from both the first stage AND the second stage systems.  These should be signed by the judge and each election clerk present.  Here in Dallas County (Texas) we generate five sets of results tapes to give to the County... under my proposal, we would generate SEVEN sets of tapes, from EACH of the first-stage and second-stage systems.  When the election judge drops off the results at the end of the evening, we would give the county the five tapes as we do now... AND hand one set of each stage's tapes to a representative of the Democratic Party, AND a representative of the Republican Party.

This allows the county, and BOTH parties, to independently compare the totals produced reflecting the ballots as printed, AND the totals counted by the ballots as deposited.  Obviously, any discrepancies found would be investigated thoroughly.  It would also allow all three parties to INDEPENDENTLY TALLY the votes, and this would catch (and thus prevent) any changing of the votes by someone in the county, or even at the state level.

Unlike "hand marked hand counted paper ballots", it would be IMPOSSIBLE for anybody to add extraneous marks to ballots after the ballot was cast... whether to create an overvote, or to fill in a voter-desired "no vote".

In addition, some statistically appropriate percentage of the definitive paper ballots would be selected for hand counting, just to verify that the first stage and second stage totals did in fact match the voter-verified printed definitive ballot they were casting.

While we're on the topic of voting integrity, note that generalized mail-in ballots, AND online voting, MUST not be allowed... there is NO way to ensure that someone in a position of power over the voter isn't looking over their shoulder to make sure they're voting "the right way", perhaps selling their vote (drugs, sex, alcohol, money...).

Note that with my system, as long as the definitive ballots are printed and voter-verified, and with the verified random hand recounting and parallel tabulation by three parties... hacking of the machines (at the polls, or even at the county and state levels) becomes a non-issue.  This is NOT true with ANY of the other election schemes I've seen proposed by others.  And I haven't heard anybody I've told about my proposed system explain any remotely plausible way that it could be hacked.