On April 14, the Virginia State Board of Elections voted to immediately decertify use of the AVS WinVote touch-screen Direct Recording Electronic voting machine. That means that the machine, which the Washington Post says was used by “dozens of local governments” in Virginia, can’t be used any more, though the commonwealth is holding primaries in just two months. The move comes in light of a report that shows just how shoddy and insecure voting machines can be.
As one of my colleagues taught me, BLUF—bottom line up front: If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. A hacker wouldn’t have needed to be in the polling place—he could have been within a few hundred feet (say, in the parking lot) or within a half-mile if he used a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know.
Now for some background. The AVS WinVote is a Windows XP embedded laptop with a touch screen. Early versions of the software actually ran Windows 2000. (An election official told me about playing solitaire on the device.) Later versions ran a somewhat cut-down version, although it’s not clear to me how much it was actually simplified. The WinVote system was certified as meeting the Voting Systems Standards of 2002 and was approved for use in Virginia, Pennsylvania, and Mississippi. Pennsylvania and Mississippi both stopped using theirs a few years ago.
But Virginia used it as recently as the November 2014 election, when voting machines in one precinct were repeatedly crashing. Some suggested that the problem was caused by someone trying to stream music on a smartphone. (There were problems with other brands of voting machines, but I’m going to focus on the WinVote, because it’s the most egregious.) The State Board of Elections invited the Virginia Information Technologies Agency, the agency charged with providing IT services to the state government, to investigate the problem. The report, which was released April 14, includes a litany of problems. (I still don’t understand how the iPhone interfered with the system, but that’s not really important at this point.)
I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me—as bad as I thought the problems were likely to be, VITA’s report showed that they were far worse.
Full Article: AVS WinVote: Virginia voting machine’s password was admin.