WinVote

The AVS WINVote is a model of DRE machine formerly used in several states, including Mississippi, Virginia, and Pennsylvania. Noteworthy for its accessibility via WiFi, it is considered one of the most vulnerable election systems ever deployed and was eventually abandoned by all jurisdictions because of its glaring vulnerabilities. Known problems include:

  • The WINVote machines have Remote Desktop Protocol enabled on their networks, meaning that one can access these machines remotely, even from a smartphone.
  • These machines' USB ports are unprotected. Plugging in an external keyboard and pressing Control-Alt-Delete will get out of the voting program and into Windows XP.
  • WINVote runs a stripped-down version of Windows XP that has not received security updates since 2004.
  • The WINVote’s wireless networking function cannot be disabled and is intended to be used to program some parts of the election. This network is protected with the password “abcde” and WEP encryption, an algorithm which is quite outdated and easily cracked.
  • The machines do not perform any checks on the file containing election results to ensure that it has not been modified, and do not log changes to it.
  • The administrator password on the machines is hardwired to “admin”.
  • While some parts of Windows XP have been disabled, others, including Command Prompt, have not, and it is possible to run other programs in the background which would tamper with votes cast.
  • Each machine pulls its software updates from a server located at ftp.enfocom.com.
  • Election results on the machine are stored in a Microsoft Access file protected with the password “shoup”.
  • In 2003 an error with WINVote machines in Fairfax County, Virginia subtracted 2% of the votes from an incumbent candidate for the school board, possibly flipping the race. (see here)
  • WINVote repeatedly failed federal certification owing to errors in the paperwork submitted to testing labs (see here).
  • AVS was sued in 2008 by Northampton County, PA for breach of contract after its machines were declared unusable by the state (see here).
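
The missing integrity check and change log on the results file, noted in the list above, is the kind of gap a tamper-evident write log closes. The following is an added example, not code from the WINVote or from the original page; the function names, sample results and key are constructed, and it assumes the MAC key is held somewhere an attacker on the machine cannot read it.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" used by the first log entry

def payload(entry):
    # Canonical bytes covered by the MAC: chain link plus results-file digest.
    body = {"prev": entry["prev"], "sha256": entry["sha256"]}
    return json.dumps(body, sort_keys=True).encode()

def entry_hash(entry):
    # Hash of a whole entry (MAC included); the next entry stores it as "prev".
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def log_write(log, results, key):
    """Append a MACed entry for the current results-file contents."""
    entry = {"prev": entry_hash(log[-1]) if log else GENESIS,
             "sha256": hashlib.sha256(results).hexdigest()}
    entry["mac"] = hmac.new(key, payload(entry), hashlib.sha256).hexdigest()
    log.append(entry)

def verify(log, results, key):
    """Return 'ok', or a description of the first inconsistency found."""
    if not log:
        return "no log entries"
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = hmac.new(key, payload(entry), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return f"log entry {i} altered or out of sequence"
        prev = entry_hash(entry)
    # The newest entry must describe the file as it exists now.
    if log[-1]["sha256"] != hashlib.sha256(results).hexdigest():
        return "results file changed without a logged write"
    return "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"        # assumption: real key is kept off the machine
    first = b"precinct=12;A=120;B=95"    # constructed sample results
    second = b"precinct=12;A=121;B=95"
    log = []
    log_write(log, first, key)
    log_write(log, second, key)
    print(verify(log, second, key))
    print(verify(log, b"precinct=12;A=121;B=59", key))
```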

 

How to Hack:

The main vulnerability in the WINVote machine is the USB port located on the back of the machine. One can simply plug a USB keyboard into the back of the machine to trigger commands. It is important to note that the WINVote runs a custom install of XP, and lacks many of the standard features of the full version. On machines where pushing CTRL-ALT-DELETE does not work, read this article: https://4sysops.com/archives/forgot-the-administrator-password-the-sticky-keys-trick/. Though this is a tutorial for Windows 7, it also works for Windows XP, which is the base OS the WINVote runs.

 

Task Manager is our main jumping-off point for hacking the WinVote machine. Task Manager will allow us to start any program we want, including a super-administrator command prompt. After the machine boots fully, it hasn’t technically logged into any account, admin or otherwise. So the machine has the same super-user, super-admin privileges as a command line terminal open on any Windows machine before being logged in.

With Task Manager, one can click on the “RUN” tab and run any program, including File Explorer and Command Prompt. To run these, type in the Run dialog box:

explorer.exe

or alternatively:

cmd.exe

With these two programs, we were able to gain full unrestricted access to the machine. Explorer.exe gives us access to view all the files on the machine, including voter data files which are stored in Microsoft Access files locked with the password: “shoup”, which was the name of the old parent company — one of the many examples of how poorly secured the WINVote machines are.

With Command Prompt, one can install external programs or malware, create administrative accounts, and add outside admins.

To show the vulnerabilities of this machine we put solitaire on it, which is the only thing we think this touch screen piece of trash is good for.

Resources:

  • Start with these articles from Slate and Yahoo Tech for background on the machines and their worst flaws.
  • This report lays out the design lessons from the failure of WINVote and how one might easily attack one of these machines.
  • After numerous errors with WINVote during the 2014 elections (see here), Virginia commissioned two reports (one and two) which lay out numerous damning errors with the machines and led to their decertification.
  • A collection of resources on these machines courtesy of Jeremy Epstein.