Download our in-depth report: The Ultimate Guide to IT Security Vendors
Virginia's State Board of Elections recently decertified the AVS WINVote voting system, which had been in use in more than 560 precincts statewide.
Kaspersky Lab reports that the machines have been in use since 2002.
According to a report [PDF] by the Virginia Information Technologies Agency (VITA), one precinct in Virginia reported "unusual activity with some of the devices used to capture votes" during a recent election.
In response, the Department of Elections asked VITA to perform a security analysis.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"The security review determined that the combination of weak security controls used by the devices would not be able to prevent a malicious third party from modifying the votes recorded by the WINVote devices," the report states. "The primary contibutor to these findings is a combination of weak security controls used by the devices: namely, the use of encryption protocols that are not secure, weak passwords, and insufficient system hardening."
Among the vulnerabilities VITA found were two USB ports protected by an "easily circumvented" lock, the use of weak WEP security to protect the devices' Wi-Fi access (with the unchangeable encryption key "abcde"), the use of outdated Windows XP Embedded 2002 without recent patches applied, and the storage of voting data in password-protected but unencrypted Microsoft Access databases.
"VITA recommends that the Advanced Voting Systems WINVote devices not be used in future elections," the report concludes.
"The Board and the Department took immediate action to address the serious security concerns identified with this equipment and to protect Virginia's electoral system from potential significant problems in the future," Department of Elections Commissioner Edgardo Cortes said in a statement [PDF].
In a blog post, computer scientist Jeremy Epstein wrote, "If an election was held using the AVS WinVote, and it wasn't hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded."
"Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know," Epstein added.
"I've been in the security field for 30 years, and it takes a lot to surprise me," Epstein wrote. "But the VITA report really shocked me -- as bad as I thought the problems were likely to be, VITA's five-page report showed that they were far worse."