Virginia Regulatory Town Hall
Agency: Department of Elections
Board: State Board of Elections
Chapter: Election Administration [1 VAC 20 ‑ 60]
4/11/15  9:46 am
Commenter: Jeremy Epstein, Virginia Verified Voting

WinVote is an unacceptable risk and must be decertified
 

Virginia Verified Voting endorses the proposed decertification of the WinVote Direct Recording Electronic (DRE) voting system.  

Our reasons for supporting the decertification include:

(1) Every DRE that has been examined in the US has been found to have significant security flaws, so we are not surprised that the WinVote systems are highly vulnerable.  These vulnerabilities are the reasons that virtually all states stopped purchasing DREs some years ago, and nearly all states are moving towards purchasing optical scan systems which allow for auditing.   The WinVote was decertified in Pennsylvania several years ago due to security concerns.

(2) The WinVote is at higher risk to security attacks than any other DRE in the US, because it is the only DRE that includes WiFi technology, allowing it to be attacked without any physical access to the voting system.  The encryption used, WEP, can be bypassed within a few minutes using an ordinary laptop computer, allowing any attacker within several hundred feet of the polling place to see and potentially modify votes.

(3) There is no way to know whether the WinVote systems have been compromised in the past, nor would there be any way to know if they are compromised in the future.  The WinVote system has no monitors, logs, anti-virus, or other detection mechanisms.

(4) Aside from the issue of WiFi security, votes are stored by the WinVote in an obsolete version of the Microsoft Access database program.  Every WinVote machine sold has the same encryption key (“shoup”) which cannot be changed by the state or localities, and so while the data is nominally encrypted, there is in reality no protection against observation or manipulation of the votes.  An attacker who gains access to any WinVote machine (e.g., via a WiFi attack) can change all votes without any evidence.

(5) The WinVote DRE is based on the Microsoft Windows CE 3.0 operating system, which has not received any security updates since October 9, 2007. Hence, any security vulnerabilities discovered over the past eight years are unpatched on the WinVote.  By contrast, there have been hundreds of security fixes to the Windows operating system over that time period, many of which likely exist in Windows CE, but no fixes are available.  (See http://www.microsoft.com/windowsembedded/en-us/product-lifecycles.aspx)  

(6) The manufacturer of the WinVote, Advanced Voting Solutions, went out of business several years ago.  To the best of our knowledge, no company or individual is maintaining the software to fix any problems in the voting software, even aside from the Windows CE operating system.

(7) The WinVote system was certified against the 2002 Voting Systems Standards (VSS).  The replacement for that standard, the 2005 Voluntary Voting Systems Guidelines 1.0 (VVSG), and the newer VVSG 1.1 (adopted in 2015) both prohibit wireless communications.  Thus, the WinVote clearly does not meet current standards for voting systems security, even if it met the standards at the time it was purchased.

Turning off the WiFi in the WinVote systems will reduce the risk, but the security vulnerabilities are far beyond just WiFi, as the security analyses of every other DRE brand have demonstrated.

There is no doubt that voters appreciate the ease of use of the WinVote DREs.  However, familiarity and ease of use do not equal security.

The State Board of Elections should decertify the WinVote machines immediately, and prohibit their use in any future elections.

Sincerely

Jeremy Epstein
Co-founder, Virginia Verified Voting
Member of the Advisory Board, Verified Voting Foundation, Inc.

CommentID: 39903