CSW2017 Harri hursti csw17 final

© 2016 Nordic Innovation Labs. All Rights Reserved.

November 22, 2016

Touch-and-Go Elections How convenience has taken over security, again. Harri Hursti


Presentation Title Goes Here

Why I am talking about this?

u  Started hacking election machines in the summer of 2005 by invitation of Election Supervisor Ion Sancho of Tallahassee, Florida

u  Have participated 3 government sanctioned election machine security studies u  In my opinion, the EVEREST Report commissioned by the Secretary of State Ohio

is the most important – the redacted report was 316 pages u  Written in 2007 so it is old and claimed to be outdated u  Studied around the world about systems used in other countries u  In the recent US Presidential election participated as an expert witness in 3 state

lawsuits and additional Federal suits u  … and those proceedings are not yet closed

… it is a long story



What this talk is and is not about?

u  Not an announcement of a new hack u  Not making claims that the elections were hacked u  This is to provide information and insights what has been going on

… just to make it clear



How it all started ...

u  2005 hack of Diebold machines u  2007 California top-to-bottom review u  2007 EVEREST of Ohio u  … and that was the last wide scale independent

security review in the USA u  After, new systems have been deployed … and never independently reviewed

•  52 models of voting machines were used in 2016 election

…



What kind of system they use ...



This is a simple ballot ...



39,695 ballots



Who is responsible in the government ...

u  NIST drafts The Voluntary Voting System Guidelines (VVSG) u  The Election Assistance Commission (EAC)

u  Independent agency of the United States government created in 2002 (HAVA) u  Adopting voluntary voting system guidelines u  Accrediting voting system test laboratories u  Certifying voting equipment u  … and a lot more with staff of 30 employees

u  2010 the EAC lost its quorum of Commissioners u  preventing many normal operational duties

u  December 2014 the U.S. Senate confirmed 3 out of 4 Commissioners u  Back in business … right ?

u  For a while ...

… on the Federal level



Not so much... … this is not over yet … but may be heading towards the end



Developments elsewhere ...

u  DMCA 6th triennial review & rulemaking 2015 u  The mechanism to get exemptions u  Final ruling grants exemption ”for purposes of

good-faith security research” of voting machines, effective immediately

… DMCA



How to get a real election machine?

l  It used to be l  Still 10 years ago it was very difficult

to get any access to a voting machine l  All these 3 models are still in use in

general elections in USA l  … and some internationally

… That must be next to impossible?



… wait, there’s more!

l  There are companies you’d never imagine!

How about something intersting?




l  There are companies you’d never imagine!





l  And they sell everything you need to secure elections … like secure seals ...





l  Official seals? I am sure they wouldn’t sell those with no questions asked to anyone by just typing in a credit card. Right?




Oh no!

Facepalm!



Before the last year US elections Congressional hearings … explained why elections cannot be hacked

u  ”Citizens cast their votes at a voting machine that is not connected to the internet”

u  ”Because voting machines are not connected to the internet, a bad actor would need to physically access hundreds of voting machines that collect the votes.”

u  So the machines are not connected? Right?

u  Many Local Election Officials certainly believe that there is no ”Network access” even without the Internet



Sauk, WI … reporting their election night results

u  It is a common practice and often required by the law for local jurisdictions to report their results on the official website

u  This is the 1st page of the results published, and the only document available for a long time

u  Weird?




u  There are more votes reported in the individual races than the total ballots cast




u  Down the ballot the gap gets smaller




u  And after the 3rd it becomes normal ...



… fast forward 3 weeks or so … what did the recount say?

u  Minutes of the Board of Canvassers, December 1 : u  Clarification on election night totals was given as:

On election night after several unsuccessful attempts made by the City of Baraboo to modem-in the results from one voting machine, the results from that machine were manually entered by staff in the Sauk County Clerk’s office. When it appeared that the results still were not submitted, staff in the clerk’s office manually entered the results again, resulting in the results being entered twice. The error was count at the county canvass and race results were adjusted accordingly.

u  One machine in a city of 5777 ballots caused 2485 votes extra? u  More importantly : Modem in results?



Meanwhile in Florida … Actually a 1.5 years earlier ...

u  The equipment had been tested. The test had failed. u  The addendum was published to address an issue of failing the test.




u  “Testing conducted for this request was limited in scope to only regression testing of the Verizon C2 modem configuration.”

u  On May 11, 2015 : u  “When the modem process started, a 'Modem Error – Connection Refused by Host' occurred.” u  “BVSC determined that the IP address was incorrect” u  “Both attempts resulted in an 'SFTP Error Login Fail' error message” u  “... the vendor determined that the problem was due to the fact that configuration script in the firewall …

needed to be upgraded ...”




u  On May 14, 2015 : u  ”BVSC received the new firewall” u  ”.. also verifying the connection to BVSC's SFTP server from the vendor's home office ...” u  ”This resulted the vendor discovering that a typo existed in the configuration scripts that were provided with

the new firewall.”




u  On May 18, 2015 : u  “BVSC received the updated firewall firewall from ES&S” u  “The modem transmission went through successfully with no errors.” u  “As a final step, staff verified that the modemed election results yielded the expected counts.”

u  Success! In a week they sorted it out and modem was modeming without errors u  … and there certainly was no word “Internet” anywhere, so we are good. u  or maybe as Penn & Teller remind us, “Elvis didn't do no drugs”



Meanwhile in Florida … Actually a 1,5 years earlier ...

u  Voting machine marketing material says”: “Results are sent over a secure and hardened

network. Static Internet Protocol (IP) addresses are assigned to the modem inside each DS200. These IPs are added to the server’s “white list” while all other incoming IP addresses are blocked for a secure transfer.” u  So, what was this “The Modem” thingie anyways?

u  Footnote says : “Multitech MTSMC-C2-N3-R. 1”




u  Specifications are clear about TCP/IP functions...



Meanwhile in Florida … so what does this all mean?

u  Modem means something goes over TCP/IP and SFTP involving a firewall along the way u  We all know that TCP/IP does not mean Internet, neither does SFTP u  Neither does firewall mean Internet, on docs identified as Cisco ASA 5505 u  And certainly connecting into Verizon or Sprint LTE data service does not mean Internet

u  Netgear Zing and Jetpack 4G LTE MiFi/WiFi dongles are mentioned as alternatives to the 'Modem' regional results

u  … and a bad actor cannot go evil without physical access ... u  There are no specific IP addresses mentioned in those public documents u  FTP software is mentioned for secure FTP :

u  Server : Cerebus 6.0.7.1 u  Client : IPSwitch WS_FTP 12.4.1 u  (Client side system requires RMCOBOL 12.06 runtime =)



Meanwhile in Florida … so what does it all mean?

u  The actual certificate document lists also 3 wireless USB LTE devices: u  USB551L u  Netgear 341U u  Netgear 340U

u  USB memory sticks, CF cards, etc u  Anti-virus software is mentioned as optional

u  (as the computers are not connected to a network, right?)



Meanwhile in Florida … so what does it all mean?

u  Everyone in this room can agree that someone should take a serious look into these newer systems?



At least it's decentralized … and single place can only cause very limited damage

u  ”The Center for Election Systems is a unique project impacting all facets of Georgia's elections. It tests every voting machine used in the state, creates all federal, state and local ballots and houses the voter rolls for every district in Georgia.”

u  Georgia is a single vendor environment u  Central Election Management System servers are supported

by staff from the University. u  … and it is not a unique approach to have a 3rd party

handle a lot of the activities the public assumes are the responsibilities of the officials ...



At least it's decentralized … and single place can only cause very limited damage

u  Across the USA in many cases, the actual programming of the voting machines is done by 10-20 employee shops

u  Literally in a strip mall, and without any basic security

u  … while the Georgia outsource partner is a major university which is well funded and well prepared compared to its peers ...



What are the hot topics going forward? … where is the gold rush now?

u  Internet voting concepts keep on coming back. u  The newest snake oil is blockchain voting

u  Electronic pollbooks are attracting a lot of attention u  Those systems have to be real-time synchronized, and therefore networked u  Some systems vendors are pushing are virtual screen sharing systems from a central location



Housekeeping item, about those recounts … what happened?

u  Wisconsin – Recounted statewide, through not all by hand u  51 counties counted by hand, 9 by re-scanning (!), 12 by a combination u  11,883 votes were corrected (over half of the margin of victory was erased!)

u  Michigan – Halted after 3 days under opposition from state and the winning candidate u  10 counties finished, 12 started but not finished (out of 83)

u  Pennsylvania – Defeated in federal court under opposition from state and the winning candidate u  One county (out of 67) recounted by hand only 143 of its 228 precincts u  No published results. No information available.



Housekeeping item, about those recounts … what happened?

u  There was no evidence detected for an attack. u  Only in Wisconsin the probability to have detected an attack was meaningful

u  part of the votes were recounted by rescanning them and therefore in case of a hack... u  Important information learned about vulnerabilities! u  Fun numbers. The USA has:

u  200 million registered voters u  13,000 voting jurisdictions u  187,000 election precincts u  52 models of voting machines were used in 2016 election



Acknowledgements … to the partners in preventing crimes

u  Alex Halderman u  Matt Bernhard u  Margaret MacAlpine u  Justin Moore u  … and many others


Thank you! Q&A