Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)
Cylance's Voting Machine Hack Based on 2007 ResearchA Media Stunt Before the Election? Cylance Says No
Late last Friday, security upstart Cylance published a blog post and news release that unsurprisingly has since triggered a handful of news stories: An aging voting machine still used in more than a dozen U.S. states is vulnerable to tampering.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Titled "Cylance disclosed voting machine vulnerability," the short post contained a video showing how a ballot could be manipulated on a Sequoia AVC Edge Mk1, a machine first produced in 1990 that will be used in some states in today's presidential election.
"Greg Singh, director of sales engineering at Cylance who's based in Sydney, denied that the company was making a well-timed play for publicity."
The hack involved removing a PCMCIA card, reflashing the firmware to muddle the candidates and vote tallies and reinserting the card. In a presidential campaign where hacking has played an unprecedented role, the finding is sure to stoke more anxiety (see Clinton, Trump: Head-to-Head Over Purported Russian Hacks).
But the security problems highlighted by Cylance were first outlined in a July 2007 paper by university researchers. It doesn't appear Cylance furthered those findings except to show that the researchers work was accurate, which wasn't in doubt.
Cylance acknowledges the research paper in its blog post, writing that its work instead marks the first public demonstration of those vulnerabilities. The company's media blitz has raised questions as to whether the demo is beneficial right before an election that Republican candidate Donald Trump has already suggested may be corrupted.
"Obviously it's a concern that it's so close timing wise," says Pamela Smith, president of Verified Voting, a nonprofit organization that studies electronic and e-voting. "I think it's good there's been conversation about security, but it's a delicate balance. Nobody wants voters to think 'What's the point? It's all going to be hacked anyway'."
Greg Singh, director of sales engineering at Cylance who's based in Sydney, denied that the company was making a well-timed play for publicity.
"I really don't think that's the case at all," Singh says. "It's a point of interest to a number of parties in the normal realm of media and reporting. Be it presidential election time or not, Cylance would have released this type of finding, as we have with other devices and types of exploits that we've discovered in the past. It certainly wasn't done as a publicity stunt."
Weak Security Controls
Cylance's experiment largely relies on vulnerabilities described on page 31 of the research paper. The AVC Edge's PCMCIA card holds ballot information, such as candidate names. The researchers found the cryptographic and other security measures meant to protect that data from tampering were ineffective.
"Malicious Edge firmware can be configured to record and report incorrect vote data on the Results Cartridge and on the internal Audit Trail," the paper reads.
So that's what Cylance did: It inserted fake candidate names, showing in a mock 2008 election how a John Smith could lead the presidential tally with Barack Obama erased from the ballot. It tampered with both the protected and public vote counters, with the machine regurgitating a paper receipt that verified the bogus results.
There are obvious problems with the AVC Edge that date from the era in which it was made, but there are a couple of defenses: using tamper-resistant seals over the PCMCIA card and educating polling officials to keep unauthorized people away from the machines. There's also another hurdle for an attacker: To successfully modify votes, the machine has to be rebooted after the reprogrammed card is inserted.
No Paper Trail
Verified Vote has a page dedicated to the security problems around the AVC Edge. It is known as a direct recording electronic voting system, and as originally configured had no paper record to consult. A touch-sensitive screen transmits voter selections through software to memory, which is the sole record of voter entries. Such systems often have closed-source code, which doesn't allow for independent security audits.
Sometimes termed black box voting, these systems drew deep concern in the early 2000s. Smith says that Nevada was one of the first states to require that the AVC Edge also accommodate a paper trail, which was added in 2004.
She says having a paper trail is crucial requirement for DRE machines, as it allows the electronic tallies to be verified in audits and for voters to ensure their ballot has been cast correctly. Other states followed in implementing a paper trail with AVC Edge machines including California, Nevada, Arizona, Illinois, Wisconsin, Missouri, Colorado and Washington.
But there are a few places that even today do not have a paper trail for the AVC Edge, including the key battleground state of Florida. Two counties in Florida use the machines for people who for accessibility reasons can't use paper ballots, Smith says.
As in the 2000 election between George W. Bush and Al Gore, the outcome can come down to a relative handful of votes. It's not out of the question that a single county in Florida could swing the election one way or the other. Smith says Louisiana and Virginia also used the Edge with no paper trail as well as one county each in Pennsylvania and New Jersey.
A Brighter Future?
The AVC Edge was made by Sequoia Voting Systems, a company acquired by Dominion Voting Systems in June 2010. Efforts to reach Dominion officials by email and phone were unsuccessful.
Cylance's Singh says that the company notified Dominion of the vulnerabilities but didn't hear back. I asked when Cylance notified Dominion, and the company later said that its "respect of responsible disclosure extends to the confidentiality of communications" and that the timing details couldn't be disclosed. That's a bit out of the norm, as most security researchers who disclose vulnerabilities customarily provide a notification timeline.
Even if Cylance's demo is old hat to security researchers who've analyzed e-voting systems, Smith says this kind of research helps raise awareness around the vulnerability of electronic voting systems and the need to replace vulnerable machines. That movement, she says, has been building over the last decade.
"There's been a turning away from purely electronic systems and turning towards more verifiable systems," she says.
So, even if Cylance's demonstration is a cheeky rehash, perhaps it will spur federal election authorities to pursue more funding for secure voting machines and retire the AVC Edge for good.