Lessons from Virginia - A Comparative Forensic Analysis of WinVote Voting Machines

Conference: BlackHat USA 2018



The talk covers the importance of using paper and conducting post-election audits in ensuring the credibility of elections, particularly in the United States.
  • Article 21.3 of the Declaration for Human Rights states that a genuine and credible election is a human right
  • Technology increases the attack surface of voting systems, making them vulnerable to cyber attacks and alleged cyber attacks
  • Post-election audits using paper ballots are a good means of generating trust and confidence in the election result
  • Risk-limiting audits, pioneered by Philip Stark, require a secure paper trail and a random sample of ballots to be drawn in order to gain confidence in the election result
  • Only the state of Colorado has implemented risk-limiting audits, while some states still use machines without paper evidence
  • Voter-verified paper evidence is crucial in ensuring the accuracy and integrity of the election result
The speaker hacked a decommissioned voting machine and conducted forensics on it, finding that there is no good mechanism to verify if a machine was hacked or not. The paper trail is a better means of verifying the election result. The speaker also emphasized the importance of conducting post-election audits using paper ballots, as they provide a more secure and reliable means of verifying the election result.


The WinVote voting machine was used extensively in Virginia elections during 2004 and 2015. It has been dubbed the worst voting machine ever, and for good reasons. It runs Windows XP, service pack 0. It has Wi-Fi enabled by default. It uses WEP security, and all WinVote machines appear to use the same password, "abcde". Age-old exploits give adversaries administrator-level privileges without physical access to the machine and, to make matters worse, the remote desktop protocol is enabled by default on each and every machine. All of this is well known and well documented; however, there are lessons to be learned that go beyond hacking, lessons that affect society as a whole.

The single most important concern of any electoral process is the trust of the voters: winners and losers alike must be convinced of the quality of the electoral process so that all are able to accept the outcome. This is a tall order because, as we all know by now, national elections use election technologies in highly contested adversarial environments, where network, hardware, software, and configuration processes must be assumed to be under the adversary's control. The WinVote can be used as an instrument by hackers to influence the election result.

Using the WinVote voting machine as an example, I will demonstrate in my talk what threat WinVote machines and machines like it pose to democracy. I will also outline ways to achieve credible levels of election security. The key is evidence production, either in the form of paper ballots, cryptographic proofs, multiple result paths, or statistical evidence. The WinVote doesn't implement any of these, hence it is the perfect stealth tool for adversaries.

This prompts the question of whether election meddling took place in Virginia at any time while WinVote machines were in service. After these machines were officially decommissioned in 2015, a number of them were released into the wild. We managed to secure a few of them and forensically analyzed them using standard tools and by comparing the content of their respective drives. A few more machines are on their way. The evidence left on each machine consisted of two SSD drives, one small (32MB) and one large (384MB or 512MB).

At the time of writing this report, no smoking gun indicating election meddling could be identified. However, we could clearly establish that some WinVote voting machines were used for purposes other than voting: one voting machine was used to rip songs from CDs and broadcast MP3s, most notably, perhaps, a Chinese song from 1995: 白雪-千古绝唱.mp3.

Trust in elections cannot be achieved through technology alone - it can only be achieved by means of producing evidence and checking it for consistency. After Black Hat 2018, the United States has only approximately 90 days left to get ready for the 2018 midterm elections. At the time of writing this talk proposal, several States still use voting machines similar to the WinVote that do not produce any form of evidence.
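The drive comparison described above can be sketched as follows. This is an added example, not the speaker's tooling: it assumes each drive image is already mounted read-only as a directory, treats the content held by a strict majority of machines as the baseline (a choice made for this example), and uses constructed file names and contents.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

def hash_tree(root):
    """Map relative path (lower-cased: Windows file systems ignore case) -> SHA-256."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            key = path.relative_to(root).as_posix().lower()
            digests[key] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_machines(trees):
    """trees: {machine: {path: digest}} -> deviations from the majority content.
    'extra' means no majority version exists: one-off files, but also per-machine logs."""
    votes = {}
    for files in trees.values():
        for path, digest in files.items():
            votes.setdefault(path, Counter())[digest] += 1
    baseline = {}
    for path, counter in votes.items():
        digest, count = counter.most_common(1)[0]
        if 2 * count > len(trees):  # strict majority holds identical bytes
            baseline[path] = digest
    return {m: {
        "extra": sorted(p for p in f if p not in baseline),
        "missing": sorted(p for p in baseline if p not in f),
        "modified": sorted(p for p in f if p in baseline and f[p] != baseline[p]),
    } for m, f in trees.items()}

SAMPLE = {  # constructed file trees, not taken from any real machine
    "a": {"app/vote.bin": b"v1", "app/help.txt": b"h", "app/config.ini": b"cfg"},
    "b": {"app/vote.bin": b"v1", "app/config.ini": b"cfg"},
    "c": {"app/vote.bin": b"v1", "app/help.txt": b"h",
          "APP/config.ini": b"edited", "media/track.mp3": b"audio"},
}

def demo():
    # Write SAMPLE to a temporary directory standing in for mounted images.
    with tempfile.TemporaryDirectory() as tmp:
        for machine, files in SAMPLE.items():
            for rel, data in files.items():
                target = Path(tmp, machine, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return compare_machines({m: hash_tree(Path(tmp, m)) for m in SAMPLE})

if __name__ == "__main__":
    print(demo())
```

A clean comparison only shows that the machines agree with each other; it cannot show that the shared content is what was certified, which is why the talk points to paper evidence rather than the machines themselves.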