Lessons from Virginia - A Comparative Forensic Analysis of WinVote Voting Machines

Presented at Black Hat USA 2018, Aug. 9, 2018, 9 a.m. (25 minutes)

<p>The WinVote voting machine was used extensively in Virginia elections during 2004 and 2015. It has been dubbed the worst voting machine ever, and for good reasons. It runs Windows XP, service pack 0. Wi-Fi is enabled by default. It uses WEP security, and all WinVote machines appear to use the same password, "abcde". Age-old exploits give adversaries administrator-level privileges without physical access to the machine, and to make matters worse, the remote desktop protocol is enabled by default on each and every machine. All of this is well known and well documented; however, there are lessons to be learned that go beyond hacking, lessons that affect society as a whole.</p><p>The single most important concern of any electoral process is the trust of the voters: winners and losers alike must be convinced of the quality of the electoral process so that all are able to accept the outcome. This is a tall order, because, as we all know by now, national elections use election technologies in highly contested adversarial environments, where network, hardware, software, and configuration processes must be assumed to be under the adversary's control. The WinVote can be used as an instrument by hackers to influence the election result.</p><p>Using the WinVote voting machine as an example, I will demonstrate in my talk the threat that WinVote machines and machines like them pose to democracy. I will also outline ways to achieve credible levels of election security. The key is evidence production, in the form of paper ballots, cryptographic proofs, multiple result paths, or statistical evidence. The WinVote doesn't implement any of these, hence it is the perfect stealth tool for adversaries.</p><p>This prompts the question: did election meddling take place in Virginia at any time while WinVote machines were in service? After these machines were officially decommissioned in 2015, a number of them were released into the wild. 
We managed to secure a few of them and forensically analyzed them using standard tools and by comparing the contents of their respective drives. A few more machines are on their way. The evidence left on each machine was two SSD drives, one small (32MB) and one large (384MB or 512MB).</p><p>At the time of writing this report, no smoking gun indicating election meddling could be identified. However, we could clearly establish that some WinVote voting machines were used for purposes other than voting: one voting machine was used to rip songs from CDs and broadcast MP3s, most notably, perhaps, a Chinese song from 1995: 白雪-千古绝唱.mp3.</p><p>Trust in elections cannot be achieved through technology alone; it can only be achieved by means of producing evidence and checking it for consistency. After Black Hat 2018, the United States has only approximately 90 days left to get ready for the 2018 midterm elections. At the time of writing this talk proposal, several states still use voting machines similar to the WinVote that do not produce any form of evidence.</p>

Presenters:

  • Carsten Schuermann - Associate Professor, IT University of Copenhagen
    Carsten Schuermann is an academic expert in election security. He has ten years of experience conducting research in elections. He has written over 60 academic papers, contributed to books, and hacked the WinVote voting machine at DEF CON 2017 shortly after the Voting Machine Voting village opened. Schuermann is a member of the computer science faculty at IT University of Copenhagen and leads the Center for Information Security Research. Before that, he was a member of the Computer Science Department at Yale University. Schuermann holds a PhD degree from the Computer Science Department at Carnegie Mellon University, and a German Master in Computer Science from University of Karlsruhe. Schuermann has been working with the Carter Center, USA, Council of Europe, Venice Commission, and International IDEA (Sweden).
