Old voting machine vulnerability sparks new round of outrage

With just four days separating the American public from Election Day, rising Irvine, Calif.-based cybersecurity company Cylance published an eyebrow-raising vulnerability disclosure report, complete with a video showing researchers hacking into a voting machine used in the United States. 

The company’s real-world exploit demonstration received almost immediate backlash on social media from a cohort of cybersecurity experts — many of whom noted that the vulnerability is old and that popularizing it would only serve to further degrade americans’ confidence in the upcoming election. A video of the hack accompained stories in PCWorld, Fortune, RT and InfoSecurity Magazine.

In an emailed statement to CyberScoop, Cylance CEO and President Stuart McClure wrote: 

“We did not seek [to] push this story and have no agenda other than to ensure the security and sanctity of our election process. Once our researchers discovered a potential new and real world vulnerability, we felt it was our responsibility to report our findings despite the timing of the election, particularly since there was still time for election observers and government authorities to respond with appropriate remedial measures … We contacted the vendor and the appropriate government authorities as soon as we confirmed our internal findings, but we will not comment on additional specifics beyond that.”

McClure declined to say when Cylance spoke with Dominion Voting Systems, the parent company of Sequoia.

To execute the aforementioned exploit, a hacker would need physical access to a machine’s control panel, which requires breaking into a tamper-evident seal. Seals are typically checked by election observers before and after a vote occurs. The likelihood of someone hacking into a voting machine by using this technique is infinitesimal and even so, the potential impact would likely be negligible at scale, according to Capital Alpha Security CEO Matt Tait.

“This campaign has been brutal, and we are at a point where one candidate is pushing a narrative of a ‘rigged election,’ and where the Guccifer 2.0 hacking group — widely attributed to Russian intelligence — has said they and other hackers will ‘monitor the election from inside the system,’ said Tait, “many voters are worried that the integrity of the vote count is at risk, and this cybersecurity company is capitalizing on those concerns.”

The vulnerable machines at the center of Cylance’s report, a model developed by Sequoia named the AVC Edge Mk1, will be used to cast votes in 12 states, over 1000 counties and 22,000 precincts on Nov. 8, according to information gathered by the Verified Voting Foundation.

Source: verifiedvoting.org

“That report is an example of some of the most irresponsible publicity grabbing I’ve seen in recent times,” said Gregory Miller, co-founder of the OSET Institute, an election technology think tank that recently briefed members of Congress.

“Yes – there are a number of these machines in service, but no this is not new news, and it does not deserve any coverage,” Miller said, “the exploit is well known to the election integrity and security communities.”

Sequoia’s AVC Edge voting machine carries a 14-inch LCD touch screen. Voters insert a “smart-card” into the machine and then cast a vote by touching an area on the computer screen. Votes are recorded to internal electronic flash memory. Once the polls close, all of the votes recorded on each machine are transferred to PCMCIA cards. These cards are then typically transported to another physical location where the content is uploaded to a computer network for tabulation.

Source: verifiedvoting.org

States where the machine will be used to cast votes include Arizona, California, Colorado, Florida, Illinois, Louisiana, Florida, Maine and Montana. The AVC Edge Mk1 was recently decertified in Virginia.

“This release is blatantly unethical,” Tait, a former Google security researcher, said, “the question of whether election officials can fix the vulnerability prior to the election at such short notice is pretty much a resounding no.”

Completely patching the AVC Edge Mk1’s vulnerability cited by Cylance would require significant changes to each device and its respective software, security experts told CyberScoop. Testing and deployment of an effective fix alone would likely take several weeks, explained Tait.

“If the company had published the bug weeks or months before the election there would potentially be time to think about fixes or using other types of e-vote machines,” he said, “a release 4 days before the election when election machines are already in the field and election officials are in final preparations for the big day feels less like a good faith attempt to help … secure election infrastructure.”

Broadly speaking, a noticeable trend has manifested itself in the cybersecurity industry writ large in which firms are increasingly leveraging vulnerability disclosure and threat intelligence reports as marketing material, insiders tell CyberScoop. 

Cylance is far from the first — and they likely won’t be the last — cybersecurity company to be criticized for publishing sensitive vulnerability information online. The case at hand is particularly concerning, however, because it substantiates a divisive misinformation campaign that U.S. intelligence officials have since blamed on Russian intelligence services.

“That Cylance blog was a monstrosity, I can’t think of how it is responsible to be re-tooting this old horn,” said John Sebes, a former computer security consultant and the now CTO of the TrustTheVote Project. 

Since being founded in 2012, Cylance has raised more than $170 million from a group of prominent venture capital firms. The highly acclaimed company is known for its application of artificial intelligence, algorithmic science and machine learning technologies in security products. 

“There is no way that a disclosure like this, with this timing, could ever be viewed as responsible by anyone who understands how voting tech is regulated and operated,” said Sebes, “even if this were a new vulnerability, and even if there were what some would claim is an easy fix, it would still require the vendor, not the election officials, to make the fix, and re-do their testing, then the testing by an accredited test lab, and government certification of the test lab’s finding … I expect that it didn’t occur to the Cylance folks that there might be special rules about voting systems that might make 4 days, or even 4 weeks completely impractical for any [disclosure] benefit.”