VotersUnite.Org is NOT! associated with votersunite.com

AVS Sidesteps Wireless Security Issues
Posted on Thursday, February 19 @ 15:35:00 EST by mhamrick


Electronic voting machine manufacturer Advanced Voting Solutions has published a press release touting users' positive experiences with its electronic voting system (see Wireless Use in Presidential Primary Draws Positive Reviews). The press release reads like a news story and is filled with only positive remarks by voters and elections officials who used AVS' products. However, the Cryptonomicon.Net editorial board had a few concerns with some of the statements near the end of the press release:

The WINvote, made by Advanced Voting Solutions, is the first voting technology to use secure wireless technology, known as WiFi.

and

Responding to questions about the security of wireless technology, Mr. Finney of AVS stated, "Our wireless technology has multiple layers of encryption and other proprietary security protections. Importantly, the wireless network is not used to transmit votes, has a limited range of a few hundred feet and is only used for a few minutes at a time."

With respect to the "secure" wireless technology known as "WiFi," it is entirely possible to deploy a reasonably secure wireless network with 802.11b, but not all WiFi networks are secure. Some, if not most, are woefully insecure. Many weaknesses were discovered in Wired Equivalent Privacy (WEP), the standard security technology deployed with WiFi. Vendors have been working on enhancing the security of wireless networks, and we are just now beginning to see the fruits of their labors. Solutions based on WPA (WiFi Protected Access) are currently shipping, and 802.11i is just around the corner. Both of these protocols will enhance cross-vendor support for wireless security. (See WiFi Security Checklist and the slightly older Overview of 802.11 security problems.)

But to say that WiFi is secure is a bit of a leap.

The next paragraph discusses AVS' use of "proprietary security protections." Time and time again, the market has discovered that proprietary security solutions are frequently inadequate. It is considered a "best common practice" to use security protections that have undergone third-party or open scrutiny. We tried to find information about such a review on AVS' web site, but were unable to do so.

The problems with proprietary solutions are somewhat subtle. It seems a prudent precaution to not tell potential hackers what security measures you've put in place. But the primary problem with proprietary security systems is that as a system designer, one must foresee all possible situations in which a product or technology would be used, and how that affects system integrity. An attacker, on the other hand, must only find a single vulnerability to prove your system insecure.

Peer and third-party review of open systems is considered the best practice when developing security components. The idea is to present your plans to your peers, who role-play being attackers. If the only attacks your peers can find are ones whose risks can be mitigated by physical or procedural security measures, then you may have adequate protection.

But this is still not a guarantee that a system which is secure today will remain secure in the future. Modern security development practice calls for security features that can be easily replaced should they be found to be vulnerable. Whit Diffie, the inventor of public key cryptography, explains this eloquently in his online essay, Decrypting the Secrets to Strong Security. (See Whit Diffie Delivers talk at Open Source Conference.)

We are pleased to hear that vote data is not transmitted across what could be an insecure network, but without more knowledge of the system it is hard to say that the AVS solution includes adequate protections for even the "non-sensitive" information that is used to configure and track the voting machines. We couldn't help but wonder, if the system designers used any form of security in their wireless protocols, doesn't that mean they believed there was some risk to allowing the information to be transmitted unprotected?

As a closing note, we wish to stress that we have no proof that AVS' systems are insecure. It is certainly possible that their products may possess superior security. The problem is we have no way of knowing. As far as we could tell, there are no indications that AVS products have undergone any third-party review. We are also concerned with the use of "secure" and "WiFi" in the same sentence in their press release. We hope they are familiar with the security problems inherent in using WEP networks and have integrated enhanced security features into their products. If they have, we wish they would issue a second press release to indicate which post-WEP technologies they are using. If they are using advanced security technologies, we would be more than happy to help them write their next press release.


