Ballot Box Stuffing.  ESS Systems & Software.
Stuffing the ballot box.


The year 2020 is special for two reasons. First, it is a leap year. And second, along with being a leap year, it is an election year in the United States. Elections are always hotly contested in the U.S., with this year not being an exception. In fact, given the outside efforts at influencing the 2016 elections through social media, we can reasonably expect an even more sophisticated effort through electronic ballot box tampering by foreign governments, also known as state actors, via their proxies. 

The leading manufacturer of electronic voting machines and supporting management software in the US, with more than a 50 percent market share, is a privately held company, Electronic Systems & Software (ESS). Per their web site, ESS boldly proclaims, and I quote: “Our voting machines, management systems and services enable secure and accurate elections.” 

With such a claim, and such a crucial function – honest elections – we think it appropriate to take a very close look at the cyber security of ESS’s public-facing Internet infrastructure, starting with their web site, and review their claim that they are offering security for their voting machine infrastructure. 

https://www.essvote.com/

Of particular note in their web site is that they have a customer login. This requires extra cyber vigilance so as to prevent credential harvesting from Man-In-The-Middle (MITM) attacks. 

For implementing HTTP Headers, the essvote.com site gets a solid “B”. The following HTTP Headers are missing, and with them, the anti-hacking protection they provide.

· Content-Security-Policy
· Feature-Policy

On the surface, one might think this is a good grade. But one of the missing HTTP Headers, Content-Security-Policy, is absolutely essential in blocking cross-site scripting (XSS) attacks. Net result – the site is vulnerable to cross-site scripting attacks for its login and its search function. The lack of the HTTP Header Feature-Policy leaves the site vulnerable to potential compromise via any APIs being used, as well as other web site program features.

The site is using Cloudflare for Content Distribution. However, they are either not using a Web Application Firewall (WAF), or it is misconfigured. We suspect the absence of a well-configured WAF because the HTTP Header problems noted above are visible, as is the exact web server software being used. These can be fixed at the web server software level, or the information about them blocked by a properly configured WAF. Without a properly configured WAF, even a web browser can be turned into a weapon to attack the essvote.com HTTP Header security holes. 

(For a complete explanation of Web Application Firewalls (WAFs), please see my LinkedIn article, And the Walls Came Tumbling Down.  Web Application Firewalls, published on September 3, 2019.)  

Also, we disagree with their exposure of their web server information. Even though the web server probe publicly states “Cloudflare”, we prefer to provide “Unknown”. 

At Quantalytics, we believe that to successfully defend against hackers, the first step is that one must deny them any information at all that might make their efforts easier and less likely to be caught.

A review of our domain (www.quantalytics.com) will show that the Web Server is “Unknown” and that all the above HTTP Headers are locked down. Quantalytics has no exposure as a result. At Quantalytics, we call this level of configuration and protection “Quantalytics Diamond-Hard?” – and expect nothing less from ESS and its essvote.com site.

(For a complete explanation of HTTP Headers, please see my LinkedIn article, "Resistance is Futile." - The Borg. HTTP Headers, published on September 10, 2019.)

The essvote.com site is using WordPress for its Content Management System (CMS). As part of our scanning of ESS’s public-facing Internet infrastructure, we took a close look at the WordPress setup. To ESS’s credit, they are using the latest available WordPress version as of the publication of this article. However, they are running an obsolete plugin, wordpress-seo version 12.8. The latest version, as of the publication date of this article, is 12.8.1. 

ESS uses Flywheel (https://getflywheel.com/) to manage their WordPress web site. Flywheel has failed to keep plugins updated. Our scan shows that the wordpress-seo plugin is out-of-date, as noted above. We recommend that ESS review its relationship with Flywheel, nudge Flywheel to update plugins promptly, and, crucially, start monitoring Flywheel’s site management. 

We took a deeper look at this Flywheel hosting arrangement. The actual URL is 2l9u8tyqi4-flywheel.netdna-ssl.com. A review of this URL, to which essvote.com points, shows multiple problems. With respect to HTTP Headers, it is missing Content-Security-Policy and Feature-Policy. It is accepting http connections on Port 80, and does not automatically redirect to https (Port 443). And it reveals the hosting server: Flywheel version 5.0 and NetDNA-cache version 2.2. 
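The header review above (missing Content-Security-Policy and Feature-Policy, a disclosed Server value, and a port 80 response that is not redirected to HTTPS) expressed as a check a defender can run over captured response headers. This is an added example, not code from the article or from ESS, Quantalytics or Flywheel; the header sets are constructed samples, and the check also accepts Permissions-Policy, the later name for Feature-Policy.

```python
# Audit captured HTTP response headers for the gaps the article describes:
# missing Content-Security-Policy / Feature-Policy, a disclosed Server header,
# and a plain-HTTP (port 80) response that does not redirect to HTTPS.
# Added example, not ESS or Quantalytics code; header sets are constructed.

# Header names are compared case-insensitively, as HTTP requires. '|' lists
# alternatives: Feature-Policy was later renamed Permissions-Policy.
REQUIRED_HEADERS = {
    "content-security-policy": "restricts script sources; primary XSS mitigation",
    "feature-policy|permissions-policy": "limits browser features a page may use",
    "strict-transport-security": "pins the browser to HTTPS on later visits",
    "x-content-type-options": "stops MIME sniffing",
    "x-frame-options": "blocks clickjacking via framing",
}

def audit_headers(status: int, headers: dict, scheme: str = "https") -> list:
    """Return a list of findings for one response; an empty list means clean."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for names, why in REQUIRED_HEADERS.items():
        if not any(n in present for n in names.split("|")):
            findings.append(f"missing {names.split('|')[0]}: {why}")
    # Server / X-Powered-By values other than 'Unknown' disclose the stack.
    for leak in ("server", "x-powered-by"):
        value = present.get(leak, "")
        if value and value.strip().lower() != "unknown":
            findings.append(f"{leak} discloses '{value}'")
    # A request over plain HTTP should be answered with a redirect to https://.
    if scheme == "http":
        location = present.get("location", "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("http request served without redirect to https")
    return findings

# Constructed sample of the 'B'-grade response the article describes.
WEAK = {"Server": "cloudflare", "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000"}
# Constructed hardened response with the gaps closed.
HARD = {"Server": "Unknown", "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Permissions-Policy": "camera=(), geolocation=(), microphone=()"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARD)):
        print(label, audit_headers(200, hdrs) or ["clean"])
    print("port 80", audit_headers(200, WEAK, scheme="http"))
```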

Looking even deeper at this underlying WordPress site, we found that in addition to the out-of-date wordpress-seo plugin, the site is also running an out-of-date tag-groups plugin and even more seriously, an out-of-date, fully vulnerable plugin, Ultimate_VC_Addons. The version being run as of the date of this article’s publication is fully vulnerable to Authenticated XSS, CSRF, and RCE attacks. For those interested in the details of these vulnerabilities and how to exploit them: 

https://wpvulndb.com/vulnerabilities/8821

https://wphutte.com/ultimate-addons-for-visual-composer-v3-16-10-xss-csrf-rce/

https://codecanyon.net/item/ultimate-addons-for-visual-composer/6892199

Given how ESS has failed to fully secure their web server through correct and full implementation of HTTP Headers and a Web Application Firewall, plus failed to keep WordPress plugins, including one with published security vulnerabilities, up-to-date, we decided to dig deeper and look at their DNSSec (DNS Security). DNSSec is used for preventing Man-In-The-Middle (MITM) attacks. These are especially worrisome. ESS has an explicit promise of full cyber security, which is absolutely essential given the site’s purpose, sponsorship, and user base.  

The following is a partial map of the DNS Levels of Trust for essvote.com. It shows the end of the DNS Levels of Trust chain.

Partial DNS Trust Map - bottom

The diagram shows, in the middle, how the domain essvote.com feeds NSEC3 into the DNS records (the DNS delegation from com to essvote.com). This step is insecure.

DNS Delegation: COM to ESSVOTE.COM. INSECURE.

The following are the details, including the DNS A record, making the site potentially vulnerable to a Man-In-The-Middle (MITM) attack. This is especially worrisome because the essvote.com site has a login and a search function. So a Man-In-The-Middle attack, if successful, would mean that login credentials are being harvested.

DNS A record.
DNS AAAA record. INSECURE.
DNS NS record. INSECURE.
DNS SOA record. INSECURE.
DNS MX record. INSECURE.
DNS SPF TXT record. INSECURE.

All of these DNS records are insecure, and lead to the unsurprising conclusion that DNS is completely insecure. This includes the MX and SPF TXT records, making e-mail, in addition to the website, potentially hackable.
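The "INSECURE" verdict on the com to essvote.com delegation above comes down to one structural question: does the parent publish a DS record for the child, and if not, does it prove the absence with a signed NSEC/NSEC3? The following added example, not code from the article or from ESS or Quantalytics, classifies a delegation as secure, insecure or bogus from captured `dig +dnssec` output. The responses are constructed samples with placeholder digests and signatures; signature validity itself is left to a validating resolver.

```python
# Classify a DNSSEC delegation as the article's trust map does (SECURE /
# INSECURE / BOGUS) from captured 'dig +dnssec' output.  Added example, not ESS
# or Quantalytics code; responses are constructed, with placeholder digests and
# signatures.  Chain structure only: crypto validation is the resolver's job.
from collections import namedtuple

Record = namedtuple("Record", "name type rdata")

def parse_records(dig_output: str) -> list:
    """Extract (name, type, rdata) from dig output; ';' comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)              # name ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN":
            records.append(Record(fields[0], fields[3], fields[4]))
    return records

def classify_delegation(parent_ds_response: str, child_response: str) -> str:
    """parent_ds_response: 'dig +dnssec <zone> DS' answered by the parent (e.g. com).
    child_response: any '+dnssec' query answered by the child zone itself."""
    parent = parse_records(parent_ds_response)
    child = parse_records(child_response)
    has_ds = any(r.type == "DS" for r in parent)
    signed_denial = (any(r.type in ("NSEC", "NSEC3") for r in parent) and
                     any(r.type == "RRSIG" and r.rdata.split()[0] in ("NSEC", "NSEC3")
                         for r in parent))
    if not has_ds:
        # Signed NSEC/NSEC3 proving 'no DS' == child provably unsigned (INSECURE).
        # Without that proof the capture cannot tell unsigned from forged.
        return "insecure" if signed_denial else "indeterminate"
    # DS published: the child's answers must carry RRSIGs or the chain is broken.
    return "secure" if any(r.type == "RRSIG" for r in child) else "bogus"

# Constructed samples; hashes and signatures are placeholders.
PARENT_NO_DS = """;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
H1H1H1.com. 86400 IN NSEC3 1 1 0 - H2H2H2 NS SOA RRSIG DNSKEY NSEC3PARAM
H1H1H1.com. 86400 IN RRSIG NSEC3 8 2 86400 20200301000000 20200201000000 11111 com. SIGPLACEHOLDER"""
PARENT_WITH_DS = """;; ANSWER SECTION:
example.com. 86400 IN DS 22222 8 2 DIGESTPLACEHOLDER
example.com. 86400 IN RRSIG DS 8 2 86400 20200301000000 20200201000000 11111 com. SIGPLACEHOLDER"""
CHILD_UNSIGNED = ";; ANSWER SECTION:\nwww.example.com. 300 IN A 192.0.2.10"
CHILD_SIGNED = CHILD_UNSIGNED + "\nwww.example.com. 300 IN RRSIG A 8 3 300 20200301000000 20200201000000 33333 example.com. SIGPLACEHOLDER"

if __name__ == "__main__":
    print(classify_delegation(PARENT_NO_DS, CHILD_UNSIGNED))   # insecure
```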

However, there is a more serious potential hacking risk associated with the above DNSSec vulnerabilities. ESS doubtlessly uses VPN connections to help secure its voting machine management and tabulation software. If ESS uses typical practices, the IP addresses for the VPN connections are not hard coded. Instead, they use URLs. Typically, these URLs would be subdomains of essvote.com. This would be the most cost effective approach, and given the admission by the President and CEO of ESS, Mr. Tom Burt, in a Today Show interview that their profit margins are “thin”, taking the most economical approach is virtually guaranteed. 

This means that every subdomain URL used for VPN connections is potentially hackable via a Man-In-The-Middle (MITM) attack if their DNS is compromised, which, given the lack of DNSSec, is doable. 

In our view at Quantalytics, ESS’s claim, per their home page, that “Our voting machines, management systems and services enable secure and accurate elections.” and Mr. Tom Burt’s Today Show interview statement that “We protect democracy.” are both laughable and fraudulent. Especially if a state actor decides to take action and hack them. 

This entire report is based on the publicly facing Web infrastructure for essvote.com and its underlying host site. No laws were broken in examining the public-facing Web and Internet settings for essvote.com and its underlying host site. Anyone with sufficient skills, and using publicly available tools, can replicate these findings. 

At Quantalytics, we have a saying we recommend for, among others, ESS: Trust nothing. Verify everything. This is how we create “Quantalytics Diamond-Hard?” network security for our network security appliances, and for our clients.

Arthur Carp | Quantalytics, Inc. | [email protected] | @quantalytics


Haris H.

opinions are mine

4 years

I believe John Oliver nailed it. https://youtu.be/svEuG_ekNT0

