Last week’s disclosure regarding the North Carolina State Board of Elections’ 2018 leak of touchscreen voting machine passwords just got a lot more confusing.
Well-regarded cybersecurity analyst Chris Vickery happened upon the file full of passwords (used by election supervisors to administer the state’s iVotronic voting machines) just before the 2018 election, while doing what he does for a living: rattling the internet’s doorknobs to find digital doors that should be locked, but aren’t, and discreetly reporting those unlocked doors to their owners (who should be, but usually aren’t, grateful for the favor).
In this case, Vickery explained, he found a cloud storage directory (more precisely, an Amazon Web Services S3 ‘bucket’) belonging to the state board of elections, with permissions improperly set to allow anyone on the internet to read or download the sensitive files stored there — including one containing iVotronic administrative passwords.
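The misconfiguration described above (an S3 bucket whose permissions let anyone on the internet list and download its contents) is something a bucket owner can check for in the bucket’s own ACL and bucket policy. The following is an added example, not code from the article or from the state board: it audits ACL and policy documents shaped like the output of `aws s3api get-bucket-acl` and `get-bucket-policy` and flags grants to the AWS “AllUsers” and “AuthenticatedUsers” groups and `Allow` statements whose principal is `*`. The sample ACL and policy are constructed for the example; the owner ID and bucket name are placeholders.

```python
"""Added example (not from the article): flag S3 ACL grants and bucket-policy
statements that expose a bucket to everyone on the internet."""
import json

# Canned group URIs AWS uses in S3 ACLs. AllUsers = anyone, anonymous included;
# AuthenticatedUsers = anyone holding *any* AWS account, which is nearly as bad.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group_uri, permission) pairs that grant access to everyone.

    On a *bucket* ACL, READ lets the holder list the object keys (this is the
    "unlocked door" a scanner notices); on an *object* ACL, READ lets them
    download the object. `acl` has the shape of get-bucket-acl output."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (sid, has_condition) for every Allow statement open to everyone.

    A Condition block may narrow the statement (e.g. to a source VPC), so such
    statements are reported but marked for manual review instead of being
    silently accepted."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


# Constructed sample ACL: the owner's FULL_CONTROL plus a public READ grant.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: one world-readable statement, one scoped to a role.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-role"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")


if __name__ == "__main__":
    for uri, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to {uri}")
    for sid, conditioned in public_policy_statements(SAMPLE_POLICY):
        note = " (has Condition: review scope)" if conditioned else ""
        print(f"Policy statement {sid!r} allows everyone{note}")
```

The check is deliberately conservative: it reports conditioned statements rather than trusting the condition, because a mis-written condition is a common way a policy ends up public in practice. The definitive control is S3 Block Public Access at the account or bucket level, which overrides both ACLs and policies.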
Vickery’s and the state board’s recitations of events both agree that he confidentially reported the problem to the board in a timely fashion (before the 2018 election) and appropriately avoided disclosing it publicly until the board had been given ample time to correct the problem (about a year). But from there, the two parties’ explanations have now diverged widely.
In an email yesterday in response to my previous report on this incident, the state Board of Elections’ public information officer, Pat Gannon, told me:
The information in question includes encrypted iVotronic password data from Guilford County for the 2010 election.
That data, according to State Board IT staff, was not posted to the State Board’s public FTP site until October 22, 2012, nearly two years after the election. Importantly, the 2010 passwords would have been changed before the 2011 municipal primaries and again each subsequent election, so there is no way they could have been used to affect any election, even if decrypted.
Additionally, the passwords in question were unique to Guilford County and could not have been used to access iVotronics in any other county.
We immediately posted the gist of that message on Twitter:
...eliciting this reply from Vickery:
The first of Vickery’s counter-claims (that the password file itself was not encrypted) is easily confirmed from the redacted screenshot he included in his original announcement, the authenticity of which is uncontested by the state board:
What’s It Got In Its Pocketses?
The second of Vickery’s points — that the passwords themselves were not encrypted — is more difficult to confirm (because he redacted the passwords in conformance with the ethical standards of his profession). But in a conversation with me yesterday he explained:
The redacted rectangles in my screenshot are longer than necessary, to prevent bad actors from attempting to guess at them. Any hashing algorithm that would have been feasibly used would have resulted in strings of, at bare minimum, at least 16 characters and more than likely 32(+) characters. Any "encryption" that results in such short password representations [as the redacted ones] is not worth the time to implement or even develop.
If [...] the relatively short passwords are the result of something like 1-to-1 character substitution (a Caesar Cipher type of thing), then it would be the weakest "encryption" ever and not worth implementing.
Vickery is correct on all points here. Secure hashing algorithms like those routinely used to safely store passwords on internet-connected computers produce nonsense strings of characters much longer than the screenshot’s redactions could possibly conceal. For example, if one were to hash the famed Podesta Password (P@ssw0rd) using the popular and secure SHA3-256 algorithm, the result would be:
ac2d49c943655bc424a5686638db2952f3ebe3248f4381503d84ad942a4bc546
Even the outdated and insecure MD5 algorithm would likewise yield a string that is still far too long to fit within those redaction boxes:
b46f685f85e0af830d82ddbbe795eff3
To be fair, there are encryption algorithms, such as the laughable ROT13, which would yield suitably short strings:
C@ffj0eq
but these have been recognized for hundreds of years now to be hopelessly insecure, requiring no more than a pencil, a minute, and the diligence of an average eighth-grader to crack.
[NB: I apologize to more technically-oriented readers for mixing together “hashing” and “encryption” (two formally distinct things) in the same context. But for our purposes here that’s largely a distinction without a difference.]
In other words, Vickery appears to be correct in asserting that the very short redacted passwords either are not “encrypted,” or else are so poorly encrypted as to be no more secure than plaintext (unencrypted text) would be. As he assured me:
[The passwords] are "random", yes. But "encrypted", not likely whatsoever.
Which, anyway, stands to reason. A little old lady Guilford County poll worker isn’t likely to whip out her laptop to decrypt the passwords she needs during the 17 days of early voting to open and close the polls each day.
Long story short: it seems likely that state board spokesperson Gannon either misunderstood or was misinformed by his in-house IT source regarding the passwords’ encryption.
Who, what, and...when?
As mentioned above, Board spokesperson Gannon asserts that the accidentally revealed file was posted in 2012 (“according to State Board IT staff”). But Vickery’s tweet informs us that the zip file in the open AWS S3 bucket was dated 2016. At first blush it would seem that this disparity hardly matters if these were indeed 2010 passwords expiring that year. But facts do matter, particularly in this era when ‘truth’ is so frequently so well lubricated that it becomes a slippery thing indeed. Only one of these two dates can be a truth. If the reputed 2012 date is in doubt, that leaves the claimed 2010 date of the passwords’ validity (plus pretty much everything else the state asserts in this matter) open to question too. The first rule of good crisis management is to get the facts out, and get them right, in order to defend the organization’s credibility.
I’m personally inclined to believe Vickery’s version of these events, if only because he really doesn’t have a dog in this fight. He has long since made his name and established his credibility in the cybersecurity field frying much, much bigger fish than this small fry, with past finds like his discovery of a leaked Thomson Reuters database of suspected terrorists’ identities, leaked user data from an HIV-positive dating app, a leaked database of personal information regarding 93 million Mexican citizens, and leaks of comprehensive TSA security plans and screening protocols for New York’s Stewart International airport. Vickery was doing the state board and the citizens of North Carolina a favor when he confidentially reported this latest security flaw back in 2018. In return he (and I, apparently) has now been rewarded by being accused, in the state board’s email to me yesterday, of indulging in:
Erroneous, misleading and politically charged attacks on the State Board and its employees.
The Bigger Questions
We also don’t know what other (and perhaps even more sensitive) information was publicly exposed in this incident. Nor do we know for how long the digital door was left unlocked. Days? Months? Years? As of publication time Gannon did not respond to my invitation to discuss these and other questions.
But perhaps the most important unanswered question of all is how America’s electoral cybersecurity watchdog, the Department of Homeland Security, managed to miss this. DHS provides state governments (including North Carolina’s) with election cybersecurity assessments. It’s not unreasonable to feel that this affair doesn’t say much for the depth, breadth, and quality of those assessments. The internet is awash with tools to search for unguarded data stores, like shodan.io, which are widely used by white-hat good guys like Vickery and black-hat bad guys alike...but, apparently, not by DHS.
Hopefully, the silver lining to this incident’s dark cloud will prove to be the shaming of DHS into upping its game (which is my personal interest in reporting this story). Because if DHS isn’t at least as good as Vickery at finding the chinks in our electoral armor, it sure as hell isn’t as good as Russia’s GRU.
Perhaps DHS and the state Board of Elections might even consider enlisting Vickery’s help, rather than vilifying his efforts.
EQV Analytics is a campaign data analytics firm with a North Carolina focus, helping progressive Democratic candidates and causes turn North Carolina blue.