It could be one of the most disturbing e-voting machine hacks to date.
Voting machines used by as many as a quarter of American voters heading to the polls in 2012 can be hacked with just $10.50 in parts and an 8th grade science education, according to computer science and security experts at the Vulnerability Assessment Team at Argonne National Laboratory in Illinois. The experts say the newly developed hack could change voting results while leaving absolutely no trace of the manipulation behind.
“We believe these man-in-the-middle attacks are potentially possible on a wide variety of electronic voting machines,” said Roger Johnston, leader of the assessment team “We think we can do similar things on pretty much every electronic voting machine.” […]
Almost all voters in states like Georgia, Maryland, Utah and Nevada, and the majority of voters in New Jersey, Pennsylvania, Indiana and Texas, will vote on DREs on Election Day in 2012, says Flaherty. Voters in major municipalities such as Houston, Atlanta, Chicago and Pittsburgh will also line up in next year’s election to use DREs of the type hacked by the Argonne National Lab. […]
“This is a fundamentally very powerful attack and we believe that voting officials should become aware of this and stop focusing strictly on cyber [attacks],” says Vulnerability Assessment Team member John Warner. “There’s a very large physical protection component of the voting machine that needs to be addressed.”
The team’s video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a “bad guy” virtually complete control over the machine. A cheap remote control unit can enable access to the voting machine from up to half a mile away. […]
This type of attack is particularly troubling because the manipulation would occur after the voter has approved as “correct” the on-screen summaries of his or her intended selections. Team leader Johnson says that while such an attack could be mounted on Election Day, there would be “a high probability of being detected.” But he explained that the machines could also be tampered with during so-called voting machine “sleepovers” when e-voting systems are kept by poll workers at their houses, often days and weeks prior to the election or at other times when the systems are unguarded.
Johnston said the machine is “incredibly easy to tamper with” because all the crucial electronic components are accessible and can be easily modified. The Accuvote TS’ enclosure isn’t tamper resistant so hjackers can work on the machine without leaving visible signs, he added.
“All we had to do was find out what the machine was doing in terms of communication,” Johnston said. “We just had to understand the various components and how the data was being sent. We needed to understand what signal had to be sent to fool the machine into thinking the voter had touched the screen at a particular location.”
The experiment shows that e-voting systems are susceptible to more than just cyberattacks, which get the most attention but are harder to pull off as the perpetrators must have some knowledge of the machine’s software, hardware and firmware.
The so-called man-in-the-middle attacks don’t require knowledge of the voting machine’s proprietary software or hardware, Johnston said. “All you need to do is understand the communication between the different parts of the system. Then you just sit there and listen and do whatever mischief you want to.”.
Although it wouldn’t take a nation-state to pull of a successful attack, he said. Someone with limited computer science knowledge and electronic parts costing about $25 could do it, without needing to even solder anything and leaving no trace behind, according to the researchers.
E-voting systems have been plagued by criticism about security issues, so much so that elections officials in various states have abandoned touch-screen systems over security and fraud concerns.
Dominion Voting Systems, which now owns Diebold and Sequoia, did not respond to a phone call and e-mail seeking comment from CNET this afternoon. E-voting system vendors in general have argued that security problems identified are either overly theoretical or have been fixed with hardware and software updates.
Previous demonstrations of e-voting hacks involved cyber attacks where knowledge of the operating system and hardware were required, according to Johnston. However, that was not the case in these demonstrations, he said.
“It would be pretty easy to pull off,” Johnston said. “The bigger concern is that this attack is so straightforward. It suggests that there hasn’t been much thinking about security in these voting systems.”
While it would be relatively easy to make this type of attack more difficult to do by making modifications to the voting machine, stopping the attack cold would require more effort and a “careful examination of the security protocols used,” he said.
- Robert M Roman - Thursday, Sep 29, 11 @ 6:25 am:
This is a bigger problem than most people realize and it’s been all too easy to dismiss it as a concern of the tin-foil hat people. Election stealing is a grand old American tradition, and computerizing the process simply mean that you needn’t have an organized crew of precinct workers behind you to do it. Just one or two people in the right position suffice.
You could still catch it on audit if the paper trail (the printed votes) didn’t end up matching the count the machine provided. But that is a big if and most of the machines are not audited.
So what can you do…
encourage the use of the paper ballot option (little black circles) if that is an option, it is easier to audit.
You could do a machine inspection before they are sent out (including opening) with party representatives who know what to look for ( a finite list) and close the machine up with multiple seals. You could also put some sort of seal on the connectors (where they middle attack connects) so if the connection has be modified it would be noticeable.
Nothing I propose will solve this, just make it harder to do.
this has been known for some time (in fact, almost immediately after most of these machines had been purchased with HAVA help). the DRE machines have *always* been found to be the most insecure — one pentest analysis back in the early 2000s found them to be less secure than the computer found in most homes. when the security of electronic machines was first tested, sequoia was found to be the most secure, but pentests have since been done that have found holes in sequoia machines (i believe sequoia also had ownership issues that many counties in this country would find difficult). iow, no electronic voting machine in this country has passed a penetration tests — and the flaws are widely known. the only security we have with these machines is the human in charge of them (kind of makes you wonder about the prosser miracle, doesn’t it?).
however, voting is such a low priority for those who provide the money to boards of elections that nothing is likely to change. that’s just a fact. we can hoo and ha all we want, but we’re americans and we want our election results fast (immediately) for the lowest possible cost. we have the voting systems that provide quick results for a really low cost; whether or not our votes are vulnerable to alteration is simply not something we care about…
Security for the voting system has always been predicated on securing people and equipment. Just as an alarm system on your house is worthless if you don’t close your window. Equipment should be stored in a sealed room with video cameras.
A paper trail is critical because it puts a huge barrier to committing fraud and enhances the confidence of the public. Post election audits should be always be done to create an even larger disincentive.
all precincts must be located in old bank buildings and put the unit within a lead lined vault. my hackers can beat your hackers! honestly, it all sounds so true and that we are powerless that one can only laugh. there is no election watch dog group around.
As pointed out by others above, this is old news. The computer trade press has carried stories of this type for many years. Security with almost all of the electronic voting systems are poor. The details differ between machines (make and model) but all of the major brands appear to have one or more security issues. The video points to multiple issues in the hardware of the system being tested. There are probably potential problems with the software in the machines micro processor of the machine shown (but not which were not tested for).
==You could still catch it on audit if the paper trail (the printed votes) didn’t end up matching the count the machine provided. But that is a big if and most of the machines are not audited.
The counts are audited every election in the vast majority of districts so this happens already–the problem comes in if the hacker is switching votes instead of adding votes.
The best option are optical scan ballots. The counting machines can still be tampered with, but you have direct voter actions determining the paper trail to check it with. They also have a lower error rate than touch screens.
Part of the issue why local agencies have moved towards the touch screen is HAVA requires ADA compliance and visually impaired individuals are best served by the touch screens. Some minor tinkering and you could fix this issue though.
It seems like an simple fix, weld the device closed and line it with lead or someting to block radio signals. This way it can not be opened up, and even if it was a radio signal would not be able to penetrate/operate within the device.
Of course tin foil hats help block radio signals as well….
I was looking at a brochure from David Orr’s office last Saturday and noticed that they claim to randomly audit a sample of precincts each election by hand. I understood it to mean they checked the paper votes by race against the machine votes and not a simple count total.
The equipment is turned in pretty quickly after the polls close (by a pair of poll workers - one D and one R).
The added gear inserted into the machines ought to be found when the machines are serviced following the election. The video assertion that the added gear could be removed after teh election and leave no trace is dubious - unless all of the poll workers were involved in the conspiracy and there are no non-conspirator pollwatchers at the polling place.
The level and breadth of the conspiracy needed to pull off stealing an election in this fashion is such that it is unlikely to occur - and if it did, it would be enough of a conspiracy to be able to steal an election regardless of the system used.
The optical scan machines do work well, however, a change in law a year ago or so required the machines to kick out the ballots if undervoting occurred, even though a person can legally cast an empty ballot. This now requires the Election Judge to manually override the undervoted ballot so the machine will accept it…a real pain in a busy election. So, electronic machines have become the favored method in voting because it eliminates the need for manually doing anything, since the touch screens will tell you if you’ve undervoted or overvoted, and allow for correction or casting the ballot as is…which can be hacked…
Another great idea from the fertile mind of Al Gore! Seriously, for all of the complaints leveled against punch card ballots that method of voting was cheaper and more efficient than all of the electronic systems. Pat Quinn may be serving as governor because the computers could not be reprogrammed to remove Schillerstrom from the GOP primary ballot after he withdrew as an active candidate. Maybe Dillard would have picked up a few votes from Du Page that were miscast and Brady would not have been nominated.
The same problem exists for challenges to candidates with faulty nominating petitions. If the legal challenges eat up too much time, the election authorities cannot reprogram the computers and can only “suppress the votes.” This means that voters can enter the polling booth and cast votes for candidates who were either disqualified or withdrawn, but their names are still on the machines. In essence, votes end up being wasted on scratched candidates. Under the old system, a printed label or a piece of electrical tape was all that was needed to fix the ballot book.
You don’t need to line them with lead, just some of the special paint that defeat RFI emissions (it was used on the plastic case of the original PC Jr). Similar paints are part of the Stealth technology; it’s just expensive.
Given the current state of the technology and desire for low cost, multiple seals pre-election and immediate post-election inspections are the way to go.
I’m surprised no one else has asked this yet, but could you provide documented evidence of vote fraud? We always hear about how this is an epidemic, yet never see the actual cases. I’m all for making sure we have secure and valid elections, but rumormongering partisan accusations in no way helps the situation.
Saw Johnston at an IEEE meeting last year where he showed off some of his group’s very creative, but usually quite mundane, hacks on voting machines and other systems. Not surprised by their latest discovery. Are voting system manufacturers required to at least follow the NIST recommendations on voting system security? No system will ever be foolproof, but there needs to be somebody knowledgeable looking over the manufacturers’ shoulders to double-check things to make sure they’re at least putting forth a good faith effort at securing the votes.
Electronic voting machines should be banned, period. Unless there’s a paper trail there’s no way to actually count the votes. The systems that let people darken a circle, then let a machine scan it offers the best of electronic systems, while keeping a physical paper trail.
I have it on good authority that the Cook County Board recently authorized a series of no bid contracts with Radio Shack to purchase universal TV remote controls and miscellaneous electronic components.
@Downstate Illinois - under federal law, each polling place has to have at least one electronic device (for purposes of handicaped accessability in the voting process - the electronic devices have the headphone systems for the blind and the sip & puff systems for the paralyzed)
All the HAVA cash has long been spent. What we’ve got now is what local governments are going to have to live with for a really long time.
And not only that, the costs for all these “electronic marvels” are outlandish.
As it is, with provisional ballots and all the other nonsense, the average election cycle has a minimum potential two week ‘tail’ beyond election day itself.
I’m not near as concerned about the hacking of these machines. First off, you got to get access to the units, and then open up the boxes, and then patch in the components. Sounds simple, but it’s not in most places.
I’m personally much more concerned with somebody using Neodymium Magnets to scramble the brains of a unit on election day (or worse, what if they screw up/MUNGE (Mashed Until No Good) 8-10 units at all different locations).
Can see it now - Homeland Security outlaws Neodymium Magnets as being a National Security issue.
Like most commenters I don’t see what the big deal is. This is why the law also requires a hard copy of the vote, so that it can be double checked and verified the days after the vote, right? If someone “hacked” the system so their candidate would win, it would only take a couple days to realize the fraud, right?
‘Scuse me for a minute while I polish up my tinfoil hat. Ah, yes, fits as tight as I remember.
These machines, and any voting machines that are computerized and that do not involve an actual piece of paper on which a voter physically inscribed their choices, are a massive danger to our democracy and should be forever banned. There are no shortage of examples demonstrating the ability of votes to be hacked on these things. Personally, I would like to see a pure paper ballot system, where the voter marks their choices and then human beings count the results by hand, with representatives of all parties observing the process. Sure, maybe we’d have to wait a few days for results, but that seems a small price to pay.
The head of Diebold sent a fundraising letter in 2004 in which he told Ohio Republicans that he was committed to delivering Ohio’s electoral votes to President Bush. Bush won that state by a squeaker, and we got four more years. Nope, nothing to see here. Right. That should scare the hell out of everyone.
Republicans haven’t seemed to mind these machines much, since any election irregularities caused by these things seem to benefit Republican candidates (Google it). But the message of the corruptability of these machines needs to be shouted out by everyone of all parties, and they need to be sent to the garbage pile. If not, elections won’t reflect how people voted; they’ll reflect who was better that cycle at manipulating the technology.
Equally disturbing is that this hack took place at Argonne Lab, located in DuPage, the same county considered one of the worst places to vote in America according to Black Box Voting.
Prior to the DuPage County Election Commission’s vote of the Diebold TSx touch-screen machines in 2005, citizens showed up in droves to give public statement against the machines. Not a single citizen was in favor of these machines, stating that they were not secure, not accurate, not properly tested, premature and most of all, not transparent. Hundreds of letters were sent from people unable to attend the weekday board meetings. The Election Commission receptionist refused to transfer phone calls from citizens concerned about the Commission’s intentions.
The vote for the Diebold TSx touchscreen passed 3-0. After their vote, the Commission made a statement to the press that our concerns of citizens were based on “rumor and innuendo.”
Dozens of Illinois counties followed DuPage’s lead and also voted for the Diebold touch screen.
Later we learned that the DuPage County Election Commission chairman, Rick Carney, was close friends and crony with the Diebold distributor at that time. This distributor had made campaign contributions to Carney while he was the county recorder, including $9,000 toward Carney’s lavish retirement party held just one year prior to the Diebold vote.