Cracking Democracy – Hacking Electronic Voting Machines
I was born in 1984. I would expect, if I entered a typical office workplace that year, to find various filing cabinets, stacks of paper letters, memos and invoices, and typewriters. Even the state-of-the-art electronic typewriters of that day, such as the ones manufactured by Smith Corona with monochromatic CRT monitors, were designed to print to paper. Maybe the office had a budget for an expensive fax machine. That as well needed paper.
In 2011, most of the documents that go through a typical office are digital. Every desk has a PC, typically connected to an office LAN or WAN. A typical worker has many e-mails a day to attend to, on their PC and on their smartphone. Many workplaces still have corporate intranets for further exchange of information. Most workplaces discourage paper printing when it can be avoided. A few sheets of 8.5 by 11 are more costly to the company than several hundred kilobytes of data!
Online versions of popular newspapers and magazines are easy to access, and generally have all kinds of content that gets updated daily, or even hourly. Sales of print publications on the newsstand have been decreasing in recent years.
Hard copy distributions of movies, music and other entertainment formats are sold on optical media, but people are getting digitally distributed entertainment a lot more frequently, either via P2P piracy, or through legal means.
So why have I had to mark an ‘x’ on a paper ballot for all of the municipal, provincial and federal elections I’ve ever voted in? The most recent election I cast a paper ballot in was just over a week ago.
Well, municipalities and nations around the world have used digital technology for casting and counting votes. But, think of the power someone could have if they could rig an election! The possibilities are endless. Tampering with the democratic process has certainly been tried before.
In recent years, Digital Recording Electronic (DRE) devices have been used in many polling stations across the United States. A voter has to physically visit their polling station, as is conventional, but instead of casting a paper ballot, they have to record their vote in a DRE device.
The advantage of that system is that it saves all of the time and effort that’s required when people manually read ballots and tally the votes accordingly. The disadvantage is that those technologies introduce security vulnerabilities that election officials may not be accustomed to.
The Vulnerability Assessment Team (VAT) at Argonne National Laboratory has identified many ways that DREs can be tampered with, through studies that they’ve done.
Manufacturers of DREs used in the United States included Election Systems & Software (ES&S), Diebold Election Systems, Sequoia Voting Systems, and Hart InterCivic. Diebold’s DRE subsidiary was acquired by Premier Election Systems, which was sold to ES&S in 2009. Sequoia was acquired by Dominion Voting in 2010.
The VAT investigated the security of the Diebold TS Electronic Voting Machine in 2011, and the Sequoia AVC Voting Machine in 2009. Both have been used in many American elections.
They found that a man-in-the-middle attack can be carried out easily on both devices. These attacks require no knowledge of any software source code, and no programming skills or advanced understanding of electronic engineering. Small, simple printed circuit boards with inexpensive microprocessors can be inserted in various locations when the machines are tampered with.
The parts VAT used to hack the Diebold TS Electronic Voting Machine were purchased from an electronics retailer for $10.50, or $26.00 if one wants to include an optional RF remote control. The main circuit board of the Diebold DRE can be accessed by picking a simple lock or using a hotel minibar key. The alien electronics can be inserted in the bus between the circuit and the touchscreen via wires. The alien microprocessor can then modify the data going to or from the screen. VAT was able to enter numbers into the Diebold DRE’s program via RF remote, as if a touchscreen user were doing so. They were also able to change the vote a user may be entering, with the screen being briefly blanked out while the alteration is made.
A study conducted by Ariel J. Feldman, J. Alex Halderman and Edward W. Felten at the Center for Information Technology Policy and Department of Computer Science at Princeton University, published on September 13th, 2006, also found software vulnerabilities with that Diebold DRE. Malware can be used in the Diebold BallotStation software the DREs run.
The Sequoia DRE uses a system with physical buttons and electronic panels, instead of a touchscreen connected to a circuit board with firmware and a CPU like the Diebold DRE. The VAT were able to access the panels using a common screwdriver. By inserting a similar homebrewed piece of alien electronics with a microprocessor in the panel wiring, they were able to switch the signal registered by pressing one of the buttons with the signal that would be registered with another button.
The DREs are often stored in churches and public schools before election day. Physical security is minimal in those types of locations. The VAT also identified possible lax physical security during transport of the machines. They found it possible to physically tamper with the two models of DRE devices without any external evidence.
The VAT have published a paper with their suggestions for security with electronic voting.
DREs often aren’t properly inspected for tampering. Seals on the exterior of the DREs have been ineffective in detecting tampering because elections officials often don’t receive the training needed to know what to look for. The VAT also believes that seals can be spoofed by amateurs.
The possibility of insider threats is another vulnerability. The VAT recommends that elections workers who work with the machines and vote counting receive criminal background and reference checks. They also recommend that those workers take oaths and are reminded of the criminal penalties of election tampering.
Election workers who inspect seals on DREs should receive at least ten minutes of training per seal type used. The number of officials authorized to order the seals should be kept to a minimum, and seal manufacturers should verify the authority of the ordering parties and report all unsuccessful ordering attempts to the officials of the pertinent election district.
Locks on machines should use unique keys for each of them. The locks should be inspected each time they’re used legitimately. The VAT also recommends that the DREs are escorted while in transport.
Another way elections have been conducted electronically is with online voting.
Online voting was introduced to the city of Markham, Ontario, Canada in 2003. Toronto consumer research firm Delvinia has studied voter participation in online voting in Markham’s 2003, 2006 and 2010 municipal elections. According to Delvinia CEO Adam Froman, 80 percent of Canadians would choose to vote online in a future election. Delvinia’s report suggests that online voting increases voter turnout. Canadian voter turnout has decreased in recent years, at all three levels of government. Only 49.2% of eligible electors voted in the most recent Ontario election on October 6th, 2011. The previous Ontario election in 2007 had a 52.8% turnout.
Computer scientist J. Alex Halderman, cited in the Princeton University study on the Diebold TS Electronic Voting Machine, testified that crackers from Iran and China attempted to break into an online voting system to be used by military and overseas voters in the November 2010 mid-term elections. He testified to the D.C. City Council on October 8th, 2010.
Halderman’s own team did a penetration test of that voting system. The password for the pilot system was a four-letter default password that could be found in an owner’s manual. The default was left unchanged. Halderman’s team easily obtained access to two security cameras in the data centre because the cameras were on the same network with no password protection or any other means of authentication. Halderman could then watch the network operators configuring and testing the equipment via his desktop PC at the University of Michigan.
Halderman’s team then found the intrusions by crackers from Iran and China. Halderman’s pen testers blocked the foreign access attempts, added rules to the network’s firewall, and changed the master password to one which is more secure.
The team also found that election administrators tested the system using files of different sizes than the PDF ballots the system was designed to register. Those test files remained on the server, despite lacking the digital signature of a legitimate PDF ballot. One of those test PDFs was a 937-page document of the 937 invitation letters that were sent by the D.C. Board of Ethics and Elections to voters, each letter containing a voter’s name, voter ID number, and unique 16-character PIN required to vote in the system.
Halderman testified that he believes this critical security lapse was evidence of incompetence of the system’s network administrators. Critics of online voting are concerned that elections officials are often untrained in computer science or IT security.
Lawrence Livermore National Laboratories computer scientist Dr. David Jefferson also found vulnerabilities in the D.C. Board of Ethics and Elections online voting system.
Jefferson tested the system by casting a vote using D.C.’s test-bed. He saved his PDF ballot as a file on his hard disc and then sent the completed ballot to the election server, according to directions given to voters. He then opened the file on his computer and found that it was blank, without the vote he recorded.
Jefferson found that the only way to retain the user entered form data in the PDFs was to use Adobe Reader, not web browser PDF plug-ins or other PDF clients. The directions didn’t specify to use Adobe Reader. Hundreds of blank ballots could have been submitted into the online system that way.
Online voting systems are subject to a multitude of security vulnerabilities. Jeremy Epstein, a computer security expert who works with Verified Voting said during Halderman’s testimony, “What we found in forty years of experience is you can penetrate and patch, and then you penetrate again and you patch again, and you penetrate again and you patch again and you penetrate again and you patch again and it never ends. If it ended, Microsoft would have succeeded. We wouldn’t all be having to reboot our computer and install patches once a month for the past ten years. This is not something that we can just say ‘Please, BoEE, fix the problems and then we can do it.’ This isn’t a solvable problem that way.”
Halderman said to D.C. City Council, “I’d like to stress that attacks like this are a common Internet phenomenon and I do not believe that these attackers were specifically targeting the D.C. voting system. But this is a large part of why Internet voting is so dangerous. The servers are going to face attacks from powerful adversaries anywhere in the world. All of the specific vulnerabilities that we exploited to do this are relatively simple problems and easy to fix, but it would be vastly more difficult to make Internet voting secure. Web security generally tends to be brittle. That is, one small mistake can completely compromise the security of the system. This is part of why even the Pentagon and Google can’t keep their networks secure. So unlike applications like online banking, where, an Internet voting system just can’t keep accounting records of how every single voter voted, because we have a secret ballot.”
There is plenty of incentive to rig elections at each level of every democratic nation in the world. The elections systems used in most of the developed world were designed for traditional paper ballots. But electronic voting devices eliminate the manpower and expense of manually counting paper ballots. Online voting makes life easier for electors, and may increase voter turnout. Diminishing voter turnout is a growing problem in Canada and the United States. Low voter turnout harms democracy, with fewer people having a say in which officials represent our interests in public office.
But, as I’ve noted, security vulnerabilities have been found in electronic voting systems that have already been used. In addition, elections officials often have little if any training in IT security. Like the digitization of our other everyday communications in the 21st century, paper ballots will inevitably be totally obsolete in the near future. It’s crucial that election districts around the world test their systems with experienced pen testers, and train their officials for 21st century realities.
- Diebold voting machines can be hacked by remote control
- Suggestions For Better Election Security Argonne National Laboratory: http://www.ne.anl.gov/capabilities/vat/pdfs/Election%20Security%20Suggestions.pdf
- Election Security Argonne National Laboratory: http://www.ne.anl.gov/capabilities/vat/election-security/
- Election Systems & Software: http://www.essvote.com/HTML/home.html
- Hart InterCivic: http://www.hartic.com/
- Dominion Voting: http://www.dominionvoting.com
- Security Analysis of the Diebold AccuVote-TS Voting Machine: https://jhalderm.com/pub/papers/ts-evt07-init.pdf
- Online voting increases voter turnout: study
- eDemocracy and Citizen Engagement: The Delvinia Report on Internet Voting in the Town of Markham
- Voter turnout calls for changes, The Journal, Queen’s University
- Iranian, Chinese Computers Also Discovered to Have Been Hacking D.C. Internet Voting System
- J. Alex Halderman Testimony to D.C. City Council on Internet Voting Hack, 10/08/10