California e-voting machines have more holes than Swiss cheese

Hackers hired to evaluate the security of e-voting machines used in California found serious flaws that could allow for vote tampering in all three systems studied. The defects included the ability to overwrite firmware, install malicious applications, forge voter cards and gain access to the inside of voting machines by …

COMMENTS

This topic is closed for new posts.
  1. Iamfanboy

    An "undisclosed account"?

    Does anyone else find this particular part ESPECIALLY worrying?

    "Testers found an undisclosed account in the Hart software that an attacker could exploit to gain unauthorized access to the election management database."

    Does this mean what I think it does? That Hart INCLUDED a hidden account that just allows anyone outright access to a database, hopefully without any kind of accountability? What kind of things could a person do once they had access to this database?

    And WHY was it included in the first place? It had to have been intentional and planned. What uses were they planning for this?

    I do not like the idea of e-voting. It's practically designed for fraud and unaccountability, and to have something like an extra account that just la-dee-da lets someone, ANYONE, straight access to a database... could they tamper with the database? Change, say, a thousand votes for the Republicans and fifty thousand for the Democrats into fifty thousand for the Reps and one thousand for the Dems?

  2. Anonymous Coward

    This is not surprising

    This is not surprising. Back during the Jones administration an employee of the Sec. of State's office was challenged by the then manager of the IT project management section to try and penetrate the firewalled security system that surrounds the election database. When he was successful he was promptly fired. He exercised his return rights and ended up leaving state service. Nothing has changed.

  3. Anonymous Coward

    Press Release

    100:1 odds Election Systems & Software publishes a press release in the next 45 days stating none of its systems were found vulnerable in the test.

    10000:1 the press release won't say anything about their products not being in the test.

  4. Anonymous Coward

    Election Officials Needed

    "Unfortunately, since no one on the testing team had experience in security procedures and protocols used in California, your team was deprived of having someone with hands-on experience running an election."

    Yes! Better yet, bring in election officials from Florida and Ohio -- the real experts -- and let them have a go at tampering with these machines.

    Seriously though, the complaints of the manufacturer(s) show they aren't conscious of the critical nature of these systems. Making these devices secure from tampering only under purportedly controlled, special conditions isn't acceptable. They should be secure from tampering while being transported to or from polling places for instance. Any potential connection with other digital devices needs to be tightly restricted -- physically and through strong, secure digital protocols. Wireless technologies should not be included in any of these -- no matter how convenient it may seem. Furthermore, exploitable software configuration defects such as the unadvertised accounts are simply not acceptable. Such defects represent easy-to-use mechanisms by which culprits could quietly impact election results.

    After all, without violating rules, how can officials know a voter isn't tampering with the device? Video cameras (violates the rules I think)? Metal detectors? Are polling places going to be the next airports of our increasingly-security conscious times? Or are we simply going to set a very high standard for polling devices?

    What we have here is an attitude problem -- an attitude held by the manufacturers that we must accept whatever defecation the manufacturer leaves on our government's doorstep.

  5. Brett Brennan

    An election without gerrymandering is like a California day without Sunshine

    Paper ballots, punch cards, mechanical voting machines and now electronic voting machines. Every one of these has been subverted, and will continue to be so long as Humans attempt to hold secret elections.

    There is NO secure way to conduct elections. There is always the possibility that someone or something will skew the results. The best we can hope for is an election where the errors and crimes are on such a small scale that the totality of the election remains unchanged, and that the perpetrators can be caught and possibly punished in the end.

    America has a long history of election fraud: terms like "ballot-box-stuffing" and "registering the graveyards" herald back to an earlier time of voter intimidation, corruption of election watchers and giving free booze to voters to insure an outcome. Why should the addition of computers make it any different?

    We should look at the positive side of this: new terms for history like "vote hacking", "back-door balloting" and "rootkit registration" could become the parlance of future generations of political journalists.

    Kidding aside, if you want someone to build a secure voting machine, there are plenty of companies that specialize in making secure machines that are designed to work when surrounded by thieves. They're called gambling machines - slots, video poker, keno - all designed to be effectively hack-proof, or at least so difficult to get into that someone will notice.

    If the states and national government were serious, they'd drop the bidding process cold and just go hire Bally's or IGT and have them revamp a keno or poker machine for voting. It would beat the hell out of the situation they had in California...

  6. Anonymous Coward

    Ha!

    These guys are classic...

    "This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation's democracy that our customers - and all election officials - carry out every day in their very important jobs of conducting elections in California and throughout the United States."

    Well, in case you have been in a cave for the last 10 years, this level of know-how, determination, and skill is not that unusual. It is just insulting for companies involved in the US voting process ONLY TO MAKE MONEY should try and pull some b.s. about the supposed democracy we live in. These devices MUST BE airtight and as secure as possible since they are what decide the politicians in this country. There are enough doubts about our corporate, er...I mean, democratic states and the people we 'vote' into office. I wonder if the hope is that there is so much disgust that citizens quit voting. It is ideal to have only 10% turn out and have all of them be your friends if you are running for a political position.

    The voting machines must be scrutinized carefully, picked apart, and constantly evaluated to ensure the security and integrity of the elections. Most that are not in the IT security world have no idea about these things and do not fully understand the consequences of outdated windows installs, access to system level accounts, or physical security lapses. Is it any better in the EU??? :)

  7. Anonymous Coward

    What if...

    ...these were the machines that controlled the lottery drawings (Powerball, big game, etc.) around the country? If the lottery players thought the game was fixed or there would be a predetermined outcome, would there be a bigger uproar than this? It is sad but true.

  8. John

    Remember the old maxim...

    Vote early and vote often.....

  9. Tam Lin

    Yum. More Red Herring, please.

    While I completely agree with the article, keep in mind that Ohio, Florida and other jurisdictions have proven over the last dozen or so years that election officials--with the full backing of the press and the police--can simply shoot voters if they get too uppity about this legacy 'rights' crap. [1]

    Besides, whether by paper ballot, e-vote or roll call, it's not who votes, it's not even who counts the votes, it's all who gets to say exactly who gets to say what the count is.

    [1] Although I don't know of any cases where a voter has been shot, how would I as I don't imagine it would get any play on, say, Meet the Press[idential PRopaganda Show].

  10. Chris Miller

    @Iamfanboy - undisclosed accounts

    "WHY was it included in the first place? It had to have been intentional and planned."

    Not necessarily. It was most likely a default account that the developers forgot or didn't know about. This is one of the most common vulnerabilities that are found during many types of security testing.

    Cock-up? Certainly - if I was attempting to subvert the system, I wouldn't do it by inserting a 'secret' account, and I'd at least give it an obscure name.

    Conspiracy? Only if you're a fan of that sort of thing.

  11. Anonymous Coward

    Voting?

    "hire Bally's or IGT and have them revamp a keno or poker machine for voting"

    Why revamp them? Given the crop of self-serving incompetents that we have in high office today, Keno or poker is probably as good a way as any of choosing a government. At least they'd be able to claim they were lucky...

  12. Alan White

    Real-world blah blah

    "This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation's democracy that our customers - and all election officials - carry out every day in their very important jobs of conducting elections in California and throughout the United States."

    It becomes a real-world scenario as soon as the exploit is discovered, surely?

  13. Pascal Monett

    unrealistic worst case scenario?

    Just exactly what is unrealistic in imagining someone "subverting" the server before installing a logging application?

    Just what is unrealistic in imagining an agent training himself in unscrewing the lid to insert some tampering device and rescrewing the lid on in record time? He wouldn't have to be all that quick either - there is no time limit on voting, and no one will dare open the privacy screen in less than five minutes, especially not if you talk back and state you're having trouble deciding.

    I find all these tests quite realistic, and I despise the current state of electronic voting machine technology. If you make a machine to count my vote, you had better prove to me that it is totally secure from tampering, and I mean totally. And that rules out using Windows to run it for starters.

    By the way, I don't know about all of Europe, but in France we don't have machines to vote. It's the good ol' paper ballot in the voting urn, and it works fine. There was a trial of a few machines for the Presidential vote that brought Sarkozy to power - but it was badly timed for a first try and generally not appreciated by the public. No word on efficiency or security, although a few civil rights organizations declared that they were unsafe and unfit for duty.

    I don't suppose that'll be enough to keep the machines from coming, though.

  14. heystoopid

    Say

    Say, are these the same type of machines used in suspected voter fraud in both the states of Ohio and Florida back in '04 to cause a positive swing to the Republican side of the fence irrespective of real votes lodged at that time!

    Further, as with everything submitted and sold by the lowest bid tenders that many US State Governors prefer due to the widespread implementation of California's Proposition 13 tax limiting laws from the Ronnie Reagan era as state governor across the new Union of the Soviet States of Amerika (the new recent attempted US Immigration Act sponsored by George W. Bush and all his cronies, to register 13 million undocumented (mostly underpaid almost slave labour like working conditions) citizens and key component of the US Economy, included a separate requirement for all US citizens to have a formal Identification Papers to be carried at all times and produced on demand, very similar to those issued in the former Stalin era Soviet Union and Nazi Germany. Further all US states and territories would be required to implement at their cost, from state taxes). Further, you can't really expect security to be a high priority along with buggy imperfect code!, due to rush delivery dates!

    The ease at which these machines can be opened with a simple readily available key and then doctored with a bias along with the lack of setting up a proper audit trail has been well documented, by many researchers!

    Oh well, such is life!, and the Peter Principle rocks on in the new 21st century!

  15. A J Stiles

    Scrap voting machines altogether

    It is beyond belief that any government would consider the democratic process subordinate to a corporation's interests, yet that is exactly what happens when voting machines are built using proprietary technology. There have been calls for the blueprints, schematics and software used in voting machines to be published; and while the arguments are compelling, such measures do not go nearly far enough.

    I contend that voting machines should be scrapped altogether, and every truly democratic state should require in its Constitution that elections be conducted using pencil, paper and manual counting.

    The paraphernalia used in any election *must* be Universally Comprehensible. The first requirement of any voting system is that it can be verified by any of its users, and one cannot verify a system without understanding it. Purely mechanical or electro-mechanical voting machines *may* be *almost* Universally Comprehensible, but there still exist failure modes (moving parts are subject to wear) and there will always be some people unable to understand some important concept.

    Elections have been conducted the old-fashioned way since ..... well, forever. All the failure modes of manual voting systems are understood, and procedures have been established to minimise their effect. (Probably the simplest method is to ensure that all candidates' representatives are present at the count: the natural tendency for everyone to mistrust everyone else will help to ensure against cheating.)

    The use of any technology only enables new failure modes; and the use of proprietary, secret technology enables the creation of "special" failure modes that only the manufacturers know about.

    The processes of democracy are more important than that.

  16. Anonymous Coward

    Voting in EU? At least in Germany ...

    we still have paper ballots, but politicians want e-voting machines. The only advantage of these machines would be getting results half an hour or less earlier, big deal.

    Today there are teams of citizens (different parties, social groups etc.) who run the voting at the different locales. After closure of the voting, they open the sealed urns and count the votes. The latter is public, everyone could watch - at least in principle a means of control through the citizens. The ballots are kept to enable a later recounting, revision etc. if there are any doubts.

    Because many citizens want the possibility to control and check the voting, there's a movement against the machines.

  17. Steve Sutton

    @Chris Miller - undisclosed accounts

    "Not necessarily. It was most likely a default account..."

    Yeah, but the password was "joshua"

    ...now where did I leave my coat?

  18. Anonymous Coward

    I agree...

    I agree with the person who said 'hire Ballys or IGT' to create these... Companies that make gambling machines have indeed "seen it all" when it comes to tampering with equipment, and know at least how to make a physically secure machine. These are the companies that should be building these--although you'd think that Diebold would have done a little better job, as they've built ATMs forever... These machines are more mission critical than anything else on Earth. Whoever successfully tampers with a vote controls the future of the world. An e-voting machine MUST be foolproof, whatever the conditions it is tested or used under. Not that I'm an advocate of wasting trees, but cash registers of old had a journal printer to allow easy audits--why is this missing from e-voting machines? Combine the journal entries with an encrypted serial or some kind of verification number for each transaction (or encrypted barcode), and I think you're on the right track. And Windows is just too riddled with holes to make a secure OS for these. A proprietary, simple, dedicated OS (possibly a stripped-down *NIX variant) I think is called for here </rant>

  19. Anonymous Coward

    Learn a lesson from Brasil, bunch of re****ecks!

    We have successfully installed an automated voting system here.

    The machines themselves cannot be accessed without breaking any seals in the screws (if there are screws closing it, the thing looked like a sealed brick to me). The machines are carried around, to voting places and back, in armored trucks, just like if they are worth their weight in gold. Even if you manage to steal any machine, tampering would be evident.

    There is no wireless access, whatsoever. You have to bribe the election official if you want access to the voting machine, like any other paper ballot system, so it is not the system's fault. Even if you successfully bribe an election official, to get a box tampered, the sum of votes must check with the expected number of voters, so no graveyard voting... you would have to bribe the whole chain of command all the way up... and that's the only way out for a cheater, the human side.

    There is a different number for each voter, just like a social security number, and each number can only be entered once. THE SOURCE CODE IS OPEN FOR INSPECTION BY THE ELECTORAL JUSTICE. There you go, bribe the entire Electoral Justice!

    Every machine prints its result, and it is stored in a sealed bag, should the electronic part ever get damaged, or malfunctioned, which is more likely. The printed result is treated just like the paper ballots, and it is cross-checked with the electronic results upon conference in the Electoral Justice. (you don't have 50+ pieces of paper, you only have one with the results, so the manual adding would be faster.) Should the machine fail before the end of election (dropped out of the table by wire tripping is not unheard of), there are paper ballots as backup.

    In every voting place you have inspectors from each party, and we don't have just Republicans and Democrats, we have some 15+ different parties in some places.

    No matter how broad the election is (Mayor, President, whatever) the results are counted within 48 hours, not 48 days...

    There is no Linux or Windoze on the box, so even if you manage to hack into it, it wouldn't talk to anything else. Not to mention that the election official can only input the "social security" number of the next voter in a special keypad close to the voting machine, allowing him to vote. If the cable to this keypad is broken or disconnected, the machine craps out. Plus, the machine isn't entirely covered, it resembles an ATM machine where only the keyboard is covered, so everybody (looking impatiently at your back) would notice you crouching on the floor trying to reach the cable anyway.

    PS. I used the term Electoral Justice in translation for "Justiça Eleitoral" because I don't know the equivalent US name for it.

    The system works great, instead of the shameful Florida recount that put that moron in the US govt.

  20. Steven Hunter

    PR speak translation

    "Sequoia argued in a press release. 'This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation's democracy that our customers - and all election officials - carry out every day in their very important jobs of conducting elections in California and throughout the United States.' "

    Translation: "We're really angry that you found all the bugs we worked so hard to obfuscate in our horribly flawed and shitty product. But instead of, you know, *fixing* them, we're just going to bitch about your testing methods. As a bonus, here is some bullshit patriotism in the hopes that you'll just forget about the whole thing and give us some more money."

    Frankly, I don't trust electronic voting machines at all. How the hell do I know that Diebold, or Sequoia or whomever doesn't just ignore my vote and do whatever the hell it wants? When we used punch cards, at least I knew that if somebody wanted to commit massive vote fraud they needed time, equipment, and money. Now all they need is a Torx driver and a few minutes alone with the voting machines (which I'm betting isn't very difficult to obtain).

  21. Michael

    Not Gerrymandering

    http://dictionary.reference.com/browse/gerrymandering

    ger·ry·man·der

    To divide (a geographic area) into voting districts so as to give unfair advantage to one party in elections.

    This is not an example of Gerrymandering. It's an example of complacency and defensiveness on the part of the voting machine manufacturers.

  22. Brett Brennan

    Re: Not Gerrymandering

    True. However, gerrymandering is another of the favorite "old school" ways of altering the outcome of elections. Texas showed gerrymandering in full force a couple of years ago, when the Democratic state representatives ran away to Oklahoma to avoid a vote that would screw around with their district borders.

    Besides, you can effectively "gerrymander" an election by the creative placement of the polls. For example, move the polling place from a civic center (on bus routes, lots of parking, easily found) to the living room of someone's house (blocks from the bus, no parking, restricted access - all causing inconvenience and long lines). This occurred in my old district in Long Beach, California when I lived there. (And Republicans - the residents in the neighborhood - came out in greater numbers than Democrats that lived a long walk away.)

    Besides, it made for a catchy title...

  23. Mike

    Gaming and Elections

    While it is true that IGT and Bally could probably do a lot better than the current crop of [ft]ools, they are by no means infallible, and part of their previous behavior had to do with the Nevada Gaming Commission taking security _very_ seriously. Even so, a few years back a slot-rigging gang that included a gaming-commission employee was uncovered. Add to that the fact that Gaming is no longer a "Nevada thing", but has spread in the U.S. to Atlantic (Who cares if the games are rigged, look at those tax dollars) City and every Indian reservation with a reliable supply of electricity, and you'll see that the level of inspection overall is quite a bit lower today.

    For completeness, I'll mention that "in the old days", the casino owners were not totally dependent on the gaming commission to enforce "fair" (to the casino) games. Of course, today's clients of Diebold et al. may have some blackjacks and cement overshoes at their disposal, too.

  24. Demian Phillips

    Diebold

    The Diebold voting machines are made by a company that Diebold bought when they wanted to get into the voting racket.

    Unfortunately none of the ATM division management seem to have any say or input into the company they bought.

    The saddest thing is it uses an MS Access database for vote data. No password either I hear.

  25. Andy Bright

    Missed Opportunities

    You mean we could have reprogrammed all those voting machines to elect the gay Teletubby as President?

    Don't you see the possibilities if we insist they keep using these machines, and in fact force every State to use them?

    We'd control everything.. we could force Congress to write proper p2p friendly laws, re-name Holidays after WoW event weekends, we could threaten them all with election melt down.. unless they pay us one meeelion dollars.. bwahhahahahaha...

  26. AgentDuke

    Man of the Year, revisited?

    If anyone had seen the movie (though a hollywood-hype blowout of a voting-software company with this same attitude) shows a good example of how ignorance and lack of humility against hacking can just outright destroy your credibility.

    As a software developer on multi-platform, you have to admit that mistakes can be made. Code reviews, audits, testing - they all serve the purpose to make a secure and reliable system. Shooting down the results of a firm, whether the extreme or not, is simply counter-productive.

    I'd personally feel for them (and not laugh out loud at them) if they had come back with a response something like this:

    "We acknowledge that testing under the conditions reported, while a worst-case scenario and extreme, have shown that additional review and auditing could be performed. Tests prior to this external audit have proven a certain level of reliability and security, and we welcome the external input provided and are working with election experts to review which conditions could be repeated under voting circumstances. Any and all known holes will be closed."

    Humility can go a long way into voter confidence. And I tell you what - without the confidence of the voters, which they are NOT earning with such a blanket statement, they will die on the vine (ie never reach the production release phase) like so many others...

  27. A J Stiles

    Amusement machine manufacturers

    It's all very well to say "get amusement machine manufacturers to make the voting machines, on the basis that they are used to building secure systems", but this is not necessarily so.

    The security of amusement machines depends as much as anything on the nature of the relationship between the amusement machine operators and the players: each is trying to make money out of the other.

    If you make an amusement machine that can somehow be tricked into paying out when it shouldn't, the venue (casino / amusement arcade / funfair / theme park / chippy) will be liable for the losses. No operator is going to buy machines like that once the word gets onto the street. Conversely, if you make a machine that doesn't pay out as often or as much as it should, punters will begin shunning it and eventually, again, no operator is going to dare buy your machines. When both false negatives and false positives count against you, it's in your own interest to be fair.

    If the voting machines are to be made by amusement machine manufacturers, then the roles of arcade operator and punter would be taken by the returning officer and voter respectively. But the practical relationship between returning officers and voters is nothing like the relationship between arcade operators and punters, and can't be exploited in the same way.

    The nearest thing that exists in the election environment is the relationship between the candidates: the Labour candidate does not trust the Conservative candidate, the Green candidate doesn't trust the Labour candidate and the Independent candidate doesn't trust any of the others. And although the candidates themselves don't choose the voting machines, there's a way that they could *be* the voting machines -- and that is manual counting. For something that happens once every four years, and when the only alternative is the death of democracy, it's well worth it.

  28. Daniel Ballado-Torres

    Paper voting? E-voting?

    I wish I could trust as much in the electoral system as the Brasil dude does. I really wish I could.

    Even with paper-voting, our own Mexican elections were subverted; the only ones who still believe the 2006 elections were clean are the current "president" supporters, and even they are in some state of denial. Software tinkering by the contractor (Hildebrando, owned by the first lady's brother) and dodgy laws governing recounts (not very different from Florida 2000) may have been able to skew the results by a low but sufficient margin to change the results. While paper does leave a trace, the ballots themselves are only counted once, the boxes are then sealed and the number of votes is put into a separate certificate, which is then placed in front of the sealed box.

    So even with a recount, if the certificate itself was rigged, we still get screwed. So much for paper voting...

    PD: I read *Windows* in voting machines? So much for security... I'm just waiting to see the report for "e-voting machine spits out BSOD in primaries" ... that will be priceless...

  29. Anonymous Coward

    Hackers?!?

    I don't normally moan about The Register's use of the Queen's English. But, today has to be an exception.

    You cannot possibly use the word 'hacker' to refer to a 'professor'
