Just how vulnerable are voting machines to hackers? More than we realized, it turns out. As we enter an election year, it’s time we take a closer look at recent evidence proving how easy it might be for a hacker with the right incentives—political or monetary—to break into voting machines and skew the vote.
In 2008 the state of New Jersey was sued for not guaranteeing the security of its electronic voting machines. The judges’ summary (pdf) from that case was released this year. Experts noted the only security on newer voting machines is the (woefully insufficient) physical seals on them.
But once a hacker is past the seal, how can he or she manipulate the vote count itself?
In 2004 about 29 percent of U.S. voters used Direct-recording electronic (DRE) voting machines, and that percentage is steadily increasing. To start the machine, election workers insert a flash memory card in order to set the ballots. A hacker could install a virus on a card that alters the recording of results. Or a hacker could replace the software that controls how the computer interprets the touch-screen presses on the user interface, then direct the machine to miscount votes based on an algorithm he or she creates.
The privacy of the ballot choice protects the hacker since voters cannot be interrogated later on about how they voted. Optical scanning voting machines may be vulnerable as well. But in those older-style machines, at least there is a paper trail: Voters complete the ballot card before it is fed into software that detects the darkest mark on the card. And in the U.S. presidential election of 2000, manual voting machines meant that counters have actual hanging chads to evaluate.
But one might wonder how does a hacker get access to a voting machine to actually hack into it?
Well an expert witness in the 2008 case against New Jersey, Andrew Appel, chair of the department of computer science at Princeton University claims it’s not out of the question for insiders and outsiders to gain access to these machines. Election workers who have access to the warehouses in which machines are stored have continuous access to the machines. Plenty of outsiders also have access since the machines are often left unattended in polling locations like schools and community centers.
To add to his or her expertise a would-be hacker might be able to purchase old voting machines on the Internet as Appel himself did to perform the experiments that supported claims made during the 2008 trial.
From his account of how he purchased five Sequoia AVC Advantage voting machines:
I purchased one lot of 5 machines, for a price of $82 for the lot. Registering to bid at govdeals.com is just like registering to bid on e-bay--no questions asked except name, address, e-mail, and telephone number. The government had no information about me or my motives in obtaining the voting machines at any time before or after the auction and delivery of the voting machines to me. I paid for the machines by cashier's check. I had these machines shipped to me in Princeton by commercial carrier, where they arrived on February 2, 2007. … The machines arrived in operating order. The machines, originally sold to Buncombe County in 1997 for $5200 each, appear to be almost identical to machines used in Mercer County, New Jersey, where I vote. The only difference that I discerned is that instead of a green "x" to indicate a vote, there is a green arrow. This difference is very minor and does not, for example, mean that the internal software is different.
He goes on to tell how he was able to dissect the internal firmware:
I was surprised at how simple it was for me to access the ROM memory chips containing the firmware that controls the vote-counting. Contrary to Sequoia's assertions in their promotional literature, there were no security seals protecting the ROMs. Indeed, I found that certain information in the "AVC Advantage Security Overview" (from Sequoia Voting Systems, Inc., 2004) was untrue with respect to my machine. Sequoia's document states,
The vote counting instructions in each voting machine are written into integrated circuit chips during the manufacturing process. These chips are incorporated into each machine's circuit boards. Access to the machine should be limited by administrative procedures and is also limited by the physical design of the machines. Design features include door locks and a numbered seal on the CPU cover.
I found this to be incorrect, with respect to the machines delivered to me. I did not have to remove any seals, whether of tape, plastic, or wire. The sheet-metal panel covering the computer circuit board is the only component I found that could possibly be described as a "CPU cover", and it had no numbered seal. (If there ever was a numbered seal holding the CPU cover down, then Buncombe County's technicians would have to remove it and replace it every time they change the four AA batteries on the motherboard!)
Increasing spending on elections might improve security. But elections, surprisingly, tend tend to be run on the cheap, so machine makers stick to budgets and leave little money for testing.
[via Technology Review]