2008: The year of hack the vote?

2008: The year of hack the vote?

Summary: The state of Ohio has released a comprehensive study of voting machinesecurity and the report will have you longing for paper.A 334-page PDF report from the Ohio Secretary of State reveals insufficientsecurity, poor implementation of security technology, lax auditing and shoddysoftware maintenance.

SHARE:

The state of Ohio has released a comprehensive study of voting machine security and the report will have you longing for paper.

A 334-page PDF report from the Ohio Secretary of State reveals insufficient security, poor implementation of security technology, lax auditing and shoddy software maintenance. The report, which covers voting systems from Election Systems and Software (ES&S), Hart InterCivic and Premier Election Solutions formerly known as Diebold, was conducted by Ohio's EVEREST (Evaluation and Validation of Election-Related Equipment, Standards and Testing) initiative in conjunction with research teams from Penn State, University of Pennsylvania and WebWise Security.

The EVEREST report was released Dec. 7 and I found it via Slashdot. Overall, the report really raises questions about election systems. Buffer overflows, leaky encryption, audit problems and firmware issues abound. One machine, the M100, from ES&S accepts counterfeit ballots. The Premier AV-TSX allows an unauthenticated user to read or tamper with its memory. The Hart EMS has audit logs that can be erased.

In fact, the first 17 pages of the report--essentially the table of contents--is an indictment of these systems. To make matters worse, these machines don't run constantly. That means malicious software could be planted and not turn up until election time. These machines aren't patched regularly either.

The report is too massive to detail completely here, but at a high level here are the takeaways from the EVEREST report:

  • Systems uniformly stunk at security and "failed to adequately address important threats against election data and processes."
  • A root cause of these security failures was "pervasive mis-application of security technology." Standard practices for cryptography, key and password management and security hardware go ignored.
  • Auditing capabilities are a no show. "In all systems, the logs of election practices were commonly forgeable or erasable by the principals who they were intended to be monitoring." Translation: If there's an attack the lack of auditing means you can't isolate or recover from the problem.
  • Software maintenance practices "of the studied systems are deeply flawed." The EVEREST report calls the election software "fragile."

Why would these machines be so enticing as a target? You could swing an entire election, produce incorrect results, block groups of voters, cast doubt on an election or delay results. And it may not take a brain surgeon to alter these systems. The EVEREST teams reported that they were able to subvert every voting system and not be detected "within a few weeks." Meanwhile, the EVEREST teams found the issues with only limited access since vendors weren't exactly cooperative (Section 2.4 of the PDF has the details).

The researchers say:

Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact.

As for the attackers, EVEREST ranks the following folks in ascending order of capabilities:

  • Outsiders have no special access to voting equipment, but could affect equipment to an extent that it is connected to the Internet. All of the systems reviewed run Microsoft Windows and occasionally connect to the Internet. In addition, an attacker could create a counterfeit upgrade disk and mail it to install malware.
  • Voters have limited and partially supervised access to voting systems while casting a vote.
  • Poll workers have extensive access to polling place equipment, management terminals before, during and after voting. They can authorize who votes and who doesn't and opportunities to tamper with equipment abound.
  • Election officials have extensive access to back-end election systems and voting equipment. Access is only loosely supervised if at all. One possibility: Bad software prompts election officials to "correct" results.
  • Vendor employees have access to the hardware and source code of system during development. Employees may also be on site to assist workers and election officials. "Some vendors use third-party maintenance and election day support whose employees are not tightly regulated," according to EVEREST.

Add it up and any hack the vote opportunities will most likely be an inside job of some sort. The attacks may or may not be detectable.

Topics: IT Employment, CXO, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

60 comments
Log in or register to join the discussion
  • One word: Duh.

    I remember getting a letter from my governor during the last midterm. It told us that it was out with the good ol "pull the handle, turn the knobs and yank the handle back" voting machines and onto the future of electronic voting.

    It, of course, attempted to answer the security issue. It used, and I do not kid, this as an example of security:

    "ultra-secure WEP wireless encryption"

    ... WHAT?!

    At that point, having Xenu win an election was running through my mind.

    Then I learn that some of these machines (by many manufacturers) are backended in ACCESS. Again... WHAT?!

    There's NO security. None!
    Sabz5150
  • Time for open source

    With the problems rampant in the private source model for voting systems, it may be time for some input from the open source community. I think we all know that valid elections are required. Open requirements for requirements, design and implementation of the system could lead to some systems that would be accepted globally. The current crop of providers work in secret and are extremely defensive. Perhaps open source competition would help them see the error of their ways. It is clear that political pressure will not work, politicians are typically non technical.
    cholzwarth
    • It's only the free world at stake

      Step (A) Open source, then step

      (B) Test, retest, test ongoing, test until the end of time and

      (C) Use the damn manual ballots until the system is infallable...

      Not infallable yet?

      Repeat steps (A) and (B).
      distantrhythm
    • What about support?

      The blog mentioned serious problems with certified support, certified update procedures and unauthorized access to management terminals etc. Open source will not solve the personnel issues. I know of no company or organization that can support every polling place in a national election. Don't get me wrong at first blush open source would solve many problems but it will not solve all of the problems mentioned in the blog.
      clareJ
    • I have to agree

      It's not that I think open source is necessary to make it right, but open source does mean that engineers on the left/righ and middle can all look it over and point out the flaws. everyone wants to make sure it's right, because they don't want any of those other bastards stealing the election ;)
      notsofast
  • RE: 2008: The year of hack the vote?

    In Canada, we vote by writing an X on a piece of paper. We count the papers and the Xs. The voting, and the counting is scrutinized by representatives of the candidates, and their political parties. Spoilt ballots can be seen and discussed, re-counts are clearly based on the paper documents, and can be done by a judge if necessary.

    Computers votes can be erased, changed, lost, destroyed, faked, etc. The votes cannot be seen without technology - unless a paper ballot is used. Validation of votes can be next to impossible.

    Frankly, I think 'counting' the ballots is as much a part of democracy as 'voting'. Deomcracy needs to be participatory - not just punching something into a computer once very four years.

    Attempts to computerize voting and counting subvert this democracy.

    To be honest, I do not see the appeal of 'computerized democracy'. Is the goal to save money?

    A democracy that costs real people, real time, real money, is worth more than a democracy based on the 'lowest cost' model. You get what you pay for.
    tracychess@...
    • Only in Canada...

      ...would that work; here in the US, we don't know what "X" means, much less who we're voting for, even more so where that particular name is on the ballot... wait a minute, who gave me the septuple-lingual ballot again? I told them I wanted ENGLISH this time!!

      Seriously, though... so long as more people care about voting for American Idol than they do for their elected representatives, this is going to be a circular issue of "Let's Pretend to Do Something About [fill-in-issue-here]".
      GoodmanCPA-IT Tech
    • RE: In Canada

      We used to have this rather simple system based on punching out a hole in a card. Until the 2000 election, where the inability (or stupidity) of the voter to cleanly punch [b]OUT[/b] the card led to Florida to becoming a [b]national embarrassment.[/b] I only all to well "discussions" of 'hanging chad', 'dangling chad', etc. Then you have to deal with voter stupidity - like two punched holes - when there was supposed to be only ONE. Remember, you are dealing with the general public, and many of them are not very attentive.
      fatman65535
    • Counting vs voting

      You're so right about the counting. I'm in Washington State. Our 2004 Governor's race was so close that it forced more than one recount, at a big warehouse in Seattle. My wife and both my boys (18 & 19 at the time) volunteered to count votes (I was traveling, couldn't). They were impressed that the process was very well managed, and had observers from both parties for every several counters. I think the final difference was something like 130 votes, and of course the loser was a sore one. But yes, manual counting should be the default condition, not the exception.
      alieninvader@...
    • Was an issue in my area.

      In my area of Ontario Canada, there was an issue of debate over the use of electronic voting machines AFTER the former Mayer lost the election by a very slim margin. He contended that there was an error in count and asked for a manual recount of all ballots via court order. Ironically it was under his council that voting machines were introduced. The controlled media propaganda machine spun the issue as the former Mayer being a sore loser and wasting tax payers time and money by only broadcasting that message from local area residents.

      The recount of the paper ticket produced by the electronic voting machine did confirm his narrow lose. Therefore there was no human error in counting the paper ballot produced by the electronic voting machine but did this did not resolve the issue of potential machine error.

      When I brought up this issue to a newly elected member of council he reassured me there was no way for the machines to register a vote other than the one cast and that the machines were tested a head of time. When I explained the several means by which the machine could be tampered with without effetely revealing this during testing, he was not interested in discussing the issue further.

      It was clear to me that a poor education system and/or a society which is uninformed and too trusting of autocrats and technocrats breed a compromised democracy. It is the responsibility of people to question and the duty of those in charge to listen and respond to our concerns until we are satisfied; after all we are all members of our community.
      mario@...
    • Canadian Advisors

      In 2000, I was thinking we should have hired Canadian advisors to handle recounts...
      in 2001 I thought we should have hired Israeli advisors on plane security.
      Jkirk3279
  • Being a Luddite isn't enough

    Elections are too important to leave to uncertainty or bad software. But honesty is even more critical and paper ballots miss the point. If you want to know where this problem is coming from, simply watch and listen for who attacks this issue the loudest. Their mouthpieces are found AM radio and their henchmen have the majority on the FCC.
    alieninvader@...
    • A healthy dose of skepticism ...

      The opportunity for democracy to be subverted - intentionally (by beneficiaries of the current political systems, or by "hackers") or otherwise (e.g., faulty software) - is simply too great under current conditions.

      I'm rarely a neo-Luddite - in fact I'm usually one to promote the productivity and innovation benefits of new technology - but given the importance of the voting & counting processes, the cost associated with running a traditional "mark X" election (yes, I too am Canadian!) are more than reasonable when compared with the cost of any suspicion falling upon the electoral system.

      Putting my techie hat back on, it seems to me that if (that's a BIG IF) the open source software approach described above were to be taken, coupled with G8/developed nation governments embracing ubiquitous strong encryption technology for citizen/resident identification, some real democratic benefits could ensue:
      - lowered cost for elections (not a benefit in and of itself, but an enabler for referenda between election cycles)
      - online voting (recognizing that my "signed" vote provides a means to identify my heretofore anonymous selection - and thus creating a need for another control mechanism to ensure anonymity is retained)
      - engagement of larger percentages of eligible voting populations
      James McC.
      • networked voting: no way

        There's no way I'd trust voting over the net. You need to get a little more
        paranoid.

        Have any of the discussion participants volunteered to work at a polling place,
        either checking registrations and IDs and handing out ballots, minding the
        machines, or as poll watchers?
        Professor8
        • I haven't, but...

          ...I guess I'm going to have to consider it. I work from home 3 weeks out of 4 and given that Utah uses touch-screen voting machines, it would be useful to have some more tech-savvy poll watchers.
          John L. Ries
    • Not Luddite

      Ned Ludd and his followers were motivated solely by economic self-interest; there was no question that the new machines were more efficient and reliable than hand-weaving (the problem for the craft weavers was that they couldn't afford the new equipment).

      There *is* a real question as to whether machine voting is more reliable than properly monitored hand-balloting and there are serious questions as to whether computer-based voting machines, as presently designed can be secured at all.
      John L. Ries
    • Sorry alien... , but you're wrong.

      Casting ballots in a way that prevents recounting the original ballot is a priority of the liberals and supported by the Democrats. Their mouthpieces are found in the print and video media, not on AM broadcasting media.

      These are also the people who oppose all attempts to insure against multiple ballots being cast by one individual and who oppose American English as the official and only language used on official records.

      Paper ballots are the only way to insure that a recount of the original vote is possible.
      Update victim
      • Electronic voting part of a liberal plot?

        Then why has electronic voting been largely implemented by Republican officials in states where elections tend to be close and in ways that do not allow recounts. After the Florida travesty, caused by a Republican ballot official, there was a move to implement electronic voting machines to prevent similar problems. Nobody said that such systems should not generate paper ballots on the back side of selection, which is evidenced by the fact that every such system has a provision for such ballot printing. It was not-so-liberal Republican ballot officials who chose to not include those printers in the process. Now that such machines have been shown to be unreliable at all levels, it is Republicans who are resisting an ironclad requirement for generation of paper ballots. That's an interesting "liberal" approach.
        rett@...
  • Only in Politics

    Yes, after spending tens of millions of our Federal, State and Local tax money on new electronic equipment to prevent a 'hanging chad' problem, we then spend $1.2 million on this study. And what do they recommend?? Scrap all the new voting equipment and go to a punched card. The vote would then be tabulated at a few central locations around the state. We have local control over elections, which is something that the new Secretary of State is not happy with(note: control being the key word). Instead of electronicaly communicating the voting results, we get back to paper. I see armed guards transporting hanging chad ballots to a central location (new seasonal employment), and the news media, and the country for that matter on edge for days waiting for days to find out the results. Progress vs Politics as usual!! Funny part is that the major problem area in the last few elections has been in Cleveland, which is of the same political persuasion as the Secretary of State! Yeh, they are bickering.
    Buckeyeguy
    • seasonal vs. year-round voting

      I remember attending a speech which was a summary of constitutions around the
      world and he said that in Switzerland they vote about every other week-end.
      The president there can eat out or got to movies without a flock of security guards
      because he has little power and is closely constrained by the plebiscite.

      The only solution to all of this is to have complete cross-checking with multiple
      people of different party affiliations overseeing the arrangement of the ballots,
      making sure votes for Abe aren't counted for Ben, making sure the machines and
      boxes of examined ballots are then sealed before delivery to the polling places,
      checking those seals by several people at the polling place... creating an audit trail
      and chain of custody. Some counties try to do that.

      The South Florida -- SOUTH Florida, not the whole state -- foul-up included duly
      appointed count-watchers being ejected because they tried to do their jobs of
      raising objections to questionable actions.
      Professor8