As I write this on election eve, the presidential race between Obama and Romney is shaping up to be a real nailbiter with squads of lawyers readying their legal pads and briefcases. No one wants a repeat of 2000 and Bush vs. Gore, but the vulnerability of electronic voting machines should be enough to give one pause.
Roger Johnston is head of the Vulnerability Assessment Team at Argonne National Laboratory. He and his colleagues recently launched security attacks on electronic voting machines to demonstrate how easy it is to steal votes. Conclusion: It’s really easy. And cheap.
We can do this because most voting machines, as far as I can tell, are not encrypted. It’s just open standard format communication. So it’s pretty easy to figure out information being exchanged. Anyone who does digital electronics–a hobbyist or an electronics fan–could figure this out.
The device we implanted in the touchscreen machine was essentially $10 retail. If you wanted a deluxe version where you can control it remotely from a half a mile away, it’d cost $26 retail. It’s not big bucks. RadioShack would have this stuff. I’ve been to high school science fairs where the kids had more sophisticated microprocessor projects than the ones needed to rig these machines
All that stands between a free and fair election and a stolen one is a teen-age hacker with $26 in electronics? Our founding fathers would not be pleased. Maybe we should all go back to the butterfly ballot.
[via Popular Science]
34 thoughts on “How to Hack an Election: A Cautionary Tale”
I have a problem with this post. First of all it is not new. It was posted to You Tube on Sept 19, 2011. In that video they show that they can hack the voting machine by placing a less than $26.00 (worst case) device in between the touch screen and the rest of the system, The picture shows the device being plugged directly into a ribbon cable that comes from the touch screen and the article implies that the added board is a microprocessor of some kind.
To do this you need to know an number of things. First you need to know the pin out of the cable that you are plugging into. You also need to know:
o How the touch screen is scanned
o If it is your board that is creating the scans or
o If the new board is just passing the scans along or
o The scan hardware is between the touch screen and the main board where the new board is connecting.
This all means that you will have to have access to a voting machine to reverse engineer and ideally have a schematic available.
Once you solve all the above problems, you need to know what a touch on the screen means in terms of who was voted for rather than just coordinates, which is what is returned from a touch screen. Then you have to have access to the voting machines on a large scale as 1, 10 or a hundred machines were unlikely to modify the vote enough to be an issue.
Very unlikely to happen. Oh, that $26.00 dollar cost? Multiply that times a 100,000 or so, as that is the number of machines one would need to hack to even come close to changing some election, especially a national one. Might get away with a local election though. But then the hacker risks years in prison if they are caught.
From the video (8:20): “Spare subpanels can be obtained for a few dollars on EBay.” That addresses your reverse engineering concerns.
By your estimate, $26 x 100k machines = 2.6 million dollars, to buy the results of an election. For reference, both presidential candidates’ campaigns have raised (and by tomorrow will have spent) close to a _billion_ dollars on this election (http://elections.nytimes.com/2012/campaign-finance). The costs to monkey with the machines are negligible.
There are fairly straightforward ways to ensure votes are accepted and tallied fairly, and in a way that is re-countable in the event that is necessary, for example, printed receipts that can be validated by a voter before being deposited in a secure box at a polling site. Electronic machines with unencrypted databases and easily changed software (http://www.salon.com/2012/11/05/ohio_republicans_sneak_risky_software_onto_voting_machines/) are not the answer.
You’re under the impression of a 15 year old kid doing it for a prank our something… Just because the article said children could do it doesn’t imply that they think children would do it. It’s just illustrating the point that it’s simple. Ever heard of ACORN? Or CVP? There’s known unscrupulous organizations that have been caught committing fraud on a large scale. And a huge difference can be made with just a few machines in the right counties of swing states on an election this tight. http://www.breitbart.com/Big-Government/2012/11/05/philly-activist-group-shreds-gop-registrations
Our voting machines here are capable of printing out a paper result to verify your selections, which you turn in as you leave, but this has only been used once since they began using these electronic machines. I early-voted again this year, entered my selections, and walked out of the booth without any confidence that my votes were registered as they should have been. My lack of confidence is only reinforced given that I’m in a heavily GOP-controlled state, complete with the new GOP-backed voter ID law, their solution to a non-existent problem, while fully ignoring the known fraud possibilities of absentee ballots. I know that my vote for president won’t mean much here thanks to the electoral college, but it’s my vote for the other congressmen which I hope to affect. Whether that vote went to who I actually selected, though, is anyone’s guess.
As enlightening as this is concerning the lack of security thinking among voting machine manufacturers, I think a lot more damage is done to democracy (by both Red and Blue political machines) by demogoguery, distortion, and misdirection in political campaigns.
I do find it interesting that both comments that mention one party over another assume that Republicans would be responsible for any tampering. Does this reflect a prevailing presumption in the maker community, or just random chance?
When you take into account the debacle in Florida in the year 2000, heavily GOP-controlled, and just so happened to have George Bush’s brother as governor, it’s kind of impossible to not question the legitimacy of that race. It’s even worse when you really dig into the details of that election, and see all the ballots thrown away or improperly handled. Then let’s consider all the robocalls, which happen just about every election, usually telling democrats to vote in the wrong places (and happened again this year). Or the mostly GOP-backed voter ID laws getting passed in certain states, which are a solution to a non-existent problem, unless your problem is poor and black people who are likely to vote democrat. In my state, we’ve had a mere 14 cases of voter impersonation since the year 2000. Does that imply the need to change voting laws for the entire state and hinder a portion of the population from voting? Then let’s consider that the president of a huge voting machine company like Diebold makes large contributions to GOP campaigns, a complete conflict of interest. Then factor in the cases of confirmed voter fraud usually being attempts by republicans (like one going on in Virginia right now). And last but not least, churches breaking the law and openly endorsing republican candidates, and/or convincing their members that their salvation is in jeopardy if they vote democrat.
In other words, if democrats are engaging in serious voter fraud, then they’re either really bad at it and it never happens, or so good at it that nobody can ever find out.
(cough) ACORN (cough) CVP (cough)
P.S. It’s intellectually dishonest to claim both: there’s no voter fraud so no voter ID laws are required, and… republicans are committing voter fraud.
P.P.S. when 14 more people register to vote than there are people in the state, that doesn’t mean there are only 14 cases of voter fraud, it just means that despite the fact that there’s no reasonable way to catch a fraudulent vote because there’s no enforcement system in place, it’s provable that at least 14 people committed fraud… as many as hundreds of thousands.
I wish people who continue to use examples like ACORN would actually look further into the subject rather than just the claims made by disreputable criminals like James O’Keefe. ACORN was cleared of all wrongdoing, with the “video evidence” of O’Keefe’s found to be entirely based on deceptive editing. They found this out when they threatened to send O’Keefe to jail unless he released his original unedited footage. But the damage was already done to ACORN by that point and had shut down, which made republicans happy regardless of whether it was justified. Meanwhile, James O’Keefe is still currently under probation for attempting to wiretap a democrat senator, which was his next criminal act after the ACORN debacle.
While I agree no one is likely to turn the tide in a national election, voters still have the right to cast a vote without wondering if someone is going to tamper with it. Electronic voting still has a long way to go before it is proven to me. I do however, fear the social engineering versions of voter disenfranchisement far more. The last minute wackiness taking place in Ohio and Florida are more likely to ‘throw’ the election than any other threat in the immediate future.
wanna stop this?
– find a suspected poll.
– get the list of those who voted.
– ask if each person if they would sign an affidavit they voted for Obama.
– if the number of people who will step up is greater than the number of Obama votes from the machines then get notaries.
There is your proof…
It has been demonstrated that a system claimed to be “SECURE” is “NOT”
The discussion ought to be around “fixing the security hole”
Why is the discussion around whether or not fraud or fixing is/did/isn’t/didn’t occur?
If the hole is in the roof, FIX IT do not argue about “it’s not raining now”
We *demand* fixes for Windows, why not for Voting?
>wanna stop this?
>- find a suspected poll.
>- get the list of those who voted.
>- ask if each person if they would sign an affidavit they voted for Obama.
>- if the number of people who will step up is greater than the number of Obama votes from the machines then get notaries.
>There is your proof…
That is a basic misunderstanding of our voting system- we have SECRET BALLOTS for a very real reason, as demonstrated by retaliation against voters in other countries.
Easiest solution. My state mails ballots to registered voters which allows early voting by mail. Use the “old fashioned” printed ballot that comes in that package. I assume other states allow this, too.
The best election hack is to count votes :P
[…] the piece How to Hack an Election: A Cautionary Tale, Tommy Phillips […]
My candidate won, so I know no voter fraud was committed this year! If they had lost, for sure it would have meant that the other side cheated!
Comments are closed.