Hacking US Voting Machines Is Child’s Play

May 16th, 2017 by Steve Hanley

Thanks to the embarrassing incompetence of Humpty Trumpty and his virulent assault on America’s political institutions, many people are already looking forward to the 2018 elections as a way of throwing the Trump supporters out of Congress and putting America back on the path of being a true world leader and not a pale imitation of a banana republic. Much of the public anger focuses on deep cuts to programs like the Affordable Care Act, Medicare, and Social Security, but others are equally motivated by Trump’s obdurate ignorance about climate change.

There is a problem with relying on the ballot box to restore order in a time of chaos. It assumes the voting process actually works. A recent article in Think Progress suggests it very well may not, thanks to last-century technology that is almost an invitation to hackers. No less a personage than Josef Stalin, who knew a thing or two about stealing elections, said, “Those who vote decide nothing. Those who count the votes decide everything.”

J. Alex Halderman, a computer science professor at the University of Michigan, and Ph.D. student Matt Bernhard have assembled a number of reasons that they say render US voting machines susceptible to outside interference that could affect the accuracy of their tallies. In 2002, after the chaotic presidential election two years before, Congress passed the Help America Vote Act. The legislation provided funding for several private electronic voting machine manufacturers, including Diebold.

Voting Machine Companies Are Not Impartial

In 2003, Diebold CEO Walden O’Dell sent a fundraising letter to Republicans saying, “I am committed to helping Ohio deliver its electoral votes to the president.” Republicans predictably pooh-poohed the comment, calling it a free speech issue, but such a clear political preference from the person in charge of making electronic voting machines is inappropriate if not illegal. Today, the industry is dominated by three companies — Dominion Voting Services of Toronto, which acquired Diebold, Hart InterCivic headquartered in Austin, and Election Systems & Software of Omaha.

Voting machines today fall predominantly into two categories. Optical scanners can be small, like the ones used at local polls or huge, or like the ones used at central voting centers to read absentee ballots. Direct Recording Electronic machines are touch screen devices that may or may not have a printer attached that makes a hard copy of the votes cast so they can be verified. According to Verified Voting, more than 20% of the DREs in use in the United States lack printers, making it impossible to detect fraudulent activity.

Voting Machines Fail To Pass Muster

“These machines are just so poorly engineered, the only real way to secure them is to destroy them and start over,” says the University of Michigan’s Matt Bernhard. In fact, their operating systems are often based on obsolete platforms such as Windows 98 or Vista.

In 2007, independent investigators audited the voting machines used in California (Premier/Diebold, Hart InterCivic, and Sequoia) and in Ohio (ES&S, Premier/Diebold, and Hart InterCivic). In all cases, the machines failed to provide the most basic security against tampering. “Every current e-voting system has serious, exploitable vulnerabilities,” said the University of Pennsylvania’s Matt Blaze and Sandy Clark at the 2008 Hackers on Planet Earth conference. “Serious, practical, undetectable attacks can be carried out by individual voters and poll-workers.”

Every attempt that Blaze and Clark made to breach the ES&S optical scanner succeeded. They were able to pick the locks with paperclips. “Tamper proof” seals were removed and reapplied using liquid nitrogen, lighter fluid, or steam. Replacements could also be purchased online. Blaze and Clark found that no passwords were required to recalibrate touchscreens to make some areas of the screen inoperable, preventing a vote for certain candidates.

The memory cards in each machine, which are removed and transported to voting headquarters at the conclusion of voting, used data that had not been encrypted. The data cards were not password protected, meaning that anyone could alter the firmware and introduce a virus into the electronic voting system for an entire county or even an entire state. “Every current e-voting system has serious, exploitable vulnerabilities,” says Clark. Blaze summed up the findings this way. “There was a pervasive lack of quality in the implementation (coding and manufacturing) of these systems. Failures were present in almost every device and software module we investigated.”

The reviews caused the companies to attempt fixes to the voting machines, but Mark Graff, formerly the chief information security officer for NASDAQ told Congress, “I have no confidence that they’ve mitigated enough threats that we can consider the machines safe.”

Does A Paper Trail Solve The Problem?

Surely having a paper trail improves security, doesn’t it? Halderman suggests the security a paper trail might offer is largely illusory. “Most states never look at the paper,” he says. “You have a great way to defend against an attack, but you never use it. If even in 2016, we’re not going to look at any of the paper. It might as well not be there.” Even after the allegations of rampant interference by a foreign power in the 2016 election, virtually no election officials have verified the results by tabulating the paper records. “Based on how messy our election system is, even if someone tried to carry out an easily detected attack, we still might not notice it,” Bernhard says.

Congress has reacted to the information about how insecure the US voting system is. In February, the Committee on House Administration approved H.R. 634, the Election Assistance Commission Termination Act. Committee chair Greg Harper, a Republican from Mississippi, said the Election Assistance Commission, brought into being by the Help America Vote Act, was “an agency that has outlived its usefulness, mismanaged its resources, and cost taxpayers millions. Bottom line, the agency does not administer elections and the time to eliminate the EAC has come.” He said the agency’s budget of $11,000,000 a year was a waste of money.

“The EAC sets federal guidelines for certification of voting systems,” said Lawrence Norden, deputy director of the Brennan Center’s Democracy Program. “A critical part of those certification guidelines has to do with security. Forty seven states rely on the federal certification program in some way.”

Testing and certification of voting systems used to be done by a consortium of state election directors, explains Pamela Smith, president of the Verified Voting Foundation, a non-profit dedicated to “safeguarding elections in the digital age.” That testing used to be done by a coalition of state voting commissioners but the EAC “really professionalized it,” Smith says. “They made it much more stringent and rigorous. There’s a lot of transparency there.” The law to terminate the EAC makes no provision whatsoever to transfer testing and verification of voting machines to another agency. Testing and verification will simply disappear.

’90s Technology In A WannaCry World

All of this should be sounding alarms all across Washington DC and in every state as the worldwide WannaCry ransomware attack showed the vulnerability of virtually every computer system on earth last weekend. The US government has yet to determine the extent to which Russia and other foreign actors interfered with the last election, but it seems foolish to ignore that voting machines relying on 30 year old platforms are wildly susceptible to outside meddling. In fact, most teenagers today have the skills needed to alter the way our voting machines operate.

Couple that with the conservative hysteria about alleged voter fraud that has lead to aggressive campaigns to suppress voting by anyone who is not a right thinking, God fearing, certified white Republican. The result is that lots of people of good conscience may be disenfranchised at the polls soon, if they have not been already. The right to vote is being hemmed in, abridged, limited, and circumscribed in every way possible today as conservatives plot to consolidate their grip on power. Closing polling stations in Democratic precincts and limiting voting hours are all signs of a concerted, coordinated effort to prevent some members of society from exercising their right to vote.

What Can One Person Do?

It is not too early to begin making plans for the next election before it is too late. Volunteering for voter registration drives, becoming a poll watcher, or offering assistance for those who need help getting to the polls are all ways that we as individuals can resist the effort to prevent certain Americans from voting.

But the best way to resist is simply to vote. It is time to get out and go to the polls. No more hiding behind the illusion that one vote won’t make a difference. If the Trump fiasco has done nothing else, it should have convinced every American that voting is not only a privilege but also a duty.

Source: Think Progress | Illustration by Diana Ofosu











Appreciate CleanTechnica’s originality? Consider becoming a CleanTechnica member, supporter, or ambassador — or a patron on Patreon.

Sign up for our free daily newsletter or weekly newsletter to never miss a story.

Have a tip for CleanTechnica, want to advertise, or want to suggest a guest for our CleanTech Talk podcast? Contact us here.

Latest Cleantech Talk Episode

About the Author Steve Hanley Steve writes about the interface between technology and sustainability from his homes in Florida and Connecticut or anywhere else the Singularity may lead him. You can follow him on Twitter but not on any social media platforms run by evil overlords like Facebook.