Electronic Voting---How Safe are the 2008 Elections Going to Really Be?

The following article is a good example of what we face in the future of elections as we steadily move towards electronic voting during our elections. Beyond the chances of these machines being compromised by politicians and their circle of friends we also face problems regarding the software of the machines themselves. As many companies continue to insist that it would be impossible to compromise a machine during an election this article goes to show that an Obama v. McCain election could very well be compromised with the use of electronic voting. I will be the first to admit that something like the following is not the easiest of things to do and that we most likely will not face a plague of hacked voting machines but a couple machines in a couple of key counties in a couple of key states could prove to be more than enough as elections are becoming tighter and tighter races. Also I think it is a fair assumption to think that if voter fraud were to become a major problem during a presidential election that this election would be a large target. With a black presidential nominee with possibly a female vice president, if he so chooses, and a republican nominee who currently is slightly lagging in polls and has issues with the public because of his close ties to the current president, many organizations may find that their only hope of winning is to tamper with a voting machine. Now I know that voter fraud has existed for years and that to think that elections are completely and 100% free of any tampering is naive and irresponsible, but with the advent of electronic voting the tactics used become harder to trace, harder to prove, harder to fix, and easier to do. Please read the following article with a lens that will shed insight into the possibilities of our upcoming election. Then ask yourself; What can we do about this?, Is electronic voting really worth the risk of implementation?, is there a better way to improve the voting procedure?

What it Means to Be A Hacker:

My most recent confrontation with what it means to be a hacker started in March of 2006, after I went to vote for the local council of Amsterdam. At the polling station, I had to use a brand-new electronic voting machine that the city was renting from a company called Sdu. In fact, Amsterdam had contracted the entire election as a turnkey service, Sdu was even training the poll-workers. This "voting machine" was in fact a computer with a touch screen running Windows. To make maters worse: inside each computer was a GPRS wireless modem that sent the election results to Sdu, which in turn told the city. I had not been blind to the problems of electronic voting before, but now I was having my face rubbed in it, and it hurt.

Perhaps I should quickly introduce myself. My name is Rop Gonggrijp and I'm a dutch national that lives in Amsterdam, The Netherlands. Some of you will know me as I have been mentioned in this magazine as well as been a regular guest on Off the Hook for almost as long as the show exists. I'm one of the main organizers for these Dutch hacker events. Between 1989 and 1993 I published Hack-Tic, a magazine not unlike 2600 except that it was written in Dutch. During the late Hack- Tic years I co-founded XS4ALL, which still is one of the larger ISPs in The Netherlands.

I guess I became part of the hacker community sometime during the early 1980s while playing with my fathers 300 baud acoustic modem, although arguably I was hacking before when I was soldering FM- transmitters together with a friend at age 12. But after reading Steven Levy's book 'Hackers, heroes of the computer revolution', I knew what I was and that I was to be part of a global community, even if I could only knew a few other hackers around me.

Imagine my relief when I went to Hamburg for the 1988 Chaos Communication Congress to find a few hundred other hackers. After that I was hooked, and by 1989 I was one of the organizers of the first European hacker event: the Galactic Hacker Party. Long and formative years of exploration, mayhem and mischief followed, during which, among many other things, we found and shared many new and interesting ways of making free phone calls.

And when we got our hands on the keys to the nuclear bunkers that underlied some subway stations in Amsterdam, we promptly organized tours there for all our friends and their friends. But even behind the greatest mischief was the motivation to educate, to sharpen the minds of fellow hackers and of the population at large.

XS4ALL, the Internet provider, was much more a political statement than anything else. The Internet back then would never make any money: way too difficult and freaky for the general population. I left XS4ALL in 1997 and started a computer security consultancy, and then after that a company that builds voice encrypting mobile phones, but I kept going to hacker events and co-organizing our own event every four years.

Fast forward to 2006 and the local elections. I was angry because I felt my election had been stolen: there was no way to observe a count, one just had to believe that this wireless-equipped black-box Windows machine was counting honestly. I knew a little bit too much about the risks associated with computer technology to go along with that. I wasn't the only one that was angry: my longtime friend Barry came home from that March 2006 election with the exact same story that I had come home with: trying to reason with poll-workers that clearly felt that only the medically paranoid would distrust such a wonderful shiny box. When we met later that day we vowed to not only get mad, but to do something about it.

Which wasn't going to be all that easy. By the time Amsterdam had gotten electronic voting, it was pretty late in the game: Amsterdam (pop. ~750k) was the last city in The Netherlands (pop. 16.5M) to get electronic voting. Some cities were renting the same system as Amsterdam, but the vast majority was using an older system made by a company called Nedap. While I studied the legal requirements for electronic voting, I became even more convinced that all of these 'machines' (that were all in fact computers) needed to go if we were to have transparent and verifiable elections.

The regulations treated these systems as if they were indeed mere 'machines': they worried about the amounts of humidity and vibration they could withstand and they made sure nobody would get shocked from touching one. Computer security wasn't even mentioned. But the biggest problem wasn't the lack of security, it was the lack of transparency. We got together a small group of like-minded people and started planning a campaign.

There had been previous attempts to raise the question trustworthiness in relation to voting machines, but the ministry of the interior was used to painting the opponents of electronic voting as technophobe luddites. Given that half our group consisted of hi-tech-loving hackers this was an approach that wasn't going to work this time.

During the next year and a half we managed to get the attention of the media. (((Believe it or not, this has always been a hacker specialty.)))

We claimed that the Nedap 'machines' were computers and not 'dedicated hardware' (as the manufacturer claimed) and that they could just as easily be taught to play chess or lie about election results. The person selling these computers in the Netherlands wrote wonderful long rants on his website, and in reaction to our claim he said he did not believe his 'machines' could play chess.

So we caused a true media frenzy when we got hold of a Nedap voting computer and made it play chess. (We also made it lie about election results.) There was a debate in parliament, during which the responsible minister promised to appoint two committees. That next election, an international election observation mission studied the problems with electronic voting in the country which until then had always been the example country for uncontroversial e-Voting. In their report, they advised that this type of voting computers "should be phased out" and the two committees also wrote very harsh reports about how these 'machines' came about and how they should not be used in the future.

A lot more happened: we threatened to take the government to court on several occasions, and we even won a case in which the Nedap approval was nullified. But by then the ministry had already decided to throw in the towel, retracting the legislation that allows electronic voting. The next elections in The Netherlands will be held using pencils and paper. (Which is really quite OK since over here we've only got one race per election, so counting by hand isn't all that hard.)

One of the things that struck me about this campaign is that in order to win, we've needed almost every hacker-skill imaginable. (((The converse to this interesting statement is that there isn't a single political skill which can't be hackerized.)))

Imagine all the stuff you can learn from this magazine, or from going to (or helping organize) a hacker convention. From general skills such as dealing with the media or writing press-releases to social engineering (getting hold of the system), lockpicking (showing the mechanical locks were bogus, the same 1 Euro key was used all over the country), reverse engineering (modifying their 68000 code without access to source) and system administration (website). Having published a hacker magazine and done the ISP, I was no stranger to conflict: at XS4ALL we had had serious issues with the infamous 'church' of Scientology as well as with the German government. Also the international contacts I got from growing up in the hacker community paid off: the hack was very much a Dutch-German project, and we're still working together tightly to also get rid of these same 'machines' in Germany. At certain moments I had the funny feeling that somehow this was the project that I had been in training for all these years.

So I guess what I'm saying is that if you are a hacker, if you're going to hacker conventions, if you like figuring stuff out or if you are building your own projects.... Please realize that, possibly by accident, you may also possess some truly powerful skills that can help bring about political change, and that these skills will become more and more important as technology becomes a bigger part of ever more political debates. So if you don't like the news: go out and make some of your own!

(This Article was taken from the 2600 Magazine and written by Rop Gonggrijp)

More on Security of Electronic Voting Machices in 08

Also taken from the Princeton review of the Diebold voting machines the following information was provided regarding the flaws and security vulnerabilities with the Diebold Machines. I must say that this review was done in 2006 and I am currently looking to see what updates have been made to the machines. For the whole .PDF you can go to the .PDF directly by Clicking Here.

Main Findings The main findings of our study are:
1. Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.
2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.
3. AccuVote-TS machines are susceptible to voting-machine viruses—computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and postelection activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.
4. While some of these problems can be eliminated by improving Diebold’s software, others cannot be remedied without replacing the machines’ hardware. Changes to election procedures would also be required to ensure security.

Injecting Attack Code
To carry out these attacks, the attacker must somehow install his malicious software on one or more voting machines. If he can get physical access to a machine for as little as one minute, he can install the software manually. The attacker can also install a voting machine virus that spreads to other machines, allowing him to commit widespread fraud even if he only has physical access to one machine or memory card.

Boot Process
When the machine is booted, the bootloader copies itself to RAM and initializes the hardware. Then it looks for a memory card in the first PC Card slot, and if one is present, it searches for files on the card with special names. If it finds a file called fboot.nb0, it assumes that this file contains a replacement bootloader, and it copies the contents of this file to the bootloader area of the on-board flash memory, overwriting the current bootloader. If it finds a file called nk.bin, it assumes that this file contains a replacement operating system image in Windows CE Binary Image Data Format [22], and it copies it to the OS area of the on-board flash, overwriting the current OS image. Finally, if it finds a file called EraseFFX.bsq, it erases the entire file system area of the flash. The bootloader does not verify the authenticity of any of these files in any way, nor does it notify the user or ask the user to confirm any of the changes that it makes. As Hursti [14] suggests, these mechanisms can be used to install malicious code.

Stealing Votes
Figure 4: Our demonstration vote-stealing control panel Several of the demonstration attacks that we have implemented involve installing code onto AccuVote-TS machines that changes votes so that, for a given race, a favored candidate receives a specified percentage of the votes cast on each affected machine. Since any attacks that significantly alter the total number of votes cast can be detected by election officials, our demonstration software steals votes at random from other candidates in the same race and giving them to the favored candidate. The software switches enough votes to ensure that the favored candidate receives at least the desired percentage of the votes cast on each compromised voting machine. Election results (i.e., the record of votes cast) are stored in files that can be modified by any program running on the voting machine. For the currently running election, the primary copy of the election results is stored on the memory card at \Storage Card\CurrentElection\election.brs and a backup copy is stored in the machine’s on-board flash memory at \FFX\AccuVote-TS\BallotStation\CurrentElection\election.brs. Our software works by directly modifying both of these files.

I dont know about you but just knowing this little bit scares me and I can tell you that if you look at the .PDF there is even more when it comes to Security Issues and even storage issues. Think about all of this information before you go in to VOTE this year and remember that you can always request to vote on a piece of Paper instead. Make sure your Vote Counts this year, Make Sure your Voice is Heard. Learn what you are using and don't believe everything your told when it comes to these machines. Sure it is HIGHLY unlikely that anything would happen but when it comes to my freedom and my democracy I can guarantee that knowing as much about this as possible is what or Founding Fathers would want us to do.

Electronic Voting: The Future of Elections in 08

Here is just a little information regarding some of the new ways in which somebody can now cast a vote. Is this what we are heading towards or does another look need to be taken in terms of security and User Interface? Find out for yourself. Here are specs on just a few of the new electronic voting machines that will be at your disposal around the country.

Diebold AccuVote TS-X Voter Information Sheet

Name/Model: AccuVote-TSx Vendor: Diebold Election Systems How To Vote On This Machine: After confirming the voter is registered, he or she is handed a “smart card." The voter then inserts the smart card into the slot on the right side of the screen. Card should be face up with the arrow pointing forward. Touch the "Start" button on the bottom, middle part of the screen to access the ballot. Follow the on screen instructions to make selections on ballot. After all selections have been made, a summary screen will appear. This screen should be carefully check to ensure that all choices were recorded correctly. If the choices DO NOT match, the voter can touch either the race in question or "Review Ballot" on the lower-right portion of the screen. If the summary screen matches the voter's intent, the the voter should then touch "Cast Vote." REMEMBER: You have the right to ask for assistance from a poll work during the voting process. If the poll worker is unable to resolve any machine-related problem you might have, do not cast your ballot on the machine. You can demand to vote on another machine or by paper.

Name/Model: ELECTronic 1242

Vendor: Guardian Voting Systems, Inc. (a division of Danaher Controls, Inc.)

How to Vote on This Machine:

1. When voters enter the precinct, poll workers confirm that they are properly registered to vote. The poll worker then uses an operator’s panel on the back of the machine to choose the ballot style appropriate for that voter.
2. The voter enters the curtains (see pictures at left above) and only the races for which they are permitted to vote are activated.
3. The voter then votes by pressing a numbered box beside each choice in each race on the ballot. It is very important that the voter does not push the large, green "Vote" button until done voting; a vote inadvertently cast may not be redone.
4. Flashing lights on the left-hand side of the ballot indicate races for which the voter has not yet voted. If the voter tries to choose more than one choice in a given race (over-voting), the machine will ignore the second choice. If the voter makes a mistake, they can press the numbered box again to deselect their choice; the indicator light will go out. The voter may then select the correct choice.
5. When done voting, the voter presses a large green “Vote” button in the lower-right corner of the voting machine.

REMEMBER: You have the right to ask for assistance from a poll work during the voting process. If the poll worker is unable to resolve any machine-related problem you might have, do not cast your ballot on the machine. You can demand to vote on another machine or by paper.

Name/Model: WINvote

Vendor: Advanced Voting Solutions, Inc. (formerly Shoup Voting Solutions, Inc.).

How To Vote On This Machine:

1. After checking in at the polling place, the voter will approach one of the terminals. An election official will activate the machine. The voter will touch the "Click Here to Start" button on the welcome screen, and the ballot-marking process will begin.
2. The screen will display one race at a time, with available choices listed below the race name. Write-in candidates can be selected by touching the "Write-In" button at the bottom of the choice list. After making a selection, touch the "Next" button on the bottom of the screen.
3. When all selection have been made, the voter will be taken to a summary screen that lists that name of each race and the option that was selected by the voter. If the voter wishes to change any of these races, he/she should simply touch the name of the race and make another selection.
4. When the voter is satisfied with the summary screen, he/she should touch the red "Next" button on the bottom-right part of the screen. The next screen has a large red "VOTE" button. After touching that button, the ballot has been cast.

REMEMBER: You have the right to ask for assistance from a poll work during the voting process. If the poll worker is unable to resolve any machine-related problem you might have, do not cast your ballot on the machine. You can demand to vote on another machine or by paper.

Here is just a brief comment in the Summary of the findings of an independent study just examining the Diebold machines in the summer of 2006. Remember that these were ready to use and approved for use prior to this examination.

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities—a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.

Center for Information Technology Policy and Dept. of Computer Science, Princeton University
†Woodrow Wilson School of Public and International Affairs, Princeton University