10-26-2006, 09:32 AM   #26
Yakk
Wehret Den Anfängen!
 
Location: Ontario, Canada
Ah, here are some details on how someone using the most popular Electronic Submission voting machine in the USA can hack it:
Quote:
* The Ohio Compuware report describes how to turn a voter card into a supervisor card, which can then be used to cast multiple votes, delete votes, or shut down the machine, using a PDA with a smartcard attachment.
* In order to use a supervisor card to access the AccuVote, you must first enter a four-digit PIN. In the version of the machine that was in use as late as 2003, the exact same supervisor PIN was hard-coded into every single AccuVote TS shipped nationwide. That PIN was 1111. (I am not making this up.) This is still the default PIN for these machines, although the county can change it on a machine-by-machine basis if they have the workers and the time.
* All of the AccuVotes have the same lock securing the PCMCIA slot that contains the Flash card with all the votes on it. When I say the "same" lock, I mean the exact same key opens all of the machines. But even if you don't have one of the tens of thousands of copies of this key that are floating around, the lock can be picked by an amateur in under 10 seconds. The Princeton video has a nice demo of this. Once you have access to the PCMCIA slot, you can do all kinds of great stuff, like upload vote-stealing software (a simple reboot will cause the machine to load software from whatever you've put in the PCMCIA slot), crash the system, delete all the votes on the machine, etc.
* Some localities have taken to securing the PCMCIA slot with security tape or plastic ties. The idea here is that a cut tie or torn tape will invalidate the results of that machine, because poll workers can't guarantee that it wasn't compromised. There are two things wrong with this scheme:
1. If you want to invalidate all the results stored in machines in a precinct that favors your opponent, just cut the tape or the ties on those machines. If the election supervisor sticks to the rules, then he or she will be forced to throw out all of those votes.
2. According to author, security researcher, and Maryland election judge Avi Rubin, one would almost have to have a CIA background to be able to tell if the security tape applied to the AccuVotes in the Maryland primary had been removed and reapplied.

Now, naively, that only gives you the ability to swing a single machine. And if you recorded 10,000 votes on that machine, someone might notice.

Really, why think small scale? Get a copy of the Princeton virus:

Quote:
Ed Felten's team at Princeton was able to quickly upload a vote-stealing Trojan to the AccuVote via the PCMCIA slot in less time than it would take many people to complete an electronic ballot. Furthermore, they also created a viral version of the Trojan that could infect any card inserted into the PCMCIA slot with vote-stealing software that would then infect any machine into which the tainted card was inserted. The newly infected machines would in turn infect other cards, which would infect other machines, and so on. In this way, the vote stealing "Princeton virus" could travel across an entire precinct or county, given enough time.

Install a Princeton virus, and you can easily turn an entire voting location's machines into voting for whatever candidate you want.

Every smart card that is used gets infected with the Princeton virus, which infects every machine at the location.

If that seems like too much work (I mean, you only get to swing the election by a few thousand votes!), you could try hacking the vote counting machine:

Quote:
Many GEMS servers are connected to a modem bank, so that the accumulators can dial in over the phone lines and upload votes. One team of security consultants hired by the state of Maryland found the GEMS bank by wardialing, discovered that it was running an unpatched version of Windows, cracked the server, and stole the mock election. This great Daily Show segment, in which one of the team members describes the attack, states that they did this in under five minutes.

But why hasn't this happened?

I did explain that this is nearly impossible to detect. Here is a less credible report on some evidence of it actually happening -- not proof, because there is no way to provably detect this kind of intrusion:

Quote:
Evidence from election official declarations and discovery documents obtained in litigation over a recent election using Diebold machines reveals that:

* Illegal and uncertified Lexar Jump Drive software was loaded onto the Diebold GEMS central tabulator, enabling secretive data transfer on small USB "key chain" memory devices. This blocked election transparency and raises questions as to whether hidden vote manipulation may have taken place.
* Other uncertified software of various kinds was loaded onto the system and, according to the event logs examined, was used. This opened the door for hand-editing of both vote totals and the reporting of election results.
* Evidence of actual attempts to manipulate election reporting results exists. The evidence available wouldn't record successful manipulation, only attempted manipulation, due to software failure. The logs show repeated failed attempts to use an HTML editor.
* According to Shelby County elections officials, they opened the central vote totals repository to widespread network connections. The dispersed nature of access to the central tabulator would prevent finding the perpetrators, even if documentation of manipulation could be achieved—a difficult feat, since the type of hacking enabled by the GEMS program tends to erase evidence.
In an on-site inspection of the network connections conducted by Jim March, elections department lead computer operator Dennis Boyce pointed to a location on a network interconnection plug panel where the Diebold-supplied GEMS central tabulator is plugged in. No extra security such as a router or firewall was present at the interconnection. This appears to open up access by anybody in county government to the central tabulator.
* At the same on-site inspection, the Diebold-supplied GEMS backup central tabulator had more uncertified software than could be quickly documented—but observers did spot Symantec's PC Anywhere utility. This program would allow opening the machine to outside remote control—the PC Anywhere program allows a remote computer across a dial-up or networked connection to see the screen of the "zombied" computer and operate its keyboard and mouse. To call this a security breach is an understatement.
* At the primary GEMS central tabulator station, all of Microsoft Office 2000 Professional application suite was loaded and working. According to Windows, MS-Access was a frequently used program, the only component of the overall MS-Office suite that was so identified.

Anyone want to make the state of Ohio have a huge happy face in the election results?
__________________
Last edited by JHVH : 10-29-4004 BC at 09:00 PM. Reason: Time for a rest.