Security Firm Shows How To Hack a US Voting Machine

An anonymous reader writes: "Three days before the US Presidential Election takes place, California-based security firm Cylance showed the world how easy it is to hack one of the many [electronic] voting machine models that will be deployed at voting stations across the US on Election Day." Bleeping Computer reports that "The machine that Cylance researchers chose for their test was the Sequoia AVC Edge Mk1, one of the most popular models... The technique researchers created modifies the Public Counter, but also the Protective Counter, which is a backup mechanism that acts as a redundant verification system to ensure the first vote results are valid." Physical access is needed to hack the machine, but the hack takes a short time to perform.
FBI Director James Comey said in September that America's voting machines would be hard to compromise because they're not connect to the internet, but these researchers simply used a PCMCIA card to reflash the machine's firmware. Comey also made the reassuring point that it's hard to "hack into" America's voting system because "it's so clunky and dispersed. It's Mary and Fred putting a machine under the basketball hoop at the gym."

physical access to machine?

[OffTheLip]

How do bad actors accomplish that on a large scale?

Re:physical access to machine?

[Zak3056]

They and a few hundred of their friends could register to vote?

Guaranteed physical access to at least one machine per person involved in the conspiracy. Flipping a few key precincts is all you need to have a high probability of changing a US presidential election outcome.

Re: physical access to machine?

Given the Wikileaks' revelations, if I had to guess which part vote rigging could ever come from, I would definitely opt for Clinton. If a person is financed by Goldman Sachs, Qatar and Saudi Arabia, surely ethics isn't really a big deal for her, not to mention that we've just discovered that the same person is allowed to illegally process classified information on a private computer, which used to be a federal crime until few months ago.
I would feel safer and more reassured if voting count was performed by Cosa Nostra, at least they have some sort of "honor" to preserve.

Re:physical access to machine?

[TheRaven64]

You don't need to do it on that large a scale, especially for the Presidential elections. In 2012, which wasn't a particularly close election, flipping 63 electoral college votes would have let the Republicans win. Either Washington State or Colorado and California turning red would have changed the election outcome. Changing California red (by one vote) would have required changing 1,507,164 votes. Los Angeles alone had enough votes for Obama that compromising it and making it around 80% Romney would have been enough to flip California. It would probably be quite suspicious if polling were that wrong, but scattering a few attack devices throughout Democrat-voting areas and reducing the majority there would probably not have been picked up, and if it's only two states where the polling is particularly different from the eventual outcome then people won't be too suspicious.

2000 was a lot closer. Changing only 5 Electoral College votes would have changed the outcome. If Al Gore had carried his home state, no one would have been particularly surprised and that would have ensured that he won with a fairly large margin. Rigging the voting machines so that 40,115 Republican votes across the state were counted as Democratic wouldn't have raised any eyebrows, but would have inverted the outcome of the national election. The election was hotly contested because Bush won Florida by a mere 537 votes, giving him all of the state's 24 Electoral College votes. A single compromised voting machine could easily have moved 269 votes from Bush to Gore and changed the election outcome. Of course, some will claim that compromised voting machines did flip around that number in the opposite direction...

Re:Bullshit defense

[dywolf]

its not ignorant just because you don't understand the point being made.

theyre making the point that because we don't have a uniform centralized system controlled from the top down anyone who actually wants to attack the electoral process would have to expend a tremendous amount of resources to have any affect.

my county uses paper ballots, that go into a scantron type scanner permanently attached to a large pelican case. the scanner is non-networked. the next county over still uses punch cards (hopefully of a better quality than Florida's). in both cases the final tally is only accessibly by authorized personnel who must physically transcribe the number, with multiple person verification, onto a form that's reported to the sec state.

the clunky and dispersed nature of the system IS a form of security, rather than a lack of it.
an attacker might be able to exploit a flaw in the machines or even the people used by one county, but that's it. the attack can't proceed any further than that one county. to scale up requires an equal level scaling up in the size of the conspiracy and it simply becomes unworkable and unreasonable to actually pull off.