Slashdot Mirror


Security Firm Shows How To Hack a US Voting Machine (bleepingcomputer.com)

An anonymous reader writes: "Three days before the US Presidential Election takes place, California-based security firm Cylance showed the world how easy it is to hack one of the many [electronic] voting machine models that will be deployed at voting stations across the US on Election Day." Bleeping Computer reports that "The machine that Cylance researchers chose for their test was the Sequoia AVC Edge Mk1, one of the most popular models... The technique researchers created modifies the Public Counter, but also the Protective Counter, which is a backup mechanism that acts as a redundant verification system to ensure the first vote results are valid." Physical access is needed to hack the machine, but the hack takes a short time to perform.
FBI Director James Comey said in September that America's voting machines would be hard to compromise because they're not connected to the internet, but these researchers simply used a PCMCIA card to reflash the machine's firmware. Comey also made the reassuring point that it's hard to "hack into" America's voting system because "it's so clunky and dispersed. It's Mary and Fred putting a machine under the basketball hoop at the gym."

31 of 209 comments

  1. physical access to machine? by OffTheLip · · Score: 3, Interesting

    How do bad actors accomplish that on a large scale?

    1. Re:physical access to machine? by Zak3056 · · Score: 4, Interesting

      They and a few hundred of their friends could register to vote?

      Guaranteed physical access to at least one machine per person involved in the conspiracy. Flipping a few key precincts is all you need to have a high probability of changing a US presidential election outcome.

      --
      What part of "shall not be infringed" is so hard to understand?
    2. Re:physical access to machine? by Anonymous Coward · · Score: 2, Insightful

      How do bad actors accomplish that on a large scale?

      For example, there are Democratic Party employees in every single town in the US, they are very well funded and organized, and even an 80 year old drunkard can simply insert and remove a pre-configured PCMCIA card, there's no need for "hackers"...

    3. Re: physical access to machine? by Anonymous Coward · · Score: 4, Interesting

      Given the Wikileaks revelations, if I had to guess which part vote rigging could ever come from, I would definitely opt for Clinton. If a person is financed by Goldman Sachs, Qatar and Saudi Arabia, surely ethics isn't really a big deal for her, not to mention that we've just discovered that the same person is allowed to illegally process classified information on a private computer, which used to be a federal crime until a few months ago.
      I would feel safer and more reassured if voting count was performed by Cosa Nostra, at least they have some sort of "honor" to preserve.

    4. Re:physical access to machine? by rmdingler · · Score: 3, Insightful

      For the most part, they'd need to be registered in each precinct. Registering with a fake address is one of the easier forms of voting fraud to detect.

      Yes. There is also little need to rig the precincts because the two-party system itself dominates the electoral landscape.

      Here are your "choices", voters! Aren't you grateful you live in a free Republic?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    5. Re:physical access to machine? by dohzer · · Score: 2

      Kinda like they could by switching good paper with bad paper ballots?

    6. Re:physical access to machine? by ArchieBunker · · Score: 3, Insightful

      Break into the warehouse where the machines sit for 4 years...

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    7. Re:physical access to machine? by Geoffrey.landis · · Score: 3, Insightful

      How do bad actors accomplish that [physical access] on a large scale?

      Voting machines are stored when they are not in use, and in general, the places they are stored are not guarded by armed guards. (And, more to the point, are not guarded by pairs of armed guards.)

      To get physical access to the machines, you just need to get a key to the warehouse that they're kept in. Try the janitor.

      There are a large number of people associated with each voting precinct. You just need to insert one person. And you don't need to alter all the machines-- just a few.

      --
      http://www.geoffreylandis.com
    8. Re:physical access to machine? by TheRaven64 · · Score: 3, Interesting

      You don't need to do it on that large a scale, especially for the Presidential elections. In 2012, which wasn't a particularly close election, flipping 63 electoral college votes would have let the Republicans win. Either Washington State or Colorado and California turning red would have changed the election outcome. Changing California red (by one vote) would have required changing 1,507,164 votes. Los Angeles alone had enough votes for Obama that compromising it and making it around 80% Romney would have been enough to flip California. It would probably be quite suspicious if polling were that wrong, but scattering a few attack devices throughout Democrat-voting areas and reducing the majority there would probably not have been picked up, and if it's only two states where the polling is particularly different from the eventual outcome then people won't be too suspicious.

      2000 was a lot closer. Changing only 5 Electoral College votes would have changed the outcome. If Al Gore had carried his home state, no one would have been particularly surprised and that would have ensured that he won with a fairly large margin. Rigging the voting machines so that 40,115 Republican votes across the state were counted as Democratic wouldn't have raised any eyebrows, but would have inverted the outcome of the national election. The election was hotly contested because Bush won Florida by a mere 537 votes, giving him all of the state's 24 Electoral College votes. A single compromised voting machine could easily have moved 269 votes from Bush to Gore and changed the election outcome. Of course, some will claim that compromised voting machines did flip around that number in the opposite direction...

      --
      I am TheRaven on Soylent News
    9. Re:physical access to machine? by hey! · · Score: 4, Insightful

      Except the US government does not have custody of or access to the machines. The machines are owned, operated, and secured by local governments.

      Thus an effort by the US government to hack the machines would entail clandestine physical access to the machines -- a "black bag job". And to throw the electoral college you need to do a lot of burglaries in a big state, or a lot of burglaries distributed across multiple small states. In 2000 it could have been done by hacking a single precinct (about 2500 voters in FL), but nobody could have known it would be quite that close; so you'd really need to hack a lot of machines to be sure, and if you're doing something like that you want to be very sure. It's a cost/benefit calculation: hack too little you risk getting caught and undermining a legitimate victory; hack too much and your risk of getting caught goes up rapidly as more people and places are involved. Nobody could know in 2000 that the margin would come down to 537 out of eight million registered voters.

      And in 2016 the risk/benefit math is dominated by this fact: if you add up all the safe states for each candidate, Clinton has to win just 18 EVs from the remaining contended states; Trump needs to win 107. If Clinton wins just one of the five largest contested states she wins the electoral college; this amounts to five rounds of single elimination for Trump. On top of this there is a massive disparity in ground game. Trump only started to organize get-out-the-vote (GOTV) infrastructure in the final weeks of the campaign, making it difficult for him to score upsets over polling. Clinton has been preparing her ground game for years.

      So it makes no sense for Clinton (supposing she had friends in the FBI or CIA to help her) to risk undermining the legitimacy of an election she is very, very probably going to win.

      All that said, voting machines DO pose a serious threat to the legitimacy of local elections. Also, voting machine malfunctions could well throw the presidential election one way or the other.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    10. Re: physical access to machine? by budgenator · · Score: 2

      And that is different from the other candidate being sponsored by loans from other foreign countries? How? Should the USA get rid of foreign sponsorships for its national leader, should be the more appropriate question, and work for America!

      We did make that illegal a while ago; now they have to launder the money through charitable foundations and speaker's fees.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    11. Re:physical access to machine? by Archangel Michael · · Score: 2

      Electronic voting doesn't solve any "fraud", it just opens up new avenues. And since there is no way to validate the vote afterwards, it is an easy point to attack.

      And this is why you see "calibration" error videos where picking one candidate actually selects the other. It isn't "fraud" without intent, and you can't prove intent with a machine. And since it is a machine, any fraud actually happened elsewhere.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Bullshit defense by geekmux · · Score: 2

    "Comey also made the reassuring point that it's hard to "hack into" America's voting system because "it's so clunky and dispersed..."

    Did the FBI just use "clunky and dispersed" as an excuse to dismiss the lack of security surrounding the very core of our democratic process?

    What kind of ignorant fuckery is this shit?

    How about we properly mitigate security risks with a common sense approach that's a bit better than relying on Mary and Fred under the basketball hoop.

    Did he recently meet someone out on a tarmac or something? Just curious...

    1. Re:Bullshit defense by dywolf · · Score: 4, Interesting

      it's not ignorant just because you don't understand the point being made.

      they're making the point that because we don't have a uniform centralized system controlled from the top down anyone who actually wants to attack the electoral process would have to expend a tremendous amount of resources to have any effect.

      my county uses paper ballots, that go into a scantron type scanner permanently attached to a large pelican case. the scanner is non-networked. the next county over still uses punch cards (hopefully of a better quality than Florida's). in both cases the final tally is only accessible by authorized personnel who must physically transcribe the number, with multiple person verification, onto a form that's reported to the sec state.

      the clunky and dispersed nature of the system IS a form of security, rather than a lack of it.
      an attacker might be able to exploit a flaw in the machines or even the people used by one county, but that's it. the attack can't proceed any further than that one county. to scale up requires an equal level scaling up in the size of the conspiracy and it simply becomes unworkable and unreasonable to actually pull off.

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    2. Re:Bullshit defense by jez9999 · · Score: 3, Insightful

      Comey is the guy who's come out and said Hillary Clinton is basically innocent of any criminal wrongdoing. You'll forgive me if I don't have too much faith in his opinion.

  3. Best solution I ever heard by MikeRT · · Score: 2

    Apparently a company in Maryland actually builds these...

    1. Paper scantron ballot with a serial number.
    2. You press down hard and get a carbon copy of your ballot to take home.
    3. When the machine scans the ballot, it scans the serial number and the choice.

    If we mandated a system like that, validation would be simple. We'd dump the results into a database on Nov 9th and let people compare their serial # to the data that shows up. Instant voter fraud protection because if your vote mysteriously goes from Clinton to Trump or vice versa, you go to law enforcement and show the carbon copy. At that point, it's all but "guilty until proven innocent" on the data entry side.

    1. Re:Best solution I ever heard by Joe_Dragon · · Score: 3, Insightful

      and your boss can force you to vote their way with that as well.

    2. Re:Best solution I ever heard by CajunArson · · Score: 3, Insightful

      Scantron is fine since it combines a simple, reliable, non-networked and relatively hard to hack scanner at each polling location with easy to read paper ballots as a backup in case of mischief. That combines the basically instantaneous and accurate results of a machine with the

      The receipt of who you voted for is a disastrously bad idea though. First of all, there's no way that receipt could ever be used in a recount for obvious chain-of-custody reasons so it doesn't reduce fraud at all. Second of all, it makes it so that a black voter in Philly better show that he voted for Hillary or else -- or that a white voter in rural Alabama better show he voted for Trump or else. Nobody (ok, nobody with any integrity) wants that.

      --
      AntiFA: An abbreviation for Anti First Amendment.
    3. Re:Best solution I ever heard by Anonymous Coward · · Score: 4, Insightful

      *Sigh* - the voting system shouldn't have a receipt you can use to prove who you voted for. This leads to (a) vote selling and (b) coercion. This is a simple basic requirement of the voting system. Please don't make recommendations until you learn the basics.

  4. Worst solution I ever heard by Zak3056 · · Score: 2

    "Vote for $CANDIDATE or your daughter has an accident. Bring me your ballot receipt on Tuesday night and we can forget this conversation ever happened."

    We have secret ballots for a reason.

    --
    What part of "shall not be infringed" is so hard to understand?
  5. Future statement by FBI Director James Comey... by Anonymous Coward · · Score: 2, Funny

    ... some months from now, regarding the alleged vote-rigging through hacked voting machines during the 2016 presidential elections:

    "Although we did not find clear evidence that Hillary Clinton or her colleagues intended to violate laws governing federal elections, there is evidence that they were extremely careless in the handling of voting machines...".

    Following the above statement, and after riots and protests in the streets, the FBI reopens the investigation, analyzing 650K contested votes in Florida which proved to be decisive for the outcome of the elections. After one week only, the FBI Director releases a new statement confirming that:

    "Based on our review, we have not changed our conclusions that we expressed previously, the reasons not to prosecute stand".

    And they lived happily and rigged ever after.

  6. What is not mentioned in the article. . . . by Anonymous Coward · · Score: 2, Informative

    Is wireless access to the machines. A machine does not have to be connected to the internet to be hacked remotely. How many of these machines have wireless cards? Then, all a hacker (or insider) needs to do is pull up to the voting location with a laptop that has a wireless connection and all the right passwords and . . . . code adjusted! There are reports of this happening in Virginia when Mitt Romney went up against Ron Paul in 2012. It was a very close election at one precinct that was going up and down between the two candidates up to a certain point. Then all of a sudden near noontime, it quit going up and down but flat-lined to a 60/40 Romney/Paul split for the rest of the day. How likely is that?

    Whoever your candidate is, do you really want that kind of voting situation - where you can never be sure who really won? This is what the Bush push for "accurate electronic voting machines," was all about. They no longer wanted it to be possible for a non-insider to be able to win a major or critical election. I suspect if Gore had won, he would have pushed for the same thing. Most Republican and Democrat candidates at the top are usually on the same team, anyway.

  7. Paper... by JasterBobaMereel · · Score: 5, Insightful

    The paper and pencil voting system with manual counting is even more unhackable, and easily verifiable whilst still being anonymous and immune to vote selling and coercion ...and is used all over the world with no real issues ....

    --
    Puteulanus fenestra mortis
    1. Re:Paper... by kilfarsnar · · Score: 2

      The paper and pencil voting system with manual counting is even more unhackable, and easily verifiable whilst still being anonymous and immune to vote selling and coercion ...and is used all over the world with no real issues ....

      Yes, this is correct. As Stephen Spoonamore says, "Paper ballots, please".

      These touch-screen voting machines cannot be trusted. If for no other reason than their code is proprietary. If they can't be independently audited, they can't be trusted. In some cases machines have been observed to flip votes and count backwards. Why would a voting machine need to be able to subtract or process negative numbers? In short, they shouldn't.

      Paper ballots, please.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    2. Re:Paper... by Durrik · · Score: 2

      Even if their code was open source, you still can't trust them. Especially if the people rigging the machines are the people who own the machines.

      Who is going to be able to verify all the lines of code? Even if you had a million programmers looking at it, something will probably still slip through, after all there are contests every year on making code that looks legit but is actually nefarious.

      Who makes the compiler? Can you trust them? Has the code for the compiler been checked into? There's a legend (real or not) that when AT&T was going to commercialize UNIX that they asked the programmers if there were any obvious security holes. Dennis Ritchie spoke up about a backdoor he made in the C compiler. If it noticed it was creating the login program that it would automatically insert code for his username and password so that he'd always have root access. This was not in the login code, but the compiler itself. So you can't trust the compiler.

      Are you using signed binaries? Well who signs the binaries and calculates the hash (see the point about the compiler).

      What about what downloads the code to the voting machine? Can you trust that?

      And that's just the voting machine itself, what about the thing that collects all the results from the voting machines and gives you the final results? Who's checked all that? Do you trust the people doing that? Do all the interested parties trust that?

      There are so many points of failure and compromise with this that it's scary. Especially when they want to go paperless, with no paper backup, and trusting it all to the machines. Some electronic voting machines are still this way.

      The only voting machines that I see being anywhere close to secure are the ones with the cardstock ballot that the voter fills in a line with a black marker to indicate who they are voting for. That can be machine counted for quick results. But to certify the election each ballot should be counted by a human official, with the concerned parties watching. That way if the vote can be called into question the ballots can be looked at.

      Machine counted for initial (fast) results, Human counted with observers for certified results. In the case of US elections that would be at least 3 people counting each ballot: one independent election official, one republican and one democrat.

      --
      Software Engineer & Writer of Military Science Fiction and Fantasy Blog: petermwright.com Twitter: WrightPeterM
    3. Re:Paper... by Trailer Trash · · Score: 2

      The paper and pencil voting system with manual counting is even more unhackable, and easily verifiable whilst still being anonymous and immune to vote selling and coercion ...and is used all over the world with no real issues ....

      Agreed. And in most of the rest of the world they require 1) a photo ID and 2) dye a finger. Put all that together and elections are pretty easy to do. It's odd that there's one party that is against common-sense voting laws.

    4. Re:Paper... by sbaker · · Score: 2

      The "dye a finger" thing has some concerns. In some elections, you really want a certain class of person to just not vote. The dyed finger is proof that you voted - and it's hard to wash off (intentionally, obviously). So the bad guy can threaten to beat the crap out of people who voted and still gain an edge. This isn't a theoretical problem.

      Of course, you can achieve a similar effect by simply hanging out outside the voting location and noting which people went inside.

      But the easier you make it, the more chance of abuse.

      --
      www.sjbaker.org
  8. Re:Trump ask Putin for help securing the vote by gsslay · · Score: 2

    If surveillance is peace, then Trump could build new relations with Russia by giving them access to all the domestic surveillance data to show we have nothing to hide.

    I just choked on my sandwich. Is this a comedy routine you're putting together? Because that's hilarious. You should suggest that to Trump immediately, it is stupid enough for his next speech.

  9. Coins for Hillary by Geoffrey.landis · · Score: 5, Informative

    This woman won 6 of 6 coin tosses to beat Bernie in Iowa.

    That is incorrect information that was pushed by the media in the initial frenzy of reporting, but completely debunked. Here's the Iowa Register story, which I would consider the most accurate source for information in Iowa: http://www.desmoinesregister.c...

    According to the Register, the report of Hillary winning six coin flips came from social media. Of the seven coin flips to break ties that were actually officially reported through the voting app, Sanders won six, and Clinton one. http://www.cnn.com/2016/02/02/...

    Here's a more interesting question: since Clinton did not in fact win a majority of coin tosses, what are the statistical chances that coin flips that happened to get reported in on social media would suggest that she did?

    Another link: http://www.theatlantic.com/pol...

    --
    http://www.geoffreylandis.com
  10. Secret ballot is important by Geoffrey.landis · · Score: 5, Insightful

    An abusive spouse is just one of thousands of scenarios of voting coercion.

    The U.S. adopted secret ballots for a reason: to make it harder to implement vote buying and coercion. Maybe you're thinking that in modern times when everybody is trustworthy and nobody has bad motives, we don't need this safeguard.
    But nevertheless, there is a reason for the secret ballot, and we shouldn't undermine it.

    --
    http://www.geoffreylandis.com
  11. Re:Thank you for correcting the record. by Geoffrey.landis · · Score: 2

    Thank you for correcting the record.

    You're welcome.

    Did you read the leaks where the rest of the Clinton staff scorns CTR?

    I don't particularly care about the campaign's click-through rate (CTR).

    --
    http://www.geoffreylandis.com