Security Firm Shows How To Hack a US Voting Machine

An anonymous reader writes: "Three days before the US Presidential Election takes place, California-based security firm Cylance showed the world how easy it is to hack one of the many [electronic] voting machine models that will be deployed at voting stations across the US on Election Day." Bleeping Computer reports that "The machine that Cylance researchers chose for their test was the Sequoia AVC Edge Mk1, one of the most popular models... The technique researchers created modifies the Public Counter, but also the Protective Counter, which is a backup mechanism that acts as a redundant verification system to ensure the first vote results are valid." Physical access is needed to hack the machine, but the hack takes a short time to perform.
FBI Director James Comey said in September that America's voting machines would be hard to compromise because they're not connect to the internet, but these researchers simply used a PCMCIA card to reflash the machine's firmware. Comey also made the reassuring point that it's hard to "hack into" America's voting system because "it's so clunky and dispersed. It's Mary and Fred putting a machine under the basketball hoop at the gym."

Re:physical access to machine?

[Zak3056]

They and a few hundred of their friends could register to vote?

Guaranteed physical access to at least one machine per person involved in the conspiracy. Flipping a few key precincts is all you need to have a high probability of changing a US presidential election outcome.

Re:Bullshit defense

[dywolf]

its not ignorant just because you don't understand the point being made.

theyre making the point that because we don't have a uniform centralized system controlled from the top down anyone who actually wants to attack the electoral process would have to expend a tremendous amount of resources to have any affect.

my county uses paper ballots, that go into a scantron type scanner permanently attached to a large pelican case. the scanner is non-networked. the next county over still uses punch cards (hopefully of a better quality than Florida's). in both cases the final tally is only accessibly by authorized personnel who must physically transcribe the number, with multiple person verification, onto a form that's reported to the sec state.

the clunky and dispersed nature of the system IS a form of security, rather than a lack of it.
an attacker might be able to exploit a flaw in the machines or even the people used by one county, but that's it. the attack can't proceed any further than that one county. to scale up requires an equal level scaling up in the size of the conspiracy and it simply becomes unworkable and unreasonable to actually pull off.

Re: physical access to machine?

Given the Wikileaks' revelations, if I had to guess which part vote rigging could ever come from, I would definitely opt for Clinton. If a person is financed by Goldman Sachs, Qatar and Saudi Arabia, surely ethics isn't really a big deal for her, not to mention that we've just discovered that the same person is allowed to illegally process classified information on a private computer, which used to be a federal crime until few months ago.
I would feel safer and more reassured if voting count was performed by Cosa Nostra, at least they have some sort of "honor" to preserve.

Re:Best solution I ever heard

*Sigh* - the voting system shouldn't have a receipt you can use to prove who you voted for. This leads to (a) vote selling and (b) coercion. This is a simple basic requirement of the voting system. Please don't make recommendations until you learn the basics.

Paper...

[JasterBobaMereel]

The paper and pencil voting system with manual counting is even more unhackable, and easily verifiable whilst still being anonymous and immune to vote selling ad coercion ...and is used all over the world with no real issues ....

Coins for Hillary

[Geoffrey.landis]

This woman won 6 of 6 coin tosses to beat Bernie in Iowa.

That is incorrect information that was pushed by the media in initial frenzy of reporting, but completely debunked. Here's the Iowa Register story, which I would the most accurate source for information in Iowa: http://www.desmoinesregister.c...

According to the Register, the report of Hillary winning six coin flips came from social media. Of the seven coin flips to break ties that were actually officially reported through the voting app, Sanders won six, and Clinton one. http://www.cnn.com/2016/02/02/...

Here's a more interesting question: since Clinton did not in fact win a majority of coin tosses, what are the statistical chances that coin flips that happened to get reported in on social media would suggest that she did?

Another link: http://www.theatlantic.com/pol...

Secret ballot is important

[Geoffrey.landis]

An abusive spouse is just one of thousands of scenarios of voting coercion.

The U.S. adopted secret ballots for a reason: to make it harder to implement vote buying and coercion. Maybe you're thinking that in modern times when everybody is trustworthy and nobody had bad motives, we don't need this safeguard.
But nevertheless, there is a reason for the secret ballot, and we shouldn't undermine it.

Re:physical access to machine?

[hey!]

Except the US government does not have custody of or access to the machines. The machines are owned, operated, and secured by local governments.

Thus an effort to by the US government to hack the machines would entail clandestine physical access to the machines -- a "black bag job". And to throw the electoral college you need to do a lot of burglaries in a big state, or a lot of burglaries distributed across multiple small states. In 2000 it could have been done by hacking a single precinct (about 2500 voters in FL), but nobody could have known it would be quite that close; so you'd really need to hack a lot of machines to be sure, and if you're doing something like that you want to be very sure. It's a cost/benefit calculation: hack too little you risk getting caught and undermining a legitimate victory; hack too much and your risk of getting caught goes up rapidly as more people and places are involved. Nobody could know in 2000 that the margin would come down to 537 out of eight million registered voters.

And in 2016 the risk/benefit math is dominated by this fact: if you add up all the safe states for each candidate, Clinton has to win just 18 EVs from the remaining contended states; Trump needs to win 107. If Clinton wins just one of the five largest contested states she wins the electoral college; this amounts to five rounds of single elimination for Trump. On top of this there is a massive disparity in ground game. Trump only started to organize get-out-the-vote (GOTV) infrastructure in the final weeks of the campaign, making it difficult for him to score upsets over polling. Clinton has been preparing her ground game for years.

So it makes no sense for Clinton (supposing she had friends in the FBI or CIA to help her) to risk undermining the legitimacy of an election she is very, very probably going to win.

All that said, voting machines DO pose a serious threat to the legitimacy of local elections. Also, voting machine malfunctions could well throw the presidential election one way or the other.