Schneier on Security
A blog covering security and security technology.
« Security Cartoon |
| Status Report: Liars and Outliers »
October 5, 2011
Insider Attack Against Diebold Voting Machines
This is both news and not news:
Indeed, the Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. It was carried out by inserting a piece of inexpensive "alien electronics" into the machine.
It's not news because we already know that if you have access to the internals of a voting machine, you can make it do whatever you want.
It is news because it's so easy. The entire hack took two hours, start to finish. The attacker doesn't have to know how the machine works, he just needs physical access. (And we know that voting machines are routinely left unguarded, and have locks that are easily bypassed.)
I find this all so frustrating because there are a gazillion ways to hack electronic voting machines. Specific attacks get the headlines, and the voting machine companies counter with reasons why those attacks are not "valid." And in the noise and counter-noise, no one hears the general truth: these systems are insecure, and should not be used in elections.
Posted on October 5, 2011 at 6:58 AM
• 48 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
What needs to happen is for a major election in the first world to get hacked so blatantly that no one believes the results.
Voting machines are mostly useless, because vote counting is highly parallelizable. You can divide ballot boxes amon as many counting teams as you want. That's how it's done in many countries outside the US.
Yeah, I'm with anon and with nixar. The solution for this is to elect Matt Damon with 100% of the votes from various hilariously compromised districts, so obviously that nobody doubts the paper ballots are the way to go.
If (in the US) you have the legal right to a secret ballot and you live in a state where you have no fall back (being able to vote via paper if you demand it) Why don’t you (you the collective not you Bruce) launch a law suit not against the machine makers but the state (who I assume bought the machines). I’m sure you could find someone to help with the lawyers (the EFF or American Civil Liberties Union). State's tends to be more scared of law suits and have less access to high price lawyers (esp. currently) and a law suit that went to court would attract national press attention.
It hinges on both the legal right and the lack of fall back and I don't know enough of US law (I'm from the other side of the pond) to be sure such a cross over exits but if you do I'm sure you'd have no shortage of expert witnesses (Bruce himself for example).
@other-anon: Are you kidding me? We need to vote in Homer Simpson with 110%! Or wait, no - we vote in Sidekick Bob!
There are companies spending tens of millions of dollars trying to thwart potential attacks from North Korea, while thousands of their employees have physical and administrative access to most of their systems -- all of them aware that all root passwords have been set to "root123."
In my opinion we are pitifully short of having an acceptable election system. If voting machines were secure, even that wouldn't be enough. We need them to be visibly secure to everyone but the most cynical and paranoid in order to inspire confidence in our elections and our system of government. For example, proprietary software in voting machines is unspeakably outrageous and open source code is clearly a no-brainer.
If "security theater" has any proper and useful place at all then it's in our voting system in the form of careful, exaggerated, and open scrutiny over the system itself and those who implement it.
So, how many more flaws, vulnerabilities, weaknesses, back doors, and $25 hacks will be needed before electronic voting machines are declared unconstitutional.
People who are hacking the vote are attacking a much weaker point, the voter registration and absentee ballot systems. We need to lose the fascination with technology weaknesses and focus on process flaws. The amount of shenanigans going on with absentee ballots and bogus registrations is outrageous and is barely covered because it's not sexy. It's just old-fashioned vote stealing.
I see voting machines as being useful for the disabled and as prevention for spoiled ballots. But voting machines should only be ballot markers, not tallys. Ideally the voter goes into the booth, uses the touch screen or whatnot to select/enter the candidates (using audio for blind, etc), then prints a human-readable ballot (which is also computer readable). The voter then takes that ballot and feeds it into another machine, ideally made by a different manufacturer which validates the ballot for the voter. If the voter approves, the ballot is stored, or returned to the voter to be given to the precinct workers. If the voter disapproves, machine invalidates the ballot in an obvious and permanent way and the voter takes the ballot back to the precinct worker as a spoiled ballot to get a new one for another attempt.
When power over other people is denominated in money, bribery will occur.
When power over other people is denominated in votes, voting fraud will occur.
The only solution is to eliminate the power in the first place, and thus the need for bribery or voting fraud.
And yet there are also lots of different *kinds* of voting machines, and it doesn' help when an attack on one is put forth as proof that nothing electronic can ever be as secure as anything physical. Does this attack work on setups where what's in the booth itself is a dumb terminal, and the actual computer is sitting behind the table with the pollworkers, for instance?
The butterfly ballot didn't lead to calls for all physical ballots to be banned; it led to a discussion about a specific flaw to be avoided in the future. It would really, really help if there could be more discussion about specific problems, and the types of voting machines that are susceptible, rather than "A computer was hacked! All computers are bad!"
Also, what AnthonyF says about paying attention to process. Lost in all the excitement about butterfly ballots and hanging chads in 2000 was the fact that hundreds of people in Florida were essentially disenfranchised by polls opening as much as 4 hours late because the pollworkers didn't show up. It doesn't matter what your voting technology is if your system doesn't even allow people to try to vote in the first place.
(Full disclosure: I know people who have worked on electronic voting machines-- no system you've ever heard of, because it's never had a huge embarrassing security problem revealed-- and I was once paid to proofread the manuals for some voting software.)
Voting in Matt Damon / Homer Simpson / Sideshow Bob won't get the problem taken seriously. You'll be branded a terrorist *and* a slacker.
To have even the slightest chance of getting the right kind of attention, 100% of the hacked votes need to be for the candidate "Paper Ballots."
"You can divide ballot boxes among as many counting teams as you want."
...or as many as you can find, if you want volunteers, or as many as you can afford, if you have to pay them.
Here in Oregon, the two big reasons elections are all-absentee are (1) cost savings, and (2) it was getting hard to find enough people to run all the polling places.
Yes, this means that electronic voting machines are essentially banned here. This doesn't stop there being potential security flaws in the voting process.
Assertiveness about the right to a secret ballot is actually one of the pressures toward electronic voting. It's really hard for a blind person to vote in secret with paper ballots.
" hard to find enough people to run all the polling places."
A problem that voting machines makes worse. It's easy to find little-old-lady volunteers to tick your name off a list and give you a ballot card. Now tell them that they are responsible for a big computer machine that they don't understand, will have to fix (reboot) if it goes wrong, and will be blamed if there is a problem and suddenly you have a problem.
We used to have people signing up the dead. Until records could be verified easier.
We had voter boxes left in the back room. (wink wink) Before they where counted, until people noticed those rooms where being accessed on a regular basis by those who where not suppose to be there.
Now we have the computer. Because of its mystic power to the masses, it is considered secure. What insecurities are minor to the masses.
Conspiracy: The elected know that these systems can be 'tinkered', but they want to be able to 'tinker' with them, just like every other voting system that we had. It is only when said system exhibits problems that the masses see, does the system change and only if there is a new system to take its place that can be 'tinkered' with.
"It's easy to find little-old-lady volunteers to tick your name off a list and give you a ballot card."
Except it isn't. Oregon had no polling-place computers, no plans to bring them in, and still had a problem finding pollworkers.
I'm completely with AnthonyF. Yes, voting machine security is terrible, and I think it would be remedied (preferably with a voting system that is manually verifiable by the voter without relying on the machine. The Diebold machines spit out that card that's supposed to allow verificiation, but a hack to the voting machine can report the same hacked total on the cards and the machine), but the entire process is so flawed that fixing that machines probably aren't the weakest point. I'm not going to spend time figuring out which would be the easiest swing state to hack but optimally you would want a state with day-of-poll registration and weak id requirements or someplace with weak absentee registration.
The answer seems obvious to me. The only good reason to use voting machines is to prevent incorrect voting (over-voting, illegible ballots, etc.). Why don't we use machines for only that purpose and not for counting votes. The machine would present a user-friendly on-screen ballot, and then just print a nicely formatted, human-readable ballot (like the optical scan cards you fill out by hand). The voter could then look at it the paper ballot, verify it is correct, and drop it the ballot box the old fashioned way. You get all the benefit from the machine without the problems.
The last time I voted in Ohio the ballot had over 60 decisions, some for offices with up to ten candidates. Not just federal and state offices, but also county offices even including positions such as coroner, and municipal offices down to the level of animal-warden. State and federal district boundaries did not respect municipal boundaries, so my ballot was different from my neighbor's.
With permutations and combinations like that, I think it is quite helpful for accuracy to have computers involved.
The Diebold voting machines have been proved to be critically flawed since 2006. I guess they will stay in place until such a time that lobbyists for some big corporation can convince the right people in Washington that there is credible evidence that terrorists will exploit these flaws to get Obama re-elected. And then suggest an alternative device of their own making that not only is more secure but also contains a number of built-in backdoors to be used at the government's discretion.
If my understanding of the Diebold DRE's is correct, they record voting data and ballot images in memory components. The electronic voting system we've got here is a bit different. The machines used are really old x86 pc's with a card reader, a pen and a touch screen. They are stored at the Ministry of the Interior, set up and tested at voting stations by a contractor company the day before the election.
Since voting is compulsory, all citizens aged 18 are summoned to a voting station located in their vicinity on election day. Upon presentation of invitation letter and identity card, their name is checked against the list of expected voters. Subsequently, you get a card with a magnetic strip which you have to insert into the voting machine. When your vote is confirmed, it's written on the card which you then deposit into a separate, non-connected ballot box. At the end of the day, the boxes are carried away for counting and processing to the Ministry of the Interior.
I'm not saying these can't be hacked, but the system's security IMHO could be seriously increased by having a nameless verification receipt printed when depositing the ballot card into a collection box reading the card again, thus confirming for yourself that indeed the data on it are correct.
AnthonyF: Do you have any good citations on voter registration fraud? When I've read about this in the past most articles seemed to indicate that they actually found very little fraud.
AnthonyF is right about the place in the chain that voting is being attacked, but wrong about the direction. The levels of government that determine who gets to register to vote, who gets ballots sent to them, and who gets allowed to vote at polling places have been widely subverted by people with an interest in minimizing turnout.
(Accusations about bogus voter registrations, btw can act as a useful litmus test for the reality-orientation of complainers. For rather obvious reasons, almost all states require organizations collecting voter-registration documents to turn every filled-out registration form to the election authorities, no matter how invalid they may claim to believe it appears.)
@Dirk - isn't compulsory electronic voting the worst case? The system you describe ensures that who you voted for is immediately logged by the Interior Ministry
At least with paper ballots MI5 have to put some legwork into checking up on people voting for the wrong party.
There was a Diebold voting machine at Defcon19 this year. It was fun. I think the real root of the problem with the Diebold fiasco isn't the easy hackability or the lack of a paper trail and other problems, but the fact it was pushed through for use as a buddy favor by some politicians. This is really a (black) comedy of errors stemming from rampant campaign contributions. Logic and honesty be damned in the process.
@ Nobody Special, I don't think that Dirk said that one's name is on the voting card. My interpretation is that one submits one's identification to the poll clerk who checks you off as having voted then gives you a card for the actual vote. That's what happens in Canada too except that we use paper ballots. That's federally and provincially, municipal voting may be different. In Toronto, we use ballots on which you make a solid line of a broken one for each post for which there is a vote and then the card is run through a counting machine. If there is a problem with the ballot, the machine rejects it and you get to do it over.
@ NobodySpecial, Frances
There is indeed no name on the voting card. And I also meant people 18 and over, not 18 only.
@Dirk: "having a nameless verification receipt printed when depositing the ballot card into a collection box reading the card again, thus confirming for yourself that indeed the data on it are correct."
In general, all such things are troublesome, since they would allow you to prove how you voted to a third party.
"The people who cast the votes decide nothing. The people who count the votes decide everything."
(Loose translation of a speech by Josef Stalin -- not known as a leading exponent of free democracy but as a cynic/realist he's spot-on!)
@dirk But you don't know your id isn't written onto the card stripe, in fact if it isn't you can't prove that your vote was recorded.
In general it's very difficult to design a system where you can detect your vote was recorded without also recording who you voted for.
@Frances - Canadian and UK elections do link your ballot with your id, the ballot number is recorded on the voter list. It's just a lot of work to link them.
@Gopiballava - The best book I've read on voter fraud was by John Fund. Don't remember the title off the top of my head but Amazon will tell you.
Absentee ballot fraud has been rampant in Philadelphia (near where I live) forever. Just punch absentee ballot fraud into Google and stand back as your screen scrolls.
@NobodySpecial - Getting poll workers is painful I've been in charge of my local poll for over 10 years and the single hardest part of the job is getting people to staff the poll. All I need them to do is the check-in stuff, I handle anything complicated, and I'm lucky if I can get people for more than three or four elections. The day starts at 6:30AM and isn't over until 8:30PM. It's a long and brutal day for anyone and tough on youngsters, much less seniors.
During the years 2000-2009, I participated in elections as an election inspector. That is, I was on the team that handled Precinct registration lists, distributed ballots, and gathered ballots into a counting machine.
However, the State I reside in uses a machine-scanned paper ballot. (I used the phrase fill in the oval completely to mark your vote several thousand times while describing how to fill in a ballot.)
I think that is the best method.
(A) it leaves a paper trail
(B) it allows electronic counting, and the machine can return improperly-marked ballots to the voter
However, even that machine requires a special memory card for data, which must be sealed into the counter before the election begins, and returned to the County Clerk in a special sleeve inside the Ballot Container.
@NobodySpecial: the election system I'm familiar with also has a voter-plus-ballot-number in the Poll Book, but the ballot-number is on a perforated tab which should be removed from the ballot before counting. Thus, the ballot can't be connected to the voter (unless there are unique micro-printed marks on the ballot itself), but we can verify that voter X was given ballot N.
@AnthonyF: I can sympathize. For most of my career as an Election Inspector, I was the youngest person on the team by at least 10 years, and often by 20 years.
Some City Clerks make an aggressive effort to recruit and train good Inspectors, and others rely on the same pool of Interested Citizens who have been doing it for fifty years. Usually that pool of Interested Citizens are older women from the community.
@karrde: "machine-scanned paper ballot ... I think that is the best method. "
Being the best doesn't mean it's good. It depends on the details.
Assume that the machine is hackable and assume that such a hack leaves no proof (both assumptions do not seem unreasonable from experience).
The central questions is, what is done with the paper trail?
If it is just stored unless a recount is ordered, it depends on how a recount may be requested: If it requires evidence of tampering, there will *never* be a recount (see assumptions). If it doesn't, a recount will *always* occur, since there will be at least one activist per precinct who requests recounting out of principle.
So, either the paper trail is never used and therefore worthless, or the machines won't save time&money.
The only reasonable way to use these machines is to take their results as quick preliminary indicators, *always* recount the paper trail and use *only* the paper trail to compute the final official result (which may take a few days then, since we would have a reasonably accurate electronic count to set the mood for the parties).
Additionally, if electronic pre-count and paper re-count differ, initiate a re-recount (this is where it may actually save time, since paper counts are usually done at least twice - more often if the counts differ).
"But you don't know your id isn't written onto the card stripe, in fact if it isn't you can't prove that your vote was recorded."
Yes you do. The ballot cards are taken randomly out of a stash next to the election officials. You can even pick one yourself if you ask so. You show your id and the invitation letter, and you get a card. Simple.
If you could have a paper confirmation after depositing it in the ballot box to verify who you voted for, then run the receipt through a paper shredder, there is exactly nothing that can tie your identity to whom you voted for, unless someone would go through an awful lot of trouble to reassemble the shreds and then take fingerprints. Which is actually much easier to achieve with paper ballots.
I think the problem is that most people _assume_ there's some way to detect tampering in these cases, and if we can detect it you can just deal with it when tampering shows up. I think what needs demonstrated isn't that the machines are hackable, but that when they're hacked there's no way to tell that the results are wrong.
One good trial might be a false election. You get a group of election officials, reporters and such to actually use the machines to vote, and set it up so they know what the results will be beforehand (eg. they all vote but they do so in plain view of the others and the vote's tallied on a whiteboard so at the end everyone knows what the totals are, with a rule that there's one candidate nobody is to vote for so he's guaranteed to get zero votes). Then the machines spit out results that *do not* match how everyone voted (wildly so, eg. showing as the winner the candidate who got no votes). Then challenge the group: you know the results are wrong, now *prove* it. No pointing to the whiteboard, in a real election nobody would know how you voted and that whiteboard wouldn't exist. Make them grapple with the results, not the process.
@dirk - sorry, I misunderstood. I thought the card was swiped to register that you turned up to vote then the card was kept to verify your vote.
It sounds more like the equivalent of the tear-off serial number @karrde mentioned
If I lived in the upper 50, I doubt I would bother to register to vote. I have pretty low confidence in the process.
Here in Puerto Rico we vote using paper ballots marking an X in a big box. 3 ballots, city, district and islandwide offices. Each a different color, each goes in a different ballot box.
A pretty hard to counterfeit voter ID card picture here
No card, no regular vote. You cast a special ballot for later adjudication.
Wavelength specific invisible ink on the index finger before voting.
We have about 80% of all eligible residents registered and typically have 70-80% turnout.
We have election results by 7PM on election day. Final results by 11 or so. there is a process taking a week or two for certification but this almost nver changes the results.
Allegations, much less proof of fraud are so rare as to be almost non-existent.
We don't get any better pols but the ones we get are elected honestly in a process than we can have confidence in.
It just ain't that hard to do!
We also have *EXTREMELY* limited absentee voting in Puerto Rico.
If you want to vote, you go to the polls. If you don't want to go to the polls, no vote for you.
Main exceptions are military and students.
As long as they reliably deliver Republican victories, there is nothing wrong with the security of voting machines.
"The last time I voted in Ohio the ballot had over 60 decisions, "
There's your problem.
There is so much voting going on that democracy is all but lost.
60 decisions, with everything from dog-catcher to president. That's not democracy, that's just crazy.
Less than 50% voter turnout (voluntary and tedious), hideously complex voting systems (how else do you keep track), uninformed votes (how many of those 60 votes do you think the average voter has the faintest idea about) all serve to weaken democracy.
"That's not democracy, that's just crazy."
A nitpick, but that actually is democracy at its "finest". It is precisely for this reason that representational forms of government exist in the world. Democracy is all about the will of the people in everything, directly. Not that it's much different from anarchy in its pure form.
Also, regarding the point about blind voters and those with other disabilities: What is the difficulty with making paper ballots accessible? It can't be terribly expensive to mark ballots with Braille characters alongside printed figures, or at least not as much as it would be to purchase and maintain electronic machines properly.
This is an honest question, as I haven't studied accessibility concerns much. Is it the difficulty of marking the ballots, or reading them in order to mark them, or in ensuring that tallying is fair and equal for all?
Do away with same day voter registration and no absentee ballots except for military and out of state college students and lots of your issues go away.
Then you can look at the out of state college students voting in both in their home state and the state they go to school.
Doing some reading of back issues of Crypto-gram, I came across a small piece that Bruce wrote about the difficulty of implementing electronic voting. It's still relevant today, and it's extremely sad that in eleven years we have not progressed at all.
No one's going to hack an election "so blatantly that no one believes the results. (cf. Georgia 2002; Ohio 2004.)
The next new thing: ballots delivered over the internet. You sign in; your computer displays a ballot; you mark the ballot online; your printer prints out your ballot, as marked, but with a barcode that purports to represent your choices. You check the readable part of the ballot, but not, of course, the barcode. You mail the ballot to your state elections agency. Because your mailed-in ballot doesn't meet scanner requirements, the state agency produces a scannable ballot, using the barcode on your mailed-in ballot to determine your choices.
Did the scanned ballot duplicate your choices? Who knows? The barcode could have been hacked, or the machine that read the barcode in order to produce a scannable ballot could have been hacked.
The principle of the voter-verified ballot is nullified by the two-stage employment of an unverifiable barcode.
There's really only one way to assure a voter-verified-ballot voting system: voter marks a ballot--either by hand or using a ballot-marking machine--and verifies that the ballot represents his/her choices; voter-verified ballot is scanned at the precinct; some fraction of the precincts are recounted by hand on election night, and their results compared with the optical-scanner results. If discrepancies exceed a prespecified threshold, all the precincts are audited, with the possibility that the entire election, in that county, will be hand-counted.
"More voting machine problems...."
But atleast they have real paper "ballot papers" to fall back on...
I must admit, I'm at a loss to understand the myriad of technical failure issues to do with voting machines.
Look at it this way, the job they are doing is in effect a simple tallying process with a simple user interface, and some method of conveying the results back to one or more centralised points and in some cases give a receipt. There are any number of "self check out" systems for stores that do this job reliably day after day, so a voting machine should not realy be presenting any insurmountable technical problems within it's functional scope.
That said however it might in this case be down to a human issue to do with re-installation and test after storage. Lets be honest these machines don't exactly get the best of treatment when not in use and those running them on the day in many places are volunteers with little training and to many other worries on the day.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.