Voting Machine Security

Last week, DefCon hosted a "Voter Hacker Village" event. Every single voting machine there was easily hackable.

Here are detailed details. There should be a summary report soon; I'll add it to this post when it's published.

Posted on August 2, 2017 at 12:59 PM • 38 Comments

Comments

e1229 • August 2, 2017 1:24 PM

I'd love to see more equipment tested. Although we know that it doesn't end on the voting machines, because even summing up the totals is relevant (and subject to a whole bunch of attacks and frauds), it's interesting that worldwide some voting machines are secured by keeping them private and not available to tests and hacks.

brian o'blivion • August 2, 2017 1:26 PM

I've been unable to find out if these included ballot machines with hardcopy monitor rolls or register tapes. Some photos suggest there were. I'd like to see if they were able to tamper with them.

Also, while this is very valid for machines in storage and setup, a Voter who stood at the machine for more than 5 minutes is going to attract poll worker attention. I'd like to see attempts to manipulate the machines in a more operational context.

FredP • August 2, 2017 1:49 PM

@e1229 - "some voting machines are secured by keeping them private" - this sounds like security through obscurity. In the long term, given determined attackers, you need more than that layer of security. In fact, as a major purpose of a free and fair election is to prove to the loser(s) that they lost fairly, it likely would be counterproductive.

Rhys • August 2, 2017 2:08 PM

Every citizen should volunteer to serve their local Recorders (elected official) and State Elections during voting cycle. At least one of each.

If not just as a civic duty but, to learn something we, the people, should not take advantage of.

That said, fixing these issues without understanding the disconnects leads to more paralysis by analysis.

The political parties have designated monitors who are material to the existing process. Means and methods. (And they don't really care much for Carter Foundation, or other third parties, participation.)

Aside from the technophobes, most elected officials who have won a funding office provide for the electoral processing system on a less than subsistence basis.

Those who serve as election officials don't have staff, or background, in Intelligence collection/influence or OpSec/TechSec business. Rules and processes are mostly late 19th century artifacts. Mostly attracts rust-out/burned-out or career ladder climbers.

Take-away: it's more than technical bandaids. It's culture. It's outdated processes. It's structural underfunding. It's monitoring with professional vulnerability assessment & mitigation.

(IMHO- monitoring should never be assigned to anyone with a vested interest, such as political party. Policy disinterested, professional, 3rd parties only. Technical and Operations security.)

GLB • August 2, 2017 3:16 PM

One idea for a fairly hack-proof voting system might be a pager-like device distributed to every voter which, *shortly* before the day of the election, would receive an encryption key that would be beamed to it from the planetary satellites.

e1229 • August 2, 2017 3:21 PM

@FredP : exactly. And the voting machines are just part of the problem. If votes from one machine are transmitted to some central system, any security in those machines is almost irrelevant, except if the central system can also be audited.

It won't help if you just can audit that the machine ABC123 stored and transmitted the same votes that were printed and stored in a secure bag. If your central system doesn't show where all votes came from, you just mess with the total votes and we are done (and doomed).

John Macdonald • August 2, 2017 4:26 PM

@Rhys - having parties with a vested interest doing the monitoring ensures that there are people available for the monitoring. It is in the interest of each party to have their own monitors, with a vested interest of ensuring that no-one is cheating against their party. With each party providing such a monitor, there is complete coverage. This works even better in most countries, where there are more than two parties. There, anyone who wants to game the system on behalf of one party has to avoid the attention of a monitor for *any* of the other parties (or even his own party if the monitor is not involved in the gaming).

someone • August 2, 2017 7:24 PM

@John: the problem with monitoring is that it is largely ineffectual. My apologies that I don't have citations to hand, but it's just a google away to find complaints where the photos clearly show that the "tamper evident" bags show clear evidence of tampering. Despite this (and other) evidence I'm not aware of any complaint that resulted in a finding of fraud. Maybe such complaints aren't as newsworthy as the "OMG look at them ignoring clear evidence of fraud".

My point here is that just having monitors is useless when there is no effective mechanism for taking action.

Secondarily, in our two party system both parties may collude to prevent an independent politician from winning. Looked at dispassionately, there is little to differentiate between the two major parties and plenty of incentive to prevent any challenge to the forced dichotomy (as that has become central to those groups maintaining power/sway over voters).

Winter • August 3, 2017 3:44 AM

What do voting machines add that is worth the trouble?

I am glad my country simply decided to scrap voting machines and go back to paper and pencil voting. Why bother trying to win an arms race in computer security when you already have an almost foolproof system that can be easily secured by volunteers?

Drone • August 3, 2017 4:20 AM

Why on earth would you care about voting machine integrity when you don't even verify who the voter is in the first place? Voter ID is just as important as the ballot process itself!

Winter • August 3, 2017 4:35 AM

@Drone
"Why on earth would you care about voting machine integrity when you don't even verify who the voter is in the first place? Voter ID is just as important as the ballot process itself!"

Contrary to popular myths, voter identity verification is the most secure part of the whole voting process. For instance, a decade of in depth investigations in the USA have only brought a handful of voter impersonation cases to light.

An exhaustive list of these investigations can be found here:
https://en.wikipedia.org/wiki/Voter_impersonation_(United_States)

Winter • August 3, 2017 5:44 AM

@Larry
"That's IF a state uses voter ID. NY for example doesn't."

But NY still has no voter impersonation fraud.

http://www.lohud.com/story/news/politics/politics-on-the-hudson/2017/02/22/number-ny-voter-fraud-cases-0/98264448/

Every research and investigation performed in the USA, Canada, or EU has shown time and again that voter impersonation fraud is never a problem. Voter verification is the most secure part of the voting process. The only voter fraud that might matter is absentee ballots and vote-by-mail.

But if you do have solid evidence of such fraud, please share it with us.

mark hutchinson • August 3, 2017 6:02 AM

We're watching vote machine tampering unfold in Venezuela on the daily news.

Clive Robinson • August 3, 2017 6:40 AM

@ Winter,

"The only voter fraud that might matter is absentee ballots and vote-by-mail."

Have a google for "Lutfur Rahman" and "Tower Hamlets" where well over half the voter fraud in the UK has been reported in the last half decade.

Winter • August 3, 2017 6:54 AM

@Clive
"Have a google for "Lutfur Rahman" and "Tower Hamlets""

But was that voter impersonation fraud? The reports I see talk about bribing and intimidating voters before and during the elections.

Clive Robinson • August 3, 2017 9:03 AM

@ Winter,

"The reports I see talk about bribing and intimidating voters before and during the elections."

That was part of it as was supposedly "migrant workers" who were in some cases living 18-20 strong in one and two bedroom flats. Then there were family members that were known to be living elsewhere who were "postal voters" but their forms appeared to have been filled in by one of a handful of people. Then there were "helpers" who came around and filled the postal votes in for some old / disabled / non-English speakers.

What got into court and got the man convicted was but a fraction of what went on and got reported by the mainstream media. If you can hunt out some of the "Private Eye" magazine articles you might find your eyebrows lifted so far they will feel like a fur collar at the back of your neck.

parabarbarian • August 3, 2017 10:04 AM

@Drone

"Why on earth would you care about voting machine integrity when you don't even verify who the voter is in the first place? Voter ID is just as important as the ballot process itself!"

I am pretty sure the powers that be here in the US do not want *that* much integrity. Only effete socialist nations -- like Canada and most of Europe -- insist on identifying voters.

Seriously: A system made up of people only works as long as the overwhelming majority of those in it believe it is working for them. I am amazed that readers here would object to such a simple means to better improve the perception of integrity in elections.

Winter • August 3, 2017 1:06 PM

"I am amazed that readers here would object to such a simple means to better improve the perception of integrity in elections."

If you mean the US shenanigans with voter IDs, these are mainly used as a tax on voting. IDs accepted are those most Democratic voters do not have in their possession and cost money, or are not available on short order. There is ample evidence that the introduction of voter ID laws has led to a considerable reduction in voter numbers of minorities.

That is contrary to the non-existence of any evidence of voter impersonation fraud.

Winter • August 3, 2017 1:09 PM

@Clive
"If you can hunt out some of the "Private Eye" magazine articles you might find your eye brows lifted so far they will feel like a fur collar at the back of your neck."

But was it anything that could have been prevented with better voter IDs?

HJohn • August 3, 2017 2:56 PM

@If votes from one machine are transmitted to some central system, any security in those machines is almost irrelevant, except if the central system can also be audited
__________

I probably would recommend where the breakdown of votes by precinct are published at both the precinct and state level. It is unlikely that material differences would go unnoticed.

The thing about any kind of fraud is we never really know for certain how much occurs that is undetected, since by definition it is unknown. The ACFE estimates approximately 5% of business is lost to one kind of fraud or another. That is a monetary estimate, but I suspect that we'd find it is much lower for any kind of voter fraud that may occur... voter fraud would obviously be different from financial fraud in that some percentage of fraud one way will be canceled out by fraud another. That wouldn't mean it isn't fraud, it just means that if 200 of Bert's votes are fraudulent and 150 of Ernie's are fraudulent, the difference made in the bottom line by the 350 would be 50. I don't believe either side of the spectrum is so bad that this is a major problem, or so good that only the other side would do it. It's probably more equal than some would care to admit.

Insofar as voter ID, I lean towards it, though understanding the concerns on the other side. One suggestion I would have to any state requiring it is that voters do not have to pay for IDs if they can prove their identity (and to those who say the voter cannot prove their identity, my question would be "how did they register in the first place then?"). That would take the "poll tax" concern off the table, plus I wouldn't mind seeing more of the struggling constituencies in our society have the benefit of a complimentary ID.

Best,
HJohn
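
The cross-check suggested in the comment above, which also covers e1229's earlier point about central totals that cannot be traced to their source, as an added example that is not part of the original comments. The precinct IDs, counts and function name are constructed for illustration; the candidate names are borrowed from the comment.

```python
"""Reconcile precinct-posted results against a central tally (constructed data)."""
from collections import Counter


def reconcile(precinct_posted, central_breakdown, central_totals):
    """Return a list of (kind, where, detail) findings; an empty list means consistent.

    precinct_posted   : {precinct: {candidate: votes}} as posted at each precinct
    central_breakdown : {precinct: {candidate: votes}} as published centrally
    central_totals    : {candidate: votes} grand totals announced centrally
    """
    findings = []

    # 1. Every precinct must appear on both sides.
    for pid in sorted(set(precinct_posted) - set(central_breakdown)):
        findings.append(("missing_at_central", pid, precinct_posted[pid]))
    for pid in sorted(set(central_breakdown) - set(precinct_posted)):
        findings.append(("unknown_precinct", pid, central_breakdown[pid]))

    # 2. Where both sides report a precinct, each candidate's count must match.
    for pid in sorted(set(precinct_posted) & set(central_breakdown)):
        local, central = precinct_posted[pid], central_breakdown[pid]
        for cand in sorted(set(local) | set(central)):
            if local.get(cand, 0) != central.get(cand, 0):
                findings.append(
                    ("count_mismatch", pid, (cand, local.get(cand, 0), central.get(cand, 0)))
                )

    # 3. The announced totals must equal the sum of the published breakdown,
    #    otherwise some of the total cannot be traced to any precinct.
    summed = Counter()
    for counts in central_breakdown.values():
        summed.update(counts)
    for cand in sorted(set(summed) | set(central_totals)):
        if summed[cand] != central_totals.get(cand, 0):
            findings.append(
                ("unattributed_total", "STATE", (cand, summed[cand], central_totals.get(cand, 0)))
            )
    return findings


# Constructed sample data: what each precinct posted on its own door.
POSTED = {
    "P-01": {"Bert": 200, "Ernie": 150},
    "P-02": {"Bert": 120, "Ernie": 180},
}


def scenario_consistent():
    return reconcile(POSTED, POSTED, {"Bert": 320, "Ernie": 330})


def scenario_totals_altered():
    # Every precinct record matches, but the announced total was changed.
    return reconcile(POSTED, POSTED, {"Bert": 370, "Ernie": 330})


def scenario_breakdown_altered():
    # The central copy of P-02 was changed and the totals adjusted to agree with it.
    central = {"P-01": {"Bert": 200, "Ernie": 150}, "P-02": {"Bert": 170, "Ernie": 130}}
    return reconcile(POSTED, central, {"Bert": 370, "Ernie": 280})


if __name__ == "__main__":
    for name, fn in [("consistent", scenario_consistent),
                     ("totals altered", scenario_totals_altered),
                     ("breakdown altered", scenario_breakdown_altered)]:
        print(name, "->", fn() or "no findings")
```

The third scenario is only caught because the precinct figures are published independently of the central system; a central tally that is internally consistent passes check 3 on its own.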

Anura • August 3, 2017 3:27 PM

@HJohn

"and to those who say the voter cannot prove their identity, my question would be "how did they register in the first place then?""

The main concern about voter fraud (that voter ID can deal with) isn't that people are voting under completely fake identities (this is something we should be able to figure out relatively easily), it's that they are voting under another person's name.

And with that...

"The thing about any kind of fraud is we never really know for certain how much occurs that is undetected, since by definition it is unknown."

We can get a good idea about how much in-person voter fraud there is by how many people show up to vote only to find someone else has voted in their place. This likely isn't very common, given that we don't hear much about it; much more common is people with multiple addresses registering in multiple states, which can't be solved by voter ID. Most of the anecdence that is presented to support this allegation is just people who moved but didn't update their registration in their old state (while the convictions are mostly people voting under their name in multiple states), and this is much more easily solved by having a single national voter registration system.

LOL • August 3, 2017 3:42 PM

I read the "write up" of "easily hackable".

"The Hackers" who "can hack" describe themselves as schoolchildren in possession of various voting devices, armed with a sharp screwdriver, and "hacked" them apart with the sharp screwdriver.

LOL

Clive Robinson • August 3, 2017 5:06 PM

@ Winter,

"But was it anything that could have been prevented with better voter IDs"

In the UK "voter ID" is established by filling in a registration form you get from the local government/council and send it back (or online). Come voting time if you have not registered for a postal vote they send you a polling card with the polling station you should go to.

As part of the registration you give your full name, date of birth, national insurance number (social security number equiv) and current address. This is supposed to be checked with the Department of Work and Pensions database that has a record from a person's employer which has the same details. Likewise unemployed people are in the register because the government pays a "persons stamp" when they are unemployed.

So in theory if you are paying into the system by NI being taken from your wages along with taxes or you are "signing on" then you will have had your ID checked by an employer etc which these days involves providing proof of ID by photo ID and proof of residency status and home address, so is traceable back through to a person's passport.

The reality is of course that existing registered voters were just transferred from the old register system to the new with no further checking...

Will • August 4, 2017 3:01 AM

I read Private Eye and read what I hear about on voting fraud, and I'm with Winter on this one.

Voter fraud is small and rare and the current push for voter ID in the US seems out of all proportion and better explained by the popular narrative as a push to make many democratic-leaning minorities unable to vote.

Sweden is an example of a country where every citizen has a 'personal number' that identifies them. This simplifies public life immensely.

HJohn • August 4, 2017 6:31 AM

@: "Voter fraud is small and rare and the current push for voter ID in the US seems out of all proportion and better explained by the popular narrative as a push to make many democratic-leaning minorities unable to vote."
_____________

It's one thing for proponents to believe voter fraud may be a bigger problem than realized and suggest a rule of "here is my ID, this is who I am, give me my ballot" as a common sense measure. This is a fair point.

It's also a reasonable position for opponents to say "I do not think it is a big enough problem, and the consequences are worse than the solution." This is also a fair point.

However, this argument "it's a push to suppress minority votes" is quite a serious, slanderous charge. I doubt there are very many people with a nefarious motive like that. Not to mention, I've always found the argument somewhat racist. It's like saying some minorities are so uniquely incompetent they cannot manage to get an ID.

Of course, that's unfortunately politics. Two people who disagree make good points (such as the need to prevent voter fraud vs the concerns with suppressing turnout), and end up attacking motives instead of debating ideas.

Winter • August 4, 2017 6:49 AM

@HJohn
"However, this argument "it's a push to suppress minority votes" is quite a serious, slanderous charge. "

It is definitely not slanderous when GOP candidates admit they push voter ID laws for electoral gain.

Some Republicans Acknowledge Leveraging Voter ID Laws for Political Gain
https://www.nytimes.com/2016/09/17/us/some-republicans-acknowledge-leveraging-voter-id-laws-for-political-gain.html

Wisconsin Congressman Admits Voter ID Law Will Help GOP Nominee Win In November
http://www.huffingtonpost.com/entry/wisconsin-voter-id-2016_us_5704a2eee4b0a506064d90cf

GOP congressman: Voter ID law will help Republican presidential candidate
http://edition.cnn.com/2016/04/06/politics/glenn-grothman-voter-id-wisconsin-republican-2016/

PS, I assume you are a US voter. So why do US voters comment on this blog not knowing this while I, a European who cannot vote in the USA, have known this for years?

HJohn • August 4, 2017 7:49 AM

@Winter: "PS, I assume you are a US voter. So why do US voters comment on this blog not knowing this while I, a European who cannot vote in the USA, have known this for years?"
__________

I am aware of what you posted. Don't assume that just because someone disagrees with you, that they are ill informed. I happen to pay attention to both sides of the issue.

Yes, many people on the (R) side think voter identification will help them win elections, because they believe illegal votes favor the other side to a greater degree than perhaps is reality, but that is not the same as wanting to suppress minority votes.

Likewise, people on the other side (D) think voter identification will hurt them in elections, because they believe illegal voting is less of a problem than voter suppression. They could just as easily be accused of wanting to encourage illegal voting, and I'm sure some doofs have made that accusation, but I think that too would be unfair.

This is why I think any state that wants to require someone prove their identity to vote should provide the IDs at no charge to the recipient. This considers both concerns.

Clive Robinson • August 4, 2017 11:18 AM

@ HJohn,

"I doubt there are very many people with a nefarious motive like that."

Taken solely on its own then you would perhaps be correct.

But the US has a long and unenviable history of voter suppression by both of the parties one way or another.

The fact minorities often get the brunt of this, is not against them per se, but the fact that as they are usually on the wrong end of the stick, they are unlikely to vote for the political incumbents. So they are seen as a threat to the incumbents' nice featherbedded lives, thus self interest alone justifies the behaviour.

JG4 • August 4, 2017 12:11 PM

@Clive

Your comment about "unenviable record" jogged my memory about events that purportedly occurred not so long ago in the Deep South. If it were historically correct, an expensive poll tax would be included in the story, but that usually is omitted. I'd like to see the entire Bill of Rights walled off permanently from taxation, also known as "the power to destroy." The vote administrators, when faced with a potential black voter, would tell them that a literacy test was required. One particular black gentlemen said "I don't mind a literacy test, I can read and write." Then the chief examiner handed him a copy of a Chinese newspaper asking him to read it aloud. The man looked at it, and said, "No problem, I can read this very clearly." The examiner was stunned. He said "What? You're telling me you can read that?" "Yessir," said the hopeful voter, "that newspaper says 'Ain't no niggers voting today.'" Not so different from what the liars, thieves and murderers do today to trample fundamental human rights.

Rachel • August 5, 2017 3:29 AM

Clive

"The fact minorities often get the brunt of this, is not against them per se, but the fact that as they are usually on the wrong end of the stick, they are unlikely to vote for the political incumbents. So they are seen as a threat to the incumbents' nice featherbedded lives, thus self interest alone justifies the behaviour."

Well said. This was overwhelmingly the case in the controversial Bush junior elections, as has been extensively documented elsewhere.
Another case of sociological or social security rather than purely technical.

A similar thing occurred in Australia in the same era, with the pro-Bush prime minister around the time of Iraq war. People in suburbs of cities known for being exclusively Muslim, were informed at the polling booths (if anyone enquired - which they didn't really) that votes from those areas would not be counted. This actually happened! I personally know people who were informed outright!!

Drone • August 5, 2017 10:02 AM

@Winter

You said: "Contrary to popular myths, voter identity verification is the most secure part of the whole voting process. For instance, a decade of in depth investigations in the USA have only brought a handful of voter impersonation cases to light."

How the heck can it be that "voter identity verification is the most secure part of the whole voting process" as you say, if you DO NOT VERIFY who the voters are in the first place!

You CAN NOT know ANYTHING about voter integrity without attempting to verify voter integrity in the first place! Your "exhaustive list of these investigations" is based on a flawed sample set from a system that DOES NOT verify voter integrity as a whole IN THE FIRST PLACE.

Get it!?

In countries where the system as a whole DOES attempt to verify voter integrity, statistical analyses repeatedly reveal rampant attempts at voter fraud. Not only that, the voter integrity system is constantly tested by orchestrated anonymous attackers, something that is IMPOSSIBLE to do without a blanket Voter ID mandate in the first place.

To not mandate an across the board Voter ID requirement invites voter fraud.

To argue against a Voter ID mandate is to collude with those who vote illegally to sway an election.

moops • August 5, 2017 6:20 PM

So the WinVote machine looks the most problematic. Old Windows CE with many many known exploits, and a running wifi with 40 bit encryption, and exposed and open USB ports on the unit itself.

The PEBS-based systems look harder to black-box into and fared better, but I suspect that once the right exploit is known it would be a total system compromise.

But hacking voting machines is the least problematic part of the election. GRU went at the vote tallying systems in 39 states.

cg • August 8, 2017 2:27 PM

Voting.

Hard paper ballots.

Counted by hand one small precinct at a time.

Totals certified and aggregated to larger districts.

Not that hard after all.

Unless, like Vladimir Putin, you are trying to "hack" the election.

It's high time for the people to take a sledgehammer to these fraudulent commodity-O/S-based electronic "election" machines.

Steve Frahm • August 8, 2017 6:37 PM

http://blackboxvoting.org/ Fraction Magic Video - A real-time demo of the most devastating election theft mechanism yet found, with context and explanation. Demonstration uses a real voting system and real vote databases and takes place in seconds across multiple jurisdictions.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.