I’m not sure how long these machines were in use, or in how many precincts. But, wherever these machines were in use, someone with not a lot of skill could sit in the parking lot, access the machines, change votes, and probably never be detected. I especially love that the machines recorded votes in MS Access databases. Look, I made my living as an Access developer for years. Access is awesome for some things. But not for running a damn election!
The audit also found that there were USB ports exposed on the exterior of the machine and you could easily boot to removable media. Once you do that, you can do all kinds of fun stuff to the data. Someone walking in off the street would probably be detected trying to boot to removable media while he was in the booth. But election workers would have all the time they wanted. Take a machine out of rotation, upvote your candidate, done.
Is there any evidence of vote tampering where these machines were used? No. But, then there wouldn’t be, since there was almost no logging and no effective integrity checking in place.
So, raspberries all around to Advanced Voting Solutions and to election officials in Virginia, Pennsylvania, and Mississippi. Way to handle the mechanism of our democracy, guys.
Since every computer can be hacked, and very few people, let alone your average poll watcher, have the ability to uncover altered software, I am not in favor of using electronic voting machines, regardless of who manufactured or is supplying the machines.
Pencil and paper ballots work just fine. They just take longer to count, but the politicians aren’t expected to take or leave office the day after the election.
Question: why in the world would a voting machine give an admin the ability to change vote totals? Something is fishy here. I’m an admin at my job and there are only so many things that are customizable. I can’t go in and change sales numbers. If I had access to the code I could screw with it by changing how sales are calculated, but uncompiled code wouldn’t be on a voting machine. In any system worth a damn, you can only change things that are meant to be changed, such as logins, permissions, inventory, prices, etc. Stuff that isn’t supposed to be edited, but is what it is once calculated, you can’t just go in and change.
So if admins can change vote totals, even if it’s not hackable, WTF? Why would we trust even admins with the completely unnecessary ability to change vote totals? There’s just no reason an admin needs to ever be able to do that.
A Windows admin account is different from an admin account in a (properly designed) application. A Windows admin account by definition has access to everything. The type of admin account that you’re talking about is specific to your sales application and is separate from the accounts in the operating system itself. If somebody logged into the operating system that your sales data lives on as an admin, they could change whatever they like.
10 IF VOTE$="JOHN KERRY" THEN KERRY=KERRY+1
20 IF VOTE$="GEORGE BUSH" THEN BUSH=BUSH+1
30 PRINT KERRY
40 PRINT BUSH
There is no way to alter the output of that code without changing the code itself. Unless I add code allowing such editing. Which would be crazy.
I actually created a simple thing like that for a school in 2004 that wanted to hold a mock election for the students. Took all of ten minutes and the only ability the admin had was to turn it on or off.
Sure there is. Just off the top of my head: (1) exploit a buffer overrun in another process to write over the count location of the variable’s memory. (2) exploit an elevation of privilege to “lock” one of the memory locations. (3) Insert a dongle between the keyboard and the computer that changes “JOHN KERRY” to “GEORGE BUSH.” (4) Modify the display driver to add a few digits after the string “GEORGE BUSH” before printing a number. (5) Modify the display driver to ignore the running app and replace it with whatever outcome you want. (6) Have an entirely separate program raise itself in front of yours and do whatever the heck it wants. (7) Combine several of the above to force the vote count memory locations to “roll over” by granting it lots of extra votes. (8) Modify the loader for applications to initialize memory to something other than zero.
Heck, your program is buggy all by itself once you exceed the number of votes that an integer can store and you get an overflow.
I’ve fixed or hardened code against all of those sorts of attacks and many more in the last few years – security is hard, and “I could knock this off in ten minutes” comments expose more ignorance than skill (ignoring the use of BASIC, which doesn’t help that case, either). Hacking programs isn’t done by “changing the code itself” and recompiling; it’s done by seemingly innocuous things around the program modifying the environment in which it runs.
What you cited are methods other than just “going in and changing vote counts” by an unskilled person, which is what the article said was possible. I used the code not to demonstrate security (anyone who knows BASIC and can hit BREAK can alter the code easily), but to demonstrate that the designer of an application controls what even an admin can alter. Companies do not just put sales data in a database that a CEO or whoever can then just change to something they prefer to show to shareholders. The numbers the program produces are the numbers the program produces. And there’s no reason to grant ANYONE the ability to change those numbers simply by altering a field.
If indeed a poll worker with the admin rights can just change the votes, that’s the actual problem, not hacking.
Adaher, your BASIC code is not really analogous to the situation here. Your code just holds a variable in memory and increments it. In an actual voting application, the individual votes have to be recorded to storage, such as by writing a record of each vote to a database. What the testing of these devices found was that it is trivially easy to access that database and change the records. This can be done by totally bypassing the application that is supposed to be writing the vote records to the database. Even if the application itself is protected from tampering, it writes the votes to an unprotected storage area that can be altered by means other than the application. So, fiddling with the application code is not necessary.
It is possible to design an application so that someone with admin rights on the OS cannot access the data in the application. You can use database encryption in such a way that OS admins cannot read the data without a separate login to the application. However, that was not done in this case.
Anyway, in this case, the testing discovered that it was trivially easy to gain admin access to the box. So, one issue, as adaher indicates, is that administrators can change votes, which in a well-designed system they would not be able to. Compounding this weakness is that anyone with a little skill can gain administrator rights on the system by quickly joining the wireless network and breaking into the voting machine.
It’s an incredibly lazy design. But, then, lots of applications are designed in an incredibly lazy and insecure manner. OK by me, though. I make my living responding to security breaches, so the more crappy systems out there, the more work for me.
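The post above makes two design points: votes end up in a storage file that can be edited behind the application's back, and the audit found no effective integrity checking that would reveal such an edit. The following is an added example (not code from the thread or from any voting-machine vendor) of the minimum a tallying application could do about the second point: chain each stored vote record to the previous one with an HMAC under a key the application holds, and refuse to tally a store whose chain does not verify. The key value, record layout and the `record_vote`/`verify_store`/`tally`/`seal` names are all assumptions made for the example; the votes are constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical per-election key held by the tallying application. For the
# example to run offline it is hard-coded; in a real deployment it would have
# to live off the machine (election authority, HSM), because an OS admin on
# the box can read any key stored there and simply re-sign an edited store.
APP_KEY = b"example-election-key-not-for-real-use"
GENESIS = b"\x00" * 32


def _tag(prev_tag: bytes, record: Dict) -> bytes:
    """HMAC-SHA256 over the previous tag plus a canonical encoding of this record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(APP_KEY, prev_tag + canon, hashlib.sha256).digest()


def record_vote(store: List[Dict], ballot_id: int, choice: str) -> None:
    """Append one vote, chained to the entry before it."""
    prev_tag = bytes.fromhex(store[-1]["tag"]) if store else GENESIS
    record = {"ballot": ballot_id, "choice": choice}
    store.append({**record, "tag": _tag(prev_tag, record).hex()})


def seal(store: List[Dict]) -> str:
    """Final tag of the chain; publish it at close of polls so the store
    cannot later be silently truncated."""
    return store[-1]["tag"] if store else GENESIS.hex()


def verify_store(store: List[Dict], published_seal: Optional[str] = None) -> bool:
    """Recompute the chain. Any edited, deleted or reordered record in the
    middle breaks it; a trimmed tail is only caught when a seal is supplied."""
    prev_tag = GENESIS
    for entry in store:
        record = {"ballot": entry["ballot"], "choice": entry["choice"]}
        expected = _tag(prev_tag, record)
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return False
        prev_tag = expected
    if published_seal is not None:
        return hmac.compare_digest(prev_tag.hex(), published_seal)
    return True


def tally(store: List[Dict], published_seal: Optional[str] = None) -> Dict[str, int]:
    """Count votes, refusing to tally a store that fails verification."""
    if not verify_store(store, published_seal):
        raise ValueError("vote store failed integrity check")
    counts: Dict[str, int] = {}
    for entry in store:
        counts[entry["choice"]] = counts.get(entry["choice"], 0) + 1
    return counts


def demo():
    """Record three constructed votes, then flip one record directly in the
    store, bypassing record_vote() the way one would edit the database file."""
    store: List[Dict] = []
    for i, choice in enumerate(["KERRY", "BUSH", "KERRY"]):
        record_vote(store, i + 1, choice)
    honest = tally(store)
    store[0]["choice"] = "BUSH"          # direct edit, no application involved
    detected = not verify_store(store)   # chain no longer matches
    return honest, detected


if __name__ == "__main__":
    print(demo())
```

The chain only gives tamper evidence, not tamper resistance: a reviewer who holds the key can detect the edit, but nobody is stopped from making it, and anyone who has both the key and write access to the file can rewrite the whole chain. That is exactly the root-on-the-box situation the thread describes, which is why the published seal (or, better, a paper record outside the machine) has to be compared against by someone other than the machine's administrator.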
adaher, when I’m root on a system, I have complete control of that system. I can replace files or encryption keys, write over the memory your app is running in, etc. Absolutely nothing is off limits, that’s the point of being root. Once you have the access necessary to actually administer a system, you can do anything to it, including replacing the operating system.
Now, even in a system with severe auditing, there is a person who has the ability/responsibility to maintain the auditing system. It boils down to the age-old question of who watches the watchmen.
In this case, they left the key under the mat, and didn’t even hire watchmen.
And yet IIRC the two big voting machine manufacturers won’t let anyone check their software because it’s proprietary. Gives me a warm feeling all over, lemme tell ya.
Voting machines are usually stored in a locked facility for two years, and are guarded by the cheapest security firm the taxpayers can afford.
In a large city, political parties may each spend $5 to $10 million for a mayor, governor, state, or federal legislator’s campaign(s).
I’ll suggest that an unscrupulous person could offer an unscrupulous programmer $1,000,000 to write software that guarantees that the candidate(s) of my choice will win the election. The software must also have the ability to remove itself. I will guarantee that the programmer will have unlimited access to the voting machines beginning sometime after midnight until, let’s say, 0500.
On election day, the average voter suspects that something is wrong with the voting machine they are using. They report the issue to the average poll watchers. The machine should then be taken aside, senior voting officials should be notified, and the maintenance company called (because no one else knows how the proprietary software operates). Maybe the hack will be discovered, maybe it won’t.
OTOH, pencils and marking pens are easy to trouble-shoot, reliable, and cheap to replace.
I’m in complete agreement with doorhinge. Make paper ballots and retain them for a number of years for potential audits and recounts. Read them with optical scanners if you want but save the paper trail. Electronic voting could lead to the day where the side with the best hackers wins.
Actually, if you were a salesman with a huge sale that did not get recorded correctly, you definitely want someone to change the figure before your commission check is cut.
As for your second point, you just don’t want someone with admin/admin combination to have that access.