Breach podcast: Step 3, election hacking: Voting machines

 The worst mistake you can make is not voting. The second-worst is … accidentally voting for the wrong person. So read those voters pamphlets, and news stories about HOW you’ll be voting, and be prepared!

Still, there are other ways your vote can be screwed with on election day. For more, listen to my podcast. Or keep reading.


Just click play above, or listen to the podcast on Stitcher

or on iTunes

 


(What is this? Go back to the beginning)

U.S. voting machines have been under scrutiny dating back at least to the hanging chads of Bush v. Gore in the 2000 presidential election.  In 2002, Congress passed the Help America Vote Act, which gave states money and incentives to abandon old-fashioned voting machines and led to the purchase of electronic machines — generally touch-screens (DREs) or optical scan / scantron machines (like multiple-choice tests). They’ve caused a lot of trouble. There have been years of demonstrations showing the machines are vulnerable to various attacks.  Vendors often say these are only theoretical, that the machines themselves are not networked so they aren’t really vulnerable.  Many voting experts disagree.

“What people sometimes don’t understand about voting machines is that they’re really not as isolated from each other and from internet-attached systems as they may seem,” said J. Alex Halderman,  director at the Michigan Center for Computer Security in Society, and another long-time voting expert.

For starters, the machines must be loaded with candidates — somehow.

“Before every election, virtually every electronic voting machine in the country has to be programmed, and it has to be programmed with the ballot design. That is the candidates, the races, and the rules for counting,” he said.  This is usually done with an election management system. “(Hackers) can potentially spread malicious software to every voting machine in the jurisdiction just by having that software essentially hitch a ride with the ballot programming that election officials copy to the machines in the field.”

Harri Hursti was the researcher who first hacked voting machines nearly 15 years ago.  His technique actually has a name: “The Hursti Hack.”

“What I found was that the bootloader is looking from the memory card a certain file name. If it finds that name, it will reprogram itself with the contents of that file with no checks, balances whatsoever,” he said. Some of the same machines he hacked 15 years ago are still being used in elections today. “Sometimes I get a little bit tired (of talking about it)…but it took 15 years before people started listening.”

PARTIAL TRANSCRIPT

ALIA:
Harri Hursti was the first to figure out how to get into two different kinds of voting machines.
Remember, they named it after him, the “Hursti Hacks”. But he considers the DRE the most
dangerous for our votes.
HARRI:
Because what I found was that the bootloader is looking from the memory card a certain file
name. If it finds that name, it will reprogram itself with the contents of that file with no checks,
balances whatsoever.
ALIA:
So this is crazy dangerous because even if someone officially reprograms or cleans or updates
the DRE machine, it will look completely clean. But every time you turn the machine on, the
bootloader is still there running Harri’s file. Again, this was fifteen years ago he figured this out.
And these machines are still in use. Do you ever get sick of actually talking about this because
this is essentially your life’s work.

HARRI:
I— I sometimes get a little bit tired, but then again it is — It took 15 years before people started
listening.
ALIA:
Something else I wanted to know while we were in the presence of cybersecurity and hacker
folks is, what would they make a machine do once they hacked it? Once they got their malware
in it. Like what’s the play? Maggie said she wouldn’t actually flip anything.
MAGGIE:
Why instead of switching a, you know, um, a red state to a blue state or a blue state to the red
state. Let’s— let’s just say orange and yellow for now. I don’t really care about politics in this
respect. Why wouldn’t I instead say, oh, this place is usually orange. I’m going to make it a little
more orange this time. And this place is usually yellow, I’m going to make it a little less ye— Or
it’s not usually yellow, I’m going to make it a little more yellow this time. So now the numbers
say well, it was a very passionate election. A lot of people stepped out to vote who didn’t
usually. But I would probably not want to do it in such a way that people would think like, would
trigger a recount. Right? I just want to do a little here, a little there in a battleground state.

ALIA:
I always thought this would be a big overhaul of a hack, but Maggie made me realize it can be
super targeted and specific

BOB:
Not a million votes, but just a few hundred in carefully selected places could change an election
and fly under the radar
MAGGIE:
Because like one of them falsehoods I’ve seen is them saying like, well it would be such a
massive effort to swing a US election, and I go, that’s, no, it’s not simply not at all. The Electoral
College, these two, that Ohio and Florida had been decided by a few thousand votes in some
very well known counties and very well known down to the neighborhood areas. I would just
maybe impact things there or impact things slightly away from them so that their’s are more or
less important depending on how I want to do it. So, you know, um, this idea that we are, we’re
protected by our diversity of systems or that we’re protected by our size is simply not true in the
United States.
ALIA:
On to some better voting options.
MATT:
So the best thing that we’ve got, the best idea that anyone has uh, come up with, and that’s
really regarded as the state of the art, is to use systems that don’t depend on software.
ALIA:
That was professor Matt Blaze again, bringing us to our next kind of voting machine.

MATT:
And an example of a system for that would be uh, paper ballots, um, optical scan, scantron
paper ballots were we recover the actual piece of paper that the voter marked, and can you
know — a human being can look at that and see what it was supposed to say.
BOB:
These are the second option: optical scan machines. Think of the forms with the little bubbles
that you fill in.
ALIA:
Oh yeah, like the scantron test in college.
BOB:
The reason optical scan machines are preferred is that they have paper. Your scantron ballot is
a built-in paper trail.

ALIA:
Yeah. In D.C., producer, Jan and I were feeling really encouraged by the optical scan machines
while talking to Matt.
JAN:
Um, can scantrons be hacked?
MATT:
Sure. Um, yeah, absolutely. Again, those— those machines are computers.
BOB:
Yeah, I know. I should have mentioned the “Hursti Hack” Harri did fifteen years ago was with an
optical scan. Those machines have memory cards too.
MATT:
But uh, the advantage is that you still leave behind the piece of paper that the voter uh, marked.
If you couple that with a system of audits where the, um, we take a random sample of precincts,
we hand count the ballots, compare that result to what the uh, scanners um, found. We can get
pretty good confidence that the software is working in any given election.
ALIA:
I thought we’d found the answer. Paper ballots that get optically scanned.

BOB:
Well, I think that’s precisely the point. If you think you found the solution via technology, you just
don’t know how it can be hacked yet.
HARRI:
All voting machines we have today and all welding machines we are going to have in near future
probably during our lifetimes are vulnerable and hackable. So let’s accept as a fact, and built
around auditing procedures.
BOB:
The mantra you’ll hear again and again in the tech community is “there is no such thing as an
unhackable technology”. But there can be an auditable system.

 

About Bob Sullivan 1277 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.