Diebold voting machines can be hacked by remote control

http://www.salon.com/2011/09/27/votinghack/

This was written before the 2012 election We don’t know yet if these machines are still in use. Article says they were to be used in 2012 election.

Voting machines used by as many as a quarter of American voters heading to the polls in 2012 could be hacked with just $10.50 in parts and an 8th grade science education, according to computer science and security experts at the Vulnerability Assessment Team at Argonne National Laboratory in Illinois. The experts say the newly developed hack could change voting results while leaving absolutely no trace of the manipulation behind.

The Argonne Lab, run by the Department of Energy, has the mission of conducting scientific research to meet national needs. –

“We believe these man-in-the-middle attacks are potentially possible on a wide variety of electronic voting machines,” said Roger Johnston, leader of the assessment team “We think we can do similar things on pretty much every electronic voting machine.”

The Argonne Lab, run by the Department of Energy, has the mission of conducting scientific research to meet national needs. The Diebold Accuvote voting system used in the study was loaned to the lab’s scientists by VelvetRevolution.us, of which the Brad Blog is a co-founder. Velvet Revolution received the machine from a former Diebold contractor

Previous lab demonstrations of e-voting system hacks, such as Princeton’s demonstration of a viral cyber attack on a Diebold touch-screen system — as I wrote for Salon back in 2006 — relied on cyber attacks to change the results of elections. Such attacks, according to the team at Argonne, require more coding skills and knowledge of the voting system software than is needed for the attack on the Diebold system.

Indeed, the Argonne team’s attack required no modification, reprogramming, or even knowledge, of the voting machine’s proprietary source code. It was carried out by inserting a piece of inexpensive “alien electronics” into the machine.

Diebold-11-278x300

The Argonne team’s demonstration of the attack on a Diebold Accuvote machine is seen in a short new video shared exclusively with the Brad Blog [posted below]. The team successfully demonstrated a similar attack on a touch-screen system made by Sequoia Voting Systems in 2009.

The new findings of the Vulnerability Assessment Team echo long-ignored concerns about e-voting vulnerabilities issued by other computer scientists and security experts, the U.S. Computer Emergency Readiness Team (an arm of the Department of Homeland Security), and even a long-ignored presentation by a CIA official given to the U.S. Election Assistance Commission.

“This is a national security issue,” says Johnston. “It should really be handled by the Department of Homeland Security.”

The use of touch-screen Direct Recording Electronic (DRE) voting systems of the type Argonne demonstrated to be vulnerable to manipulation has declined in recent years  and the high cost of programming and maintenance. Nonetheless, the same type of DRE systems, or ones very similar, will once again be used by a significant part of the electorate on Election Day in 2012. According to Sean Flaherty, a policy analyst for VerifiedVoting.org, a nonpartisan e-voting watchdog group,

“About one-third of registered voters live where the only way to vote on Election Day is to use a DRE.” Almost all voters in states like Georgia, Maryland, Utah and Nevada, and the majority of voters in New Jersey, Pennsylvania, Indiana and Texas, will vote on DREs on Election Day in 2012, says Flaherty. Voters in major municipalities such as Houston, Atlanta, Chicago and Pittsburgh will also line up in next year’s election to use DREs of the type hacked by the Argonne National Lab.

 Who may gain physical access to machines that were not designed with security safeguards in mind.

“This is a fundamentally very powerful attack and we believe that voting officials should become aware of this and stop focusing strictly on cyber [attacks],” says Vulnerability Assessment Team member John Warner. “There’s a very large physical protection component of the voting machine that needs to be addressed.”

The team’s video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a “bad guy” virtually complete control over the machine. A cheap remote control unit can enable access to the voting machine from up to half a mile away

Voting machine companies and election officials have long sought to protect source code and the memory cards that store ballot programming and election results for each machine as a way to guard against potential outside manipulation of election results.

But critics like California Secretary of State Debra Bowen have pointed out that attempts at “security by obscurity” largely ignore the most immediate threat, which comes from election insiders who have regular access to the e-voting systems, as well as those who may gain physical access to machines that were not designed with security safeguards in mind.

“This is a fundamentally very powerful attack and we believe that voting officials should become aware of this and stop focusing strictly on cyber [attacks],” says Vulnerability Assessment Team member John Warner. “There’s a very large physical protection component of the voting machine that needs to be addressed.”

The team’s video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a “bad guy” virtually complete control over the machine. A cheap remote control unit can enable access to the voting machine from up to half a mile away

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s