With fewer than 24 hours before polls open for the 2016 US presidential election, consider this your periodic reminder that e-voting machines expected to tally millions of votes are woefully antiquated and subject to fraud should hackers get physical access to them.
A case in point is the Sequoia AVC Edge Mk1, a computerized voting machine that will be used in 13 states this year, including in swing states such as Arizona, Pennsylvania, and Wisconsin. The so-called direct-recording electronic vote-counting system has long been known to be susceptible to relatively simple hacks that manipulate tallies and ballots. Researchers from security firm Cylance are driving that point home with demonstration hacks. The first one causes one or more votes for one candidate to count as votes for that candidate’s rival. A second one alters the names as they appear on the electronic balloting screen.
The hacks work by tampering with—or more precisely, reflashing—the PCMCIA card, a storage device in the voting machine that’s similar to the tiny hard drive that’s used by many digital cameras. The fraud could be carried out by inserting a maliciously modified card inside a Sequoia AVC Edge machine, although the attackers would likely have to circumvent tamper-evident seals that are designed to flag such abuse. The video above shows the hack being used to alter both the public and protective counters the machine uses to count and recount results to ensure tallies are valid. The decade-old hack first came to public attention in 2007 in a research paper titled Source Code Review of the Sequoia Voting System.
Stuffing the digital ballot box
The Cylance demonstration came three weeks after researchers from competing security firm Symantec published a post with a similarly cautionary tone. In it, researchers reported buying an unidentified DRE voting machine. They, too, were able to hack a storage card used by the machines to effectively stuff the digital ballot box. In the report, the Symantec researchers wrote:
Voters entering polling stations that use electronic voting machines are handed a chip card that they use to cast their vote. Once someone has voted, they turn the card back in to the polling station volunteer and it gets re-used by the next voter. Just like credit cards, these cards are essentially a computer with its own RAM, CPU and operating system. Which means they can be exploited like any computing device.
In examining the election process for vulnerabilities, we discovered that there’s an opportunity for a hacker to modify the code put on a voter’s chip card. Anyone who knows how to program a chip card and purchases a simple $15 Raspberry Pi-like device could secretly reactivate their voter card while inside the privacy of a voting booth. We found a card reader that fits neatly into the palm of our hand and used it to reset our fake voter chip cards two different ways. In one scenario, we reset the card to allow someone to vote multiple times using the same chip card. Our second method programmed the card to allow that card to cast multiple votes. In both approaches, that attacker is stuffing the digital ballot box and casting doubt in the validity of the results from that polling station.
Encryption absent on the voting machine hard drive
We also discovered that there was no form of encryption on the internal hard drive of the voting machines we purchased, which were running an outdated operating system to display the ballots and record votes. These types of hard drives are similar to those used in digital cameras. The lack of full disk encryption on the internal hard drive (as well as the external cartridges) presents opportunities for hackers to reprogram and alter ballots.
Potential hackers would also be unhindered by the voting machine’s lack of internet connectivity. Some types of malware, such as Stuxnet, can take advantage of air-gapped networks and vector through physical access to a machine. The lack of full-disk encryption on the DRE machine makes it easily exploitable, requiring only a simple device to reprogram the compact hard drive.
Security experts have been quick to point out that hacking enough votes to alter an election is prohibitively hard to do. As already noted, most hacks require physical access to machines that by law are required to be monitored by election officials. What’s more, machines used in US elections are extremely diverse. Taken together, these characteristics probably prevent hacks from scaling to the volumes that would be required to change the outcome of a national election.
Still, the hacks might be used to alter a relatively small number of results in swing states, where outcomes have been known to be decided by fewer than a few hundred or a few thousand votes. The hacks could also be used to sow widespread distrust in the official returns and undermine confidence in the legitimacy of the election. US intelligence officials recently accused the Russian government of hacking into the computer accounts of Democratic officials and leaking e-mails that could sway voters. Republican nominee Donald Trump has long warned of an election system that’s “rigged” against him and has rebuffed calls that he pledge to accept the results should rival Hillary Clinton receive a majority of electoral college votes. The lack of security in many of the nation’s e-voting systems certainly doesn’t inspire confidence.