Could Hackers “Rig” The Election?
Donald Trump has predicted that the November elections will be “rigged.” Most politicians and pundits dismiss that idea as “impossible.” But according to many security experts, thousands of electronic voting machines that will be used across the country on November 8 are so riddled with security holes that the possibility of manipulating the votes they record cannot be waved away. Here's what you need to know...
Are Electronic Voting Machines Secure?
In a word, no. Princeton professor Andrew Appel and his colleague, Ed Felten (now a member of the White House Office of Science and Technology Policy), along with a rotating crew of Princeton grad students, have hacked every kind of voting machine, creating, at the Center for Information Technology Policy where they work, a monument to mediocre computer system design.
Security experts have always opposed the Direct-Recording Electronic (DRE) voting machines that are in widespread use. DRE voting machines leave no paper trail; one’s votes are recorded, stored, transmitted to vote-tallying machines, and reported to election officials digitally. It’s a recipe for disaster, say the experts.
“They’re just computers, and we know how to tamper with computers,” testified Dan Wallach, now a computer science professor at Rice University, to the Houston City Council when DRE machines were under consideration in that city. He was worse than ignored.
According to Wallach, “The county clerk, who has since retired, essentially said, ‘You don’t know anything about what you’re talking about. These machines are great!’ And then they bought them,” using part of $4 billion that Congress made available through the Help America Vote Act (HAVA) of 2002.
By 2006, all 50 States had purchased new voting machines, including DREs, optical-scanners, and other technologies. Some 20,597 of those machines are DREs, now used by several hundred election districts nationwide. They have been unreliable and insecure since their invention in the 1990s.
Numerous Attack Vectors
The team at Princeton investigating the security of voting machines re-programmed one machine to play Pac-Man; infected other machines with a self-replicating malware that spread via a supervisor’s access card; discovered physical keys to voting machine locks for sale on eBay; and programmed one machine to surreptitiously swing a mock election from George Washington to Benedict Arnold. Then, in 2003, they got serious.
A Diebold employee accidentally (?) left 40,000 files containing the code for the Diebold AccuVote TS, one of the most popular voting machines, on a public Web site. Appel and crew grabbed that bonanza and analyzed it thoroughly. One of the earliest papers they published, “Analysis of An Electronic Voting Machine,” includes some alarming findings, including these reported by Politico in a recent (and lengthy) excoriation of DRE voting machines.
“The machine’s smartcards could be jerry-rigged to vote more than once; weak cryptography left the voting records file easy to manipulate; and poor safeguards meant that a “malevolent developer”—an employee inside the company, perhaps—could reorder the ballot definition files, changing which candidates received votes. The encryption key, F2654hD4, could be found in the code essentially in plain view; all Diebold machines responded to it.”
Diebold dismissed the report, claiming that the software it examined was obsolete. But we have only Diebold’s word that security has been improved; no company that makes voting machines will allow its software to be vetted by the open-source community. Five “accreditation labs” supposedly vet voting machine software, but their reports are sketchy and the labs won’t answer questions. One of them even told California Secretary of State Kevin Shelley, “We don’t talk about our voting machine work” when he asked questions about the Diebold TSX machines. Shelley later banned Diebold machines from California elections, calling the company’s conduct “deceitful.”
The voting machines purchased between 2002 and 2006 are now 10 to 15 years old, well within the age range when electronic components start to deteriorate. A widespread problem with touchscreen DREs caused the machines to freeze or record a vote for another candidate when a voter touched his real choice on-screen. Larry Norden, another researcher of voting machines, attributes such behavior to deteriorating glue behind the screen. The software running on today’s voting machines is equally old. Support has ended for some of it, leaving orphaned code that becomes more vulnerable to hacking every day.
Security Through Obscurity
Why are voting machines plagued by deplorable security holes? One reason is that the really good security experts are working in more exciting, lucrative, and career-enhancing markets, leaving only the mediocre for voting machine makers to hire. Another reason is the voting machine industry’s reliance on “security through obscurity” -- they just won’t talk about problems, or allow outsiders to examine their code for flaws. A third reason is the vendors’ reliance on other people’s security practices; those elderly volunteers who work at polling places are sufficient security, they say.
But every year, Appel publishes a new photo of unguarded voting machines sitting in storage or empty polling places. His team has proven, over and over again, that these machines can be totally “owned” (reprogrammed) by a hacker in seven minutes or less.
While many States have gotten the message and rushed to replace vulnerable DREs (mostly with optical-scanning machines that provide paper trails), the flawed Diebold TSX will be used in 20 states in 2016, including critical swing states Pennsylvania, Ohio, Florida, Missouri and Colorado.
High-Level Hacks More Likely
The voting machines that voters see are easily hacked, but they have not become popular targets among hackers. The machines at one polling place are relatively small targets, not worth the trouble. Major mischief is better done at the next level up the information-gathering hierarchy, in the computers that aggregate votes from many polling places.
Ukraine’s 2014 national election was very nearly derailed by malware injected into the country’s centralized vote aggregation system; it was discovered and neutralized just 40 minutes before it was due to work its mischief. Had the malware executed, the system would have shown candidate Dmytro Yarosh as the winner with 37 percent of the vote (instead of the 1 percent he actually received) and Petro Poroshenko (the actual winner with a majority of the vote) with just 29 percent. The hackers also infiltrated the central vote-tallying system, deleting key files and rendering the machines inert; Ukrainian officials restored their software from backups within a day, but it was a close call.
Ukraine officials point the finger directly at Russia, noting that a Russian state-controlled television news station reported that Yarosh won the election by a margin of (surprise!) 37% to 29%, then buried that report when the official results were released minutes later.
Could Russia, another adversary nation, or even operatives from within, disrupt or manipulate a U.S. national election? Hackers have achieved that level of savvy, say experts like Appel, and with the enormous resources of a national government behind them, hackers can infiltrate nearly any system. At least a dozen U.S. government agencies have been hacked in the past two years, including the Department of Defense, the Office of Personnel Management, Health and Human Services, the Department of State, the Federal Aviation Administration, the Internal Revenue Service, and even the non-classified email of the President. So, yes, it could happen here.
Election officials nationwide are in denial about the security of their voting machines and the integrity of their results. They do not have any money to replace insecure, aging machines. It is up to voters to ask pointed questions and push their dully (sic) elected representatives to fund and mandate a complete switch from DREs to a technology, like optical scanning, that gives voters the opportunity to make sure their votes were counted, and accurately.
Do you have confidence that the results of the upcoming U.S. elections will be accurately tabulated and reported? Your thoughts on this topic are welcome. Post your comment or question below, but PLEASE, don't get into the political mud here. This article is about election integrity, not the candidates or their parties.
This article was posted by Bob Rankin on 11 Aug 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Could Hackers “Rig” The Election? (Posted: 11 Aug 2016)
Most recent comments on "Could Hackers “Rig” The Election?"
11 Aug 2016
Vote by mail may be the answer.
11 Aug 2016
Governments (at ALL 'levels') continue to "impress" their citizens with their continually PROVEN ability to F%$K UP almost EVERYTHING they touch!!!
They constantly tell us how "important" it is to vote, then turn right around & let this happen!
Meaning, "they" are either EVIL &/or STUPID!!!
11 Aug 2016
How is voting by mail the answer? The Mailbox can be stuffed the same way we get junk mail stuffed into our mailbox. Mail is bundled when a lot of it is going to one address, that would be the Counting Center. Maybe Dead Voters are smarter than the Living.
11 Aug 2016
You raise questions about voting machines identified as "DRE"s.
I always thought that stood for "digital rectal examination."
Perhaps you can vote and get your prostate checked at the same time.
Can't do that with paper ballots!
11 Aug 2016
I'm with Ron De Stasio -- Vote by mail. I'm one of those old fashioned Americans who feels a certain aura of 'Sanctity' in a voting booth -- for me it really was a quasi-Religious/Spiritual experience each time I've stepped into a voting booth and pulled the curtain. After the 2000 election, I asked for, and received, a vote by mail ballot. The PEOPLE should elect a president, not the Supreme Court or Congress or the Executive or The Electoral College -- it's up to the PEOPLE.
Here's one of MY biggest gripes: the PERCENT OF REGISTERED VOTERS WHO VOTE - in the year 2000 only 51% of registered voters voted, meaning the Bush the Second was elected by only ~25.5 of the population, thus 3/4 of the population is not represented, and the percentage of non-voters remaining in the ~50% range (49.0% - 58.2%) it only makes sense to vote by mail since rural elderly, infirm, or people without transportation have SEVERE obstacles placed in their path, the same is true of inner city populations, and those in the suburbs where voting places may have been centralized FAR from their residence. Often by gerrymandering by both sides. It takes care of Moore's Law and hacking voting machines, and the ONLY disadvantage I see is that a last moment revelation of a candidate's malfeasance or funding structure (who paid to have him elected -- not meaning to sound cynical) - I cannot change my vote from one candidate to another, or withhold my vote completely if I cannot in good conscience vote for the alternative/proposition/law.
I am proud to say that I am a 'decline to state' party member - which leaves me out of primaries, but keeps SOME of my personal data personal (though this year I DID register for a party, voted in a primary, then changed back to 'Decline to State'). It does not align me in divisive politics, allows me to vote any way I please across party lines, and also allows me to play devil's advocate with straight party line voters since I am NOT a straight line party voter -- I can read and I can think.
The 2000 election was a fiasco and that was all about 'hanging chads' - others ARE about computer glitches. When I watched a video of a Hacker (note capital) take control of a vehicle's CPU and turn it and crash it into a wall at 20 MPH -- switching to a vote by mail (paper trail) eliminated any part *I* might play in a 'rigged' election.
And Bob is right - fiddle with just a few machines in just a few precincts of one or two major states and the election is thrown. AND there are never 'not enough machines' if you are using voting machines, all you do is add several booths and the 3 and 4 block lines of voters waiting to vote, and the 1-5 HOUR waits disappear.
I support TWO concepts - 1) vote by mail and 2) if you do not vote, you incur a small fine that increases each subsequent year you fail to vote. If people refuse to participate in voting, even if by sending back a completely blank ballot, then it MAY be up to a Democratic Republic to force the issue in order to force the individual voter to participate in the process, and not say - both parties are basically the same, so no matter who I vote for, it makes no difference.
Elections are not just about people, they are about local ordinances and laws -- and I lived in a county where the population was so thin that - for example, the vote to add a $1 (ONE DOLLAR) fee to each parcel of land to support a library failed by 2 votes (out of less than 500 cast) -- our county no longer has a library. THAT is the biggest threat to Democracy I can imagine. Even a greater threat than ignorant voters - there is no non-partisan place where neutral information can be found. NE California and Central and Western Nevada have HUGE counties with population densities in the 3-7 people per mile squared. A single vote would have tied the library vote and 1 vote determined the fate of a rural volunteer fire department. One Vote took away a fire district which also provided EMS services through the EMT-II (NOT 'Paramedic') Basic Advanced Life Support services (B-ALS) - increasing response time to a heart attack, auto accident, or Ranch-Farm injury from about 10 minutes to first person on scene, to just shy of 30 minutes to first person on scene. That vote also took away their b-ALS status as well. Thus no IV's or Drugs administered on site by people who were 20 minutes.
11 Aug 2016
And will it still be rigged if he wins!
11 Aug 2016
Wow Bob, I would hate to ever accuse anyone of plagiarism but it is quite suspect in this article. So I will refer to this article at Politico
11 Aug 2016
This week in Australia we had a 6 yearly Census and they tried to do it via the internet. Our Gov. gave a contractor $6m. (IBM), to create the biggest disaster in Australia's Census history. The day before the Census, my friends and I took bets on when it would crash through congestion and attempts to hack it. I lost the bet by one hour! It happened at 10.30 Am. If a Gov. intends to use the internet, they should look at the banks' systems. They seem to nearly work.
12 Aug 2016
Fred, How can you intimate plagiarism when sources are so amply cited? Looks to me more like a condensation of the basics.
Marc de Piolenc
12 Aug 2016
I'm pretty sure that at least one election - the last presidential election - has already been rigged at the national level. Ohio had more votes than eligible voters, for example. It would not surprise me if machine manipulation were part of it, but the easiest way to rig elections is the old-fashioned way - sneaking in ineligible voters, getting people to vote two or more times, etc. There are no voter ID requirements, so who is to know?
12 Aug 2016
Regarding Ken Mitchell's post: Please...He should stop using every topic on this website as an excuse to slip in partisan political polemics. Forum members have shown restraint by not flaming him on these outrageous claims and made-up facts, and he should respectfully do the same by sticking to the computer issues that Bob Rankin is addressing. Ken can still post those rants on the sites of the crackpot online newsletters where he reads those things in the first place.
Having said that, one claim really must be cleared up: Both government and independent investigations into voter fraud have consistently found it to be extremely rare and usually it involves absentee ballots or signature petitions, rather than “in-person” fraud of the type targeted by voter ID laws. In 2012, the Texas Attorney General verified 18 fraudulent votes cast in that "tiny" state over the preceding TEN years. Ohio found 4 in 2002 and 2004 (out of 9 million votes cast). George Bush's Justice Department charged 120 people for improper voting of one kind or another (convicting only 86) in the entire country during a five-year "crackdown". So any claims that officials (like the ones Ken named) would not have been elected were it not for voter fraud are very amusing. I have to admit I enjoyed reading that one.
12 Aug 2016
Given how huge and pervasive government has become, the temptation to rig elections is enormous. Well over a billion dollars will be spent on the Presidential contest alone, but the prize is control over a multi-trillion dollar budget (not to mention the indirect value of the government's regulatory power). The payoff is three orders of magnitude greater than the expense.
So the very least we should do is make sure that elections are as honest as possible. This entails many aspects. DREs should be abolished. Optical scanners which provide auditable paper trails work reasonably well. All aggregation software should be open-sourced and analyzable by the public for potential flaws. A sufficient number of observers should be recruited (and paid if there aren't enough volunteers) from competing political parties to oversee every step of the voting operations, perhaps video recording everything. Ballots need to be securely tracked and stored.
But ballot security is only half of the problem. Voter security is the other half. We need reasonable voter ID requirements to make sure only eligible voters can vote, that they can do so only once, and only in the precinct where they live. Any qualified citizen should be able to register and provide identification without intentional obstacles. But minor inconveniences which are easily circumventable should not be an excuse for failing to obtain IDs or failing to vote. Frankly, I have no sympathy for citizens who are too lazy or uninterested to bother obtaining IDs or voting. If their vote isn't that important to them, then we're better off if they stay home. The franchise is too critical to be exercised in ignorance.
Voting must also be protected from bribery and intimidation. That's why we have secret ballots. Unfortunately, absentee voting and mail voting in general erodes the secrecy of the voting booth, since it offers the potential of allowing third parties to suborn or steal votes in various ways. Absentee voting should be limited to "good cause" excuses, the way it used to be, to minimize the risk of illegitimate outside influence. And voting should be concentrated on election day rather than spread out over a period of weeks.
Finally, elections should be decentralized as much as possible. The threats of vote fraud and procedural failures can never be entirely eliminated, but they can be localized and minimized. That's one of the reasons that I prefer the Electoral College system: A problem in one county or one state is limited to that locale, and rarely affects the outcome elsewhere. "Rarely" doesn't mean "never", as we saw in Florida in 2000 and in a few Senate races which can impact that body's overall makeup. But in most states, especially deep red or blue states such as Texas or California, nobody's going to bother stealing or forging Presidential ballots, where fraud would have to occur on a massive scale involving hundreds of thousands or millions of votes in order to change the outcome. It's just not worth the risk. On the other hand, if the outcome was determined purely by popular vote and the election was very close, then every city and every state would have an incentive to cheat since it could impact the final result. Instead of one "Florida" we could have 30 "Floridas" all over the country battling over the meaning of hanging chads, with the uncertainty lingering for months or years as different courts hashed out the challenges. To take another example, Chicago's large population of deceased voters doesn't matter to the Presidency, since Illinois will reliably vote Democratic anyway. But if the popular vote replaced the Electoral College, many more zombie voters would claw their way out of the ground to try to tip the national totals.
12 Aug 2016
The file of registered voters is also automated, and is vulnerable.
This whole business could destroy confidence in the democratic process. For example, a defeated candidate can claim the election was rigged. In fact he could recruit hackers so he could point to "proof" for his claim. Has Trump not already said he suspects the election of being rigged?
12 Aug 2016
Anything can be tampered with.
Over 50 years ago, Chicago first used machines instead of paper ballots. The type of machine when you push buttons to select your candidate and then pull a lever to lock in your vote. These were mechanical machines with counters inside to tally the votes. Random inspections of these machines showed many of them with hundreds of votes already counted before the polls opened.
13 Aug 2016
If you want to read more copy and paste the title of the articles at this URL in Google search. https://archive.is/mIxup#selection-717.0-719.17
14 Aug 2016
The best that can be said is that no voter fraud that they could detect took place. To say that no fraud took place is an unwarranted display of arrogance.
15 Aug 2016
I have been wondering, this article solidifies my thinking. It seems very possible
15 Aug 2016
Three comments - Vote by paper ballot, whether by mail or in person on election day. It takes longer to count, so maybe only vote-by-mail votes will be available that evening and only 80% the next morning, but all votes end up counting, and counted only once.
Voter fraud these days is vanishingly small; anyone who says differently quite simply has a factless argument. In Colorado, for instance, there were 22 cases of voter fraud charges being brought between 2000 & 2014, over which time well in excess of 10M ballots were submitted. The possibility of someone rigging an election, however, is a scary proposition.
The Electoral College system could probably be improved, perhaps by proportional voting per state rather than a winner-take-all system, but if you thought the 2000 Florida recount was bad, think of the problems a country-wide recount would require, if the popular vote was very close.
15 Aug 2016
I forwarded the article to our contacts at Kennesaw State University Center for Elections Systems. KSU has partnered with the Secretary of State’s office since 2002 when the current voting system was purchased and implemented throughout the state of Georgia. The response below is from the Center’s Director, Merle King.
Terry - Georgia's voting system has been used in Georgia since 2002. In that time, we have conducted over 8,000 elections, tabulating more than 45 million votes. Every federal, state and local official, from both political parties that is currently serving in Georgia, was elected by this system. Periodically we get requests from the public regarding the security of our system, and are glad to respond.
1. Cyber Security - the identification of threats to computerized systems and their corresponding mitigations, must deal with the probable, not just the possible. By definition, anything that is not impossible, is possible. Election officials at the state and local level must be responsible custodians of the taxpayers money and allocate security resources where there are in fact, probable threats. The State Elections Division and the Center for Election Systems monitor all reported threats to our system and evaluate both the threat's probability, its vector (how it would or could attack our system) and whether there is an existing or needed mitigation. This monitoring is done in conjunction with the Election Assistance Commission (EAC) and the system's vendor, ES&S. The EAC accesses the resources of NIST and Homeland Security to support their internal efforts.
2. The voting system uses a layered defense approach. This means that penetrating one layer of defense does not give you access to the system, it only presents a different layer. These layers are physical (things like locks, keys, seals, logs, etc.), procedural (chain of custody, dual sign offs on election activities, reconciliation at the polling place and elections office), and logical (encryption of data, SSL certificates, changed logins and PINS, etc.). These layers work in unison to protect the integrity of the system and its data.
Over the years there have been several internet videos that have professed the ease of accessing and hacking a voting system or tabulation server (the GEMS server). These videos are carefully scripted events that selectively ignore the overall security protocol of the voting system. Because voting technologies are so different from consumer or other commercial technologies, the public has difficulty in understanding the architecture of voting systems - they are unlike any other consumer or commercial technology.
One important aspect of the security controls that surround voting systems is their reliance on detective controls vs. preventative controls. Preventative controls literally prevent an anomaly from occurring. Preventative controls are expensive to design and implement. They require perfect knowledge of future events. Detective controls are designed to detect an anomaly and alert the election official. Security seals are good examples of detective controls. They don't keep anyone from getting into a system, but instead, alert the election official that the system has been accessed. Once a detective control has been penetrated, the election official implements a standard procedure of removal of the system, quarantine, forensic analysis, and after-event report.
3. One of the most important controls is the amount of testing that the voting system receives. Our system has been tested to the then-current federal FEC/NASED VSS standard. It has been tested and certified twice at the state level and is in conformance with Georgia statute and rule. Both of these testing processes utilize source code review and extensive functional testing. In addition, every unit of the system is tested for conformance to the state standard. This acceptance testing occurs whenever a new unit arrives or when a unit is sent off for repair and returned. Counties perform Logic and Accuracy testing of every piece of equipment prior to each election. The Center for Election Systems performs forensic tests at the request of the Secretary of State, to support investigations. All of the GEMS servers are tested each time a county moves the system or it is replaced. This test includes a hash value comparison - a logical comparison of the software on the machine to the known standard load for the server.
4. Georgia requires at least one member of the local elections office to be certified to conduct elections. This certification includes 24 hours of training on the use of the voting system, which includes maintenance and security.
At the Center, we take very seriously the current conversation about elections being rigged or that hacking an election is a trivial exercise. If you have any additional questions or concerns about our voting system, don't hesitate to ask.
From: Don Hawbaker
Sent: Friday, August 12, 2016 9:22 AM
To: Terry Colling ; William Wilson Jr. ; Eric Mosley ; Helen Grayson ; firstname.lastname@example.org
Subject: Fwd: Could Hackers “Rig” The Election? - August 11, 2016
I'm forwarding your email to our elections supervisor (Terry Colling), the Chairperson of our Elections Board, and county management to let them know of your concerns about hackers affecting election results. If anyone has information that would address or provide assurances about these concerns, please reply to all.
404 668 3790
---------- Forwarded message ----------
Date: Thu, Aug 11, 2016 at 10:32 AM
Subject: Could Hackers “Rig” The Election? - August 11, 2016
With all of the other problems you are dealing with, I thought you would appreciate this one.
My questions are, are our local officials aware of the problem and what are they doing to avoid the problem?
Don J Hay
113 Jasper Ct
Griffin, GA 30223
Sent: 8/11/2016 10:08:11 A.M. Eastern Daylight Time
Subj: AskBob - Could Hackers “Rig” The Election? - August 11, 2016
20 Aug 2016
As an experienced Election Judge and long-time AskBob reader, I've fretted about election hacking for years. I've yet to figure out how it could be done on a large scale, without simultaneously altering all the THOUSANDS of paper records, though there's a definite risk of a data-collecting hack resulting in incorrect results being announced on Election Night, with much national angst & distrust arising from releasing amended, audited results.
I agree that leaving machines unguarded is risky, but my Election Commission is too undereducated in cybersecurity (or technology in general) to change this practice. Our hope lies in always having a paper record -- and in phasing out the touchscreens (actually needed only for vision-impaired voters), where the paper record could be hacked to differ from the voters' choice, though the voter -- if not vision-impaired -- has the ability to verify the paper record. But in my large county, it would take a LONG time, with many, MANY labor hours, & great taxpayer expense, to re-tabulate all the touchscreens' paper tapes & all the optical readers' paper ballots.
Certain roles of the election judge team should require a minimal level of government security clearance, to ensure hackers (or friends or family members of hackers) don't have unattended access to certain pieces of equipment. And WIFI should not be used by election sites (it's used in my county for voters whose paper signature capture is missing or blank -- not for live vote-casting, but it still puts voters' personal data at risk, if intercepted). However, Homeland Security is NOT accepting feedback from mere judges, as we don't oversee an actual .gov site (and in my large county, the Election Commission uses a .org site); I was dismissed by an annoyed US-CERT clerk when I phoned in my concerns.