On September 13, researchers at Princeton University’s Center for Information Technology Policy (CITP) released a study detailing their successful attempt to hack a Diebold AccuVote-TS, one of the most widely used voting machines in the United States. The researchers, Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten, also posted a demonstration video of their hack.
The CITP is not the first group to demonstrate the vulnerability of Diebold’s machines. BlackBoxVoting.org, Open Voting Foundation, and Johns Hopkins computer science professor Avi Rubin have all published accounts of security compromises in Diebold products. BlackBoxVoting.org wrote about their successful guerrilla project to swap out a Diebold voting machine’s memory card using $12 worth of tools in four minutes (the Princeton team says it can execute its hack in one minute).
But the previous reports simply highlighted potential holes in the Diebold machines’ security. The CITP study shows exactly how entire voting systems could be not just rendered inoperable, but deliberately hacked to rig an election. In fact, the CITP group developed a simple software virus to do just that, along with a method of deploying it.
The group’s study had three main findings. First, the CITP group discovered that not only could it install malicious code on the voting machine, but also that the code could easily be configured to “disappear” once its work was done, leaving no trace of tampering; the electronic and paper records produced by the voting machine would agree–and both be wrong.
Second, they found that physically hacking into the machine and its memory card was easy, as BlackBoxVoting.org had also discovered. The Diebold AccuVote and similar machines rely on a removable memory card for storing vote counts and uploading new system software. The CITP team was able to remove the card, replace it with one of their own, and reboot the machine, causing it to automatically install the software they had placed on the memory card–the software that could fix election results.
The CITP’s third finding was that its virus code could spread. The CITP showed that an infected machine could infect its original memory card, once the card was returned to the machine. Furthermore, the infected memory card, inserted into another voting machine, would infect that machine and then its memory card, and so on. In normal election procedures, memory cards are taken out of all voting machines and placed into one machine, which acts as an “accumulator” for tallying the total votes in a precinct. “By planting a virus far enough in advance, [a hacker] can ensure that a significant number of machines can steal votes on election day” even if the criminal had access to only one voting machine, says the narrator of the demonstration video.
“It’s like the old days, when viruses were spread on floppy disks,” says Princeton’s Felten.
Diebold has been aware of security issues in the past. In late 2003, the company sent cease-and-desist letters to various Internet Service Providers after internal company documents, outlining known security flaws, were published online.
The push to replace paper ballots came after the infamous “butterfly ballots” and hanging chads in the 2000 Presidential election, in which the Caltech/MIT Voting Technology Project estimated there had been up to two million votes not counted due to confusing ballot designs or faulty equipment. Congress passed the Help America Vote Act (HAVA) of 2002, which aimed to replace old voting machine with electronic, touch-screen ones. No provisions were made mandating a paper trail.
A year later, Representative Rush Holt (D-NJ) sponsored the Voter Confidence and Increased Accessibility Act. It would have mandated that electronic voting machines leave a paper trail for independent vote verification. Although the bill had 157 co-sponsors, it has not yet been brought up for a vote.
If enacted, however, this measure still might not be sufficient to safeguard elections. The CITP researchers show that it is possible to hack a voting machine so that its paper receipts agree with a tampered result.
Some companies and researchers have been investigating options for independent verification devices (IVDs)–separate machines that would be attached to each electronic voting device and provide a separate voting record. Roy G. Saltman, a voting technology consultant, recently wrote a paper for the National Institute of Standards and Technology recommending the use of IVD to “improve integrity and public confidence in the correctness of reported outcomes.”
Some IVDs work by capturing the video displayed on the voting machine, so that a separate record exists of which on-screen buttons a voter pushed. Others add another layer of confirming or rejecting voting choices. Another potential system provides a synthesized voice reading to the voter (through headphones) as a confirmation of his or her choices; the voter can hear that votes are being recorded accurately.
“Some of these systems are, in the long run, promising,” says Felten. But he’s skeptical that they’re ready just yet.
“It’s a complex problem,” he says. “An IVD has to get input directly from the voter, and still, you can’t tell what’s happening inside the computer.”
“If you want independent verification,” he says, “you need [an independent] paper trail. That’s the best safeguard right now.”