Christopher Mims

A View from Christopher Mims

How Long Before Hackers Steal Votes?

In the U.S., the only things standing between democracy and election fraud are a few pieces of adhesive tape.

March 18, 2011

When the stakes are high enough, hackers have figured out how to defeat all manner of computers not even connected to the internet: ATMs, credit card readers on gas pumps, you name it. How long, then, in a society in which elections are already bought and sold through political action committees and K Street lobbying, before the monetary incentive to steal votes from the latest generation of voting machines exceeds the difficulty of pulling it off?

That, indirectly, is the question asked and answered in a just-released judge’s summary (pdf) of testimony from a trial conducted in 2008-2009 in which the state of New Jersey was sued for insufficiently guaranteeing the physical security of its electronic voting machines.

Experts called during the trial asserted that the state’s existing security methods, consisting primarily of tape that should reveal evidence of tampering if key parts of a voting machine are removed or opened, were insufficient. So New Jersey expanded the number of physical seals on its machines from three to six. Subsequently, the same experts testified that these measures were essentially useless in the absence of training for election workers in the proper use of these seals, and that the seals interfered with legitimate maintenance of the machines.

In other words: New Jersey’s electronic voting machines, which are emblematic of machines across the U.S., remain vulnerable to attack by hackers who could inject software or hardware to skew vote counts.

If the idea of motivated hackers turning to this method of election fraud sounds far-fetched, check out this scenario from an October 2010 paper (pdf) by Andrew Appel, chair of the department of computer science at Princeton University:

Candidates for the presidency of the United States routinely spend hundreds of millions of dollars to get elected; candidates for Governor of New Jersey sometimes spend tens of millions. Independent groups not associated with the candidates routinely spend millions of dollars. Volunteers and party workers routinely devote hundreds of hours to political campaigns, even separately from the flow of money. Even candidates who are quite honest can sometimes attract supporters who are willing to use unethical or fraudulent means. If there is a limitation on resources, it is not in “how much is it worth to get elected?,” but more in “how many people can be involved in an election fraud before word leaks out?”

Appel goes on to describe the myriad circumstances in which voting machines are accessible to members of the public. Insiders like election workers and those with access to the warehouses in which machines are stored could have continuous access to voting machines for long periods of time.

Outsiders also have access to voting machines, which, owing to their size and weight, are often left unattended for days in polling locations like schools and community centers.

Literally the only guarantee that these machines haven’t been compromised is the physical seals on them. The machines are locked, of course, but beyond locks, these seals primarily consist of measures that should show evidence of tampering if they’re broken. If these measures are truly as inadequate as experts believe they are, the next step is hacking the software of the machine itself:

DRE voting machines are very vulnerable to software-based fraud: if an attacker replaces the firmware (software) that determines how the computer interprets button-presses on the user interface, then he can make the machine fraudulently miscount votes according to an algorithm he determines. He can choose the algorithm so as to resist detection by black-box testing, that is, not to cheat in circumstances other than in real elections. In real elections, of course, the privacy of the ballot prevents interviewing the voters to learn how they voted, so unlike (for example) bank ATMs there is no end-to-end way to audit a “paperless” DRE.

Ironically, it’s the sanctity of the voting booth that makes fraud through electronic voting machines potentially undetectable. Remember the U.S. presidential election of 2000? At least we had hanging chads to count.

h/t Andrew Appel

Follow Mims on Twitter or contact him via email.
