Security Experts Able To Hack Into Nearly Every E-Voting Machine

from the seems-a-bit-troublesome dept

Back in March, California decided that, after years of negative publicity about the security of e-voting machines (and certainly enough evidence to suggest they weren't very secure), it would allow independent security experts to try to hack into any machine before it got approval to be used in California elections. Those researchers have gone ahead and found that every machine they tested was hackable -- often very easily. The researchers were able to hack into Diebold, Sequoia and Hart InterCivic machines. They didn't get a chance to test ES&S machines because, as you may recall, ES&S stalled before handing over its source code (and included a nasty threatening letter with it).

To be fair, these machines were tested in non-normal conditions, where the researchers had access to all sorts of documentation, the full source code and no election going on where people might spot them tampering with a machine. That is, this doesn't mean that it's necessarily easy to hack an election. It just means that all of the machines have some insecurities -- most of which we didn't know about before. The key here is that we can now understand these insecurities and whether or not they're adequately protected by other measures.

What still doesn't make sense is why the e-voting firms are so against this process. All it's really doing is helping those companies improve their products to make them more secure. Of course, one key reason is that the researchers found that many of the security problems exist because the machines weren't built with security in mind -- but only had it added as an afterthought. In other words, these companies probably should be redesigning their machines from scratch, which they don't want to do. Of course, does it worry anyone else that the machines weren't designed with security in mind in the first place?

Filed Under: california, e-voting, security
Companies: diebold, es&s, hart intercivic, sequoia


Reader Comments


  • hoopajoop, 30 Jul 2007 @ 11:10pm

    first!!

    even if they were secure those Bushes would have one, the evil bastids!

    • SPR, 31 Jul 2007 @ 5:24am

      Re: first!!

      Wake up, dumbass!! There is no evidence that Bush ever "stole" an election. On the other hand, the Democrats have for years been registering (and voting) residents of the nation's cemeteries for years. The most recently documented case was in Louisiana. More recently, they have been busy registering felons currently serving in prison, those who have forfeited their right to vote by their criminal activity. Besides, this was not about stealing an election, it was about improving the security of electronic voting machines. These companies would be wise to offer to work WITH the security experts to IMPROVE their product.

      • SailorRipley, 31 Jul 2007 @ 11:27am

        Re: Re: first!!

        "There is no evidence that..." actually means: "I haven't seen any evidence in mainstream US media that...".

        Try reading a book once in a while, for example "The Best Democracy Money Can Buy" by Greg Palast.

        "More recently, they have been busy registering felons currently serving in prison, those who have forfeited their right to vote by their criminal activity"

        My guess would be they're doing that to compensate for all the people the Republicans incorrectly prevented from voting

  • hoopajoop, 30 Jul 2007 @ 11:11pm

    re: first!

    "won", even. :)

  • Enrico Suarve, 31 Jul 2007 @ 12:27am

    That would have stopped all the fun

    If they'd have allowed testing before people would have known what was going on and that would have been bad for Bush

    "It is enough that the people know there was an election. The people who cast the votes decide nothing. The people who count the votes decide everything." - Joe Stalin

  • Nunya, 31 Jul 2007 @ 1:01am

    The real problem

    The Electoral College is the second problem. It's outlived its time. No matter how good these machines get your vote truly doesn't matter, if you're a republican in a majority democratic state or vice versa. But they say that these machines were tested in uncommon situations, like having the source code.....hmmm well source codes get leaked everyday.

    • Haywood, 31 Jul 2007 @ 6:14am

      Re: The real problem

      "The Electoral College is the second problem. It's outlived its time."

      Not really, it still serves its intended purpose; to give the people of sparsely populated states a voice.
      But for that New York and California would pretty much decide everything, and Montanans might as well stay home on election day.

  • Bubba Nicholson, 31 Jul 2007 @ 1:51am

    republicans dishonest

    Republicans aren't the only dishonest people in America, but they're the only ones who organize teams of criminals to assassinate or attempt to assassinate US presidents (e.g. JFK by plumber gang under Richard M. Nixon & G.H.W. Bush) (Ford & Reagan by G.H.W. Bush), candidates for US president (RFK, George Wallace, MLK (attacked by plumbers under G.H.W. Bush again)), and break into people's homes and offices (plumbers under Nixon). They regularly fund organized cheating in American elections, skirting election law only needed because of republican cheating in the first place.

    Republicans gang up and rape whole industries, like the savings and loan corporations, like Navy oil reserves, like strategic petroleum reserves, like insurance companies. Democrats don't say much because, well, there're just too many of 'em. We tried shooting them all and that didn't work, but it slowed them down in the 1860's & 1870's.

    • Paranoia Will Destroya, 31 Jul 2007 @ 3:39am

      Re: republicans dishonest

      I'm sorry, did you just say that the Republicans, with the help of plumbers, have assassinated presidents or presidential hopefuls, and apparently at the sole command of George Herbert Walker Bush.

      As much as I would love to believe that the Bushes, not money, are the root of all evil, I think people will find your... accusations... a little tough to swallow without proof.

  • Chad Howell, 31 Jul 2007 @ 3:32am

    The moonbats are out tonight....

    Watch out people! The black helicopters are after you!

  • W, 31 Jul 2007 @ 4:42am

    Can we get back on topic?

    The article is about voting machines not evil Republicans or communist Democrats.

    I used to work on the older lever-type voting machines and if you gave me the kind of access these researchers had I could rig them too. The sad truth is, elections have been rigged for as long as there have been elections so don't be afraid of new technology. Trust but verify...

  • Pinkynarf, 31 Jul 2007 @ 4:50am

    What if we looked at cars this way?

    Come on. Of course you can hack a machine if you have access to it in a dark closet where nobody is looking. We aren't talking the real-world here. This is all just a bunch of propaganda.

    What if the police department hired an outside firm to examine the next fleet of police cars they were going to purchase? The independent organization would find that none of the police cars are safe: They can go too fast, use explosive gasoline, don't provide adequate security measures to prevent a theft, are too heavy, may lose control when taking a corner too fast...

    Now really, if you look at anything at all you can pick it apart and find something wrong with it. Is E-voting secure? I doubt it. Is hand-counting fool-proof? I doubt it. Is the world going to end? Yes, absolutely.

    We wouldn't need so many stupid laws and security if people followed the 2 commandments from God: Love God, and Love your neighbor. That pretty much covers it all.

    • Anonymous Coward, 31 Jul 2007 @ 11:31am

      Re: What if we looked at cars this way?

      "They can go too fast, use explosive gasoline, don't provide adequate security measures to prevent a theft, are too heavy, may lose control when taking a corner too fast..."

      all excellent reasons why police cars are not used for e-voting

  • freak3dot, 31 Jul 2007 @ 5:30am

    "Love your neighbor" -- Pinkynarf

    It would be equally effective (without the religion) if everyone followed the concept of Karma. Believe it or not, when you do something you know is wrong to someone else, it will come back on you in some form or another.
    But at the same time, if you do something you know is right and go out of your way to do the right thing, that will come back on you in some form or another as well.

    freak3dot

    • Pinkynarf, 31 Jul 2007 @ 5:43am

      Re: freak3dot

      freak,

      Leaving the religion out of things is why the world is such a mess. America was created for religion of freedom. Things have now swung so far the other direction that we are now a country based on freedom from religion. Many people today are looking out for themselves. The idea of Karma comes from religion, although it may not be directly religiously based. It is just another example of people stripping religion from all that is good and trying to claim it for themselves (no offense. My comment is not directed at you who follow Karma, but rather the people who start such movements in the first place). Good and Bad happens to people regardless of what you do. I do not have a better life because I am a Christian. I am a Christian because God loves me no matter what I have done. If you were offended by something I said, please find a church and talk to someone. Dialog is a good thing.

      • Sanguine Dream, 31 Jul 2007 @ 6:35am

        Re: Re: freak3dot

        This is viciously off topic so don't say I didn't warn you...

        Sounds like you're trying to say that religion itself isn't the problem but the people who interpret it are. That I can agree with seeing as how religion has been used to justify some of history's darkest moments.

        I personally do not think I have the decent life I have because I am agnostic but I am agnostic because while I firmly believe that there is a higher power running things in the universe I really don't care who/what she/he/it is.

        And by the way:

        The idea of Karma comes from religion, although it may not be directly religiously based. It is just another example of people stripping religion from all that is good and trying to claim it for themselves

        I'm not sure what you are saying here.

  • Ikey Benney, On Voting Machines, 31 Jul 2007 @ 6:35am

    Voting Machines

    Hello:

    If what you said in this article is true, then it is indeed alarming because it means that no election would be reliable.
    I expect the authorities will take steps to plug the security holes.
    Ikey Benney

  • Overcast, 31 Jul 2007 @ 6:38am

    To be fair, these machines were tested in non-normal conditions, where the researchers had access to all sorts of documentation, the full source code and no election going on where people might spot them tampering with a machine

    Any real world hacker worth their salt would do the same thing. As for tampering - well that all depends on where you are and who you know.

    Of course, it won't matter, because it makes it so very easy for elections to be 'fixed' and dupe the public.

  • san, 31 Jul 2007 @ 6:39am

    zero day

    wonderin when it'll appear on http://www.wslabi.com/ for good

  • Sanguine Dream, 31 Jul 2007 @ 6:45am

    Quit the arguing...

    There is dishonesty on all sides of the political spectrum here so constantly shouting the likes of, "_____ stole the election." and "Oh yeah? Prove it." is just a vicious cycle of passing the blame around.

    The topic at hand here isn't who may be stealing elections from who but the fact that elections can be stolen with help from these e-voting machines with questionable security. Personally I'd say the best way to test these machines would be to hold a mock election in a real city. That way the test conditions are as real as possible and anyone trying to compromise the machines will have to actually think about how to do it instead of being given the manuals and documentation.

  • Scott, 31 Jul 2007 @ 6:56am

    Windows based...

    It seems most of the machines were Windows based. That is a can of worms for exploit right there. The machines should only run a customized open source operating system and voting software. That is the only way to verify all the software running on the machine including the BIOS. All the code could then be reviewed by security experts and anyone else interested.

  • Anonymous Coward, 31 Jul 2007 @ 7:54am

    I do hope that this practice becomes a lot more widespread. If all the states forced companies to pony up their source code and machines for testing they might at minimum be marginally secure from random people walking in on election day.

    However, mass tampering that can sway an election is generally done by the people running it, not someone randomly walking in on election day. A test where the hackers have total access is the right way to do it.

    It is totally possible to design a system where a hacker cannot subvert it without alerting everyone. I doubt that is possible if these are all windows apps. It really requires specially designed hardware such that even the voters can easily tell if the machine has been tampered with.

  • Ed, 31 Jul 2007 @ 8:09am

    ...

    God has nothing to do with this. God has nothing to do with you. God doesn't even exist. If you really believe that you would be a terrible person and everyone else would be too; based solely on the qualification of religion.. I mean.. grow up ok. You were a child and a great man was always looking after you and kept you safe. But God didn't keep that other person the same age of you safe. Were they evil? Were you more Godlike? NO. Religious people are so mentally immature it ruins this whole country. I must believe in God to do the good things in my life and he is just testing me during the bad. That is, he never shows up and what you create good is from you and what you create bad is also caused by you. And everything else is left up to the cosmic coin flip.

    As for these emachines. I am shocked, shocked, that the Republicans finally let people look inside the machines at all. Isn't it neat how for 5 years people wanted to look into those machines, ever since the 04 election people have been trying to get the machines open to check them out. to look at their "proprietary code." Yes, we collect the nation's votes (almost like a public service), for the reason to determine who our governmental leaders are for the entire nation.. you want to look at our code? NO! We are a private company, we don't care that our service affects every American, it's ours and go f'off government you can't look at it and check it. Yeah.. awesome companies.

    • Some Roandom Guy, 31 Jul 2007 @ 5:18pm

      Re: ...

      While trying to soak in your infinite knowledge, I find your statement dismissing the existence of a GOD about as annoying as those who try to cram it down people's throats. It's the closed-minded extreme absolutist views from the land of know-it-alls that turn any conversation into a heaping pile of relative #$%#. That's you my friend. Enjoy the rest of your life....

  • Anonymous Coward, 31 Jul 2007 @ 8:26am

    If American companies won't give us secure machines I guess we'll have to buy from China.

  • Anonymous Coward, 31 Jul 2007 @ 8:30am

    I'm moving to Canada...who's with me?!?

  • niftyswell, 31 Jul 2007 @ 11:33am

    For every Murtha there is a Packwood...for every Alaskan bridge to nowhere there is a post office scandal. People need to realize that the people who seek power are by their very nature corrupt but use different excuses to get it the Democrats will have government wipe your ass for you and say they are using rich people's money to do it (without pointing out they are richer than the guys across the aisle) and the Republicans will promise to lower taxes while at the same time expanding government at a faster pace than ever seen before. The only solution is to limit the size of government and the only way to do that is to reduce the tax base so that only essential services are paid for. The whole gist of the article is to convince everyone that your candidate lost because someone rigged the election- hardly a new conspiracy theory! There ain't an election that cannot be bought or a system that can't be beat.

  • joe, 31 Jul 2007 @ 11:33am

    Capitalism

    Way off topic but since there is some red vs blue going on.

    I don't think it matters who is elected. What matters is making money. No matter who is in office if you want clean streets, low crime, a decent education for your kids, and justice you have to make enough money to live in an expensive neighborhood. It is bad but it is reality.

  • Charles Griswold, 31 Jul 2007 @ 6:45pm

    Security Through Obscurity

    What still doesn't make sense is why the e-voting firms are so against this process. All it's really doing is helping those companies improve their products to make them more secure.
    It's called security through obscurity.

  • matthew warerell, 16 Aug 2007 @ 2:54pm

    n.y.p.d.

    please tell me how to hack in
