Hacking of Voting Equipment in Front of Election Supervisor of Leon County, Florida

Submitted by Sarah Gonzales on November 16, 2005 - 11:56am.

A new hack test of voting equipment ... this time in front of the election supervisor of Leon County, Florida.

by Pokey Anderson, Sunday Monitor, KPFT - HOUSTON, June 5, 2005

The investigative team from Black Box Voting, a non-partisan elections advocacy group, got permission to attempt to hack a real voting system this year.

Previously, numerous independent studies have severely criticized software and hardware of various electronic voting vendors, such as Diebold and ES&S. In one study that was commissioned by the State of Maryland, a team from RABA Technologies hacked a test Diebold touchscreen system easily, in many different ways, and left no trace of their test visit -- even the one that changed votes. In that touchscreen test over a year ago, RABA expert Michael Wertheimer said it would take nearly a complete rewrite of the computer code to fix the machines' flaws. One of his team said that Diebold "basically had no interest in putting actual security in this system. It's not like they did it wrong. It's like they didn't bother."  [Source: Stephanie Desmon: "Md. computer testers cast a vote: Election boxes easy to mess with" January 30, 2004, Sun (Maryland)]

Several thousand computer experts have been critical of touchscreen flaws and fundamental security design problems. Many, including Rice Professor Dan Wallach, have suggested that optical scan systems, especially since they have paper ballots, are preferable to paperless voting.

In the new test, however, the system used was optical scan. Optical scan is similar to an SAT test -- the voter fills in a circle for his or her choice, and the paper is run through a machine to scan and detect the choice. The results are tabulated electronically.

In this test, the optical scan equipment was made by Diebold. The Diebold optical scan system was used in about 800 jurisdictions in 2004. Among them were several hotbeds of controversy: Volusia County (FL); King County (WA); and Lucas County, Ohio.

The hack test was in northern Florida, near Tallahassee. Leon County Supervisor of Elections Ion Sancho agreed to the test. The hack testers made three separate visits, attempting to invade the voting system from the outside, and from the inside.

The Supervisor of Elections' statement can be found at www.leonfl.org. The website states:

"No outside hack was accomplished. ... The Leon County Supervisor of Elections was tremendously relieved that such penetration was not accomplished." ...
"This was not the case however when the hacker was physically present at the vote tabulation computer terminal. "Granted the same access as an employee of our office, it was possible to enter the computer, alter election results, and exit the system without leaving any physical record of this action. It was also demonstrated that false information or instructions could be placed on a memory card (the device used to program the individual voting machines and record the voter's votes) and create false results or election reports."

According to the report from Black Box Voting, "The Diebold optical scan system uses a dangerous programming methodology, with an executable program living inside the electronic ballot box. This method is the equivalent of having a little man living in the ballot box, holding an eraser and a pencil. With an executable program in the memory card, no Diebold optical scan ballot box can be considered 'empty' at the start of the election."

The Black Box Voting team proved that the Diebold optical scan program, housed on a chip inside the voting machine, places a call to a program living in the removable memory card during the election.

Computer expert Harri Hursti gained control over Leon County memory cards, which handle the vote-reporting from the precincts.

Election activists have long suspected the central tabulation point in an election system would be a juicy target for hackers and fraud, given that the votes accumulated centrally are more numerous than at the precinct level. Dr. Herbert Thompson, a security expert, took control of the Leon County central tabulator by implanting a trojan horse-like script.

The experts used by Black Box Voting each found the vulnerabilities for their respective hacks in less than 24 hours of study. When it comes to this optical-scan system, Hursti says, "It's not that they left the door open. There is no door. This system is 'open for business.'"

Congresswoman Corrine Brown (FL-Dem) was shocked to see the impact of the trojan implanted by Dr. Thompson. She asked if the program could be manipulated in such a way as to flip every fifth vote. "No problem," Dr. Thompson replied. "It IS a problem. It's a PROBLEM!" exclaimed the congresswoman.

The key to the hacks shown by the consultants, using the actual voting system used in a real elections office, was that the Diebold optical scan equipment couldn't tell a real memory card from an imposter. The memory card is like a ballot box. When an altered memory card was substituted for a real one, the equipment couldn't tell. Even an imposter memory card with the votes themselves changed was not detected to be a fake.
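An added example, not from the original article or the Black Box Voting report: one way a scanner could refuse a substituted or altered card, by treating the card as data only and checking a keyed tag before use. The card layout, the key provisioning and the function names are assumptions made for illustration; the article does not describe Diebold's card format.

```python
import hashlib
import hmac
import struct

# Hypothetical data-only card layout (an assumption, not the vendor's format):
#   magic "CARD" | precinct id (u16) | counter count (u16) | counters (u32 each) | HMAC-SHA256 tag
MAGIC = b"CARD"
TAG_LEN = 32


def seal_card(key, precinct_id, counters):
    """Elections office side: build a card image and append the keyed tag."""
    body = MAGIC + struct.pack(">HH", precinct_id, len(counters))
    body += struct.pack(f">{len(counters)}I", *counters)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_card(key, image, expected_precinct, require_zero=True):
    """Scanner side: return (accepted, reason) before any card content is used."""
    if len(image) < 8 + TAG_LEN:
        return False, "truncated"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"  # substituted, altered or extended card
    if body[:4] != MAGIC:
        return False, "bad magic"
    precinct, n = struct.unpack(">HH", body[4:8])
    if len(body) != 8 + 4 * n:
        return False, "length mismatch"  # no room for anything but counters
    if precinct != expected_precinct:
        return False, "wrong precinct"
    counters = struct.unpack(f">{n}I", body[8:])
    if require_zero and any(counters):
        # A correctly tagged card can still be a non-empty "ballot box".
        return False, "nonzero counters"
    return True, "ok"


if __name__ == "__main__":
    office_key = bytes(range(32))  # constructed sample key
    genuine = seal_card(office_key, 12, [0, 0, 0])
    imposter = seal_card(b"x" * 32, 12, [0, 0, 0])  # made without the office key
    for name, image in (("genuine", genuine), ("imposter", imposter)):
        print(name, check_card(office_key, image, 12))
```

A shared HMAC key must sit in every scanner, so anyone with scanner or office access can produce valid tags; the tag check complements, and does not replace, hand-counting the paper ballots.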

The Election Supervisor himself was unable to tell, at first, whether the poll tape printed with manipulated results was the real thing. Only the message at the end of the tape, which read "Is this real? Or is it Memorex?" identified the tape as the tampered version of results.

Black Box Voting believes the testing demonstrates that Diebold programmers developed a system that sacrifices security in favor of dangerously flexible programming. None of the attacks left any telltale marks, rendering all audits and logs useless, except for hand-counting all the paper ballots.

This optical scan equipment was certified, and BBV says this violates FEC standards and calls the actions of testing labs and certifiers into question.

Black Box Voting writes: "Putting an executable program into removable memory card 'ballot boxes' -- and then programming the optical scan chip to call and invoke whatever program is in the live ballot box during the middle of an election -- is a mind-boggling design from a security standpoint." Black Box Voting is calling for the product to be recalled.

The Black Box Voting report is available at www.blackboxvoting.org

The group plans to make available a more technical report as well this month.