The Truth will prevail, But only if we Demand an Article V Convention

9-11 Inside Job and Neocons Hacked 2004

Best Articles
and Videos

Report: Magnet and PDA Sufficient to Change Votes on Voting Machine

By Kim Zetter EmailDecember 17, 2007 | 11:36:19 PMCategories: E-Voting, Election '08, Hacks and Cracks  
Peb_emulation_on_ess_machineA new study (PDF) on the security of voting machines was released in Ohio on Friday. The report, one of the most comprehensive and informative that I've seen yet, contains some pretty astounding information about the security of voting machines that hasn't been revealed before. Unfortunately, the report isn't receiving the kind of attention it deserves.

It's the first independent study to examine machines made by Election Systems & Software, the largest voting machine company in the country -- the company's machines are used in 43 states. (A similar study of voting systems done in California earlier this year did not examine ES&S machines.)

What the researchers discovered is pretty significant.

They found that the ES&S tabulation system and the voting machine firmware were rife with basic buffer overflow vulnerabilities that would allow an attacker to easily take control of the systems and "exercise complete control over the results reported by the entire county election system."

They also found serious security vulnerabilities involving the magnetically switched bidirectional infrared (IrDA) port on the front of the machines and the memory devices that are used to communicate with the machine through the port. With nothing more than a magnet and an infrared-enabled Palm Pilot or cell phone they could easily read and alter a memory device that is used to perform important functions on the ES&S iVotronic touch-screen machine -- such as loading the ballot definition file and programming the machine to allow a voter to cast a ballot. They could also use a Palm Pilot to emulate the memory device and hack a voting machine through the infrared port (see the picture above right).

They found that a voter or poll worker with a Palm Pilot and no more than a minute's access to a voting machine could surreptitiously re-calibrate the touch-screen so that it would prevent voters from voting for specific candidates or cause the machine to secretly record a voter's vote for a different candidate than the one the voter chose. Access to the screen calibration function requires no password, and the attacker's actions, the researchers say, would be indistinguishable from the normal behavior of a voter in front of a machine or of a pollworker starting up a machine in the morning.

The attack they describe is significant because the researchers' description of how an intentionally miscalibrated machine would function -- that is, prevent a voter from voting for a certain candidate -- is precisely how some voters described the ES&S machines were acting in a controversial Florida election last year.

In November 2006 in Sarasota, Florida, more than 18,000 ballots recorded no votes cast in the 13th congressional race between Democrat Christine Jennings and Republican Vern Buchanan. Election officials say that voters intentionally left the race blank or failed to see the race on the ballot. But hundreds of voters complained during the election and afterward that the machines had been malfunctioning. Some said the machines simply failed to respond to their touch in that race -- the rest of the ballot, they reported, was fine. Others said that the machines appeared to initially respond to their selection of Christine Jennings, but then showed no vote cast in that race when they reached the review screen at the end of the ballot. Jennings lost to Buchanan by fewer than 400 votes. The race is under investigation by Congress and the Government Accountability Office.

[Earlier this year I did a FOIA request for records documenting the complaints that voters made about the machines on election day in Sarasota and put together a spreadsheet that you can view here. The third column from the left, marked "Problem," describes the nature of each complaint that came in.]

The Ohio researchers' findings raise new and interesting questions about that race. Indeed, the researchers themselves note that their description of how an intentionally miscalibrated ES&S machine might function, or malfunction, is consistent with how iVotronics have apparently acted in some elections (they don't mention the Florida race by name, but they likely had Sarasota in mind when they wrote this).

ES&S isn't singled out in the report. The researchers, among them computer scientist Matt Blaze, examined source code and hardware of touch-screen and optical scan machines from two other vendors as well -- Premier (formerly known as Diebold) and Hart InterCivic. They found vulnerabilities in the various systems that would allow voters and pollworkers to place multiple votes on machines, to infect machines with a virus and to corrupt already cast votes.

But one of the most worrisome flaws in my mind involves that infrared port on the front of ES&S touch-screen machines because it doesn't require anyone to open a machine to hack it. (The Premier/Diebold machine also has an infrared port on it, but the report doesn't discuss it, and the Ohio researchers weren't available to answer my questions.)

The problem concerns the PEB (personalized electronic ballot) interface used for preparing ES&S's iVotronic touch-screen machines for an election. The PEB is the external memory device that I mentioned above that is used to communicate with the iVotronic machine through the infrared port. PEBs are used by election administrators to load the ballot definition file and basic configurations onto the machine before the machines are deployed to polling sites. They are also used by poll workers to launch the machines on the morning of an election, to instruct the machine to pull up a ballot for each voter and allow the voter to cast just one ballot, and to close the terminal and collect the vote totals at the end of the election.

The researchers found that access to the PEB memory itself is not protected by encryption or passwords, although some of the data stored on the PEB is encrypted (using Bruce Schneier's Blowfish cipher -- note to Bruce to add the ES&S machine to your Blowfish products page). Nonetheless, the researchers were able to read and alter the contents of a PEB using a Palm Pilot as well as substitute the Pilot for the PEB. It's worth reading the section about this from page 51 of the report:

Anyone with physical access to polling station PEBs can easily extract or alter their memory. This requires only a small magnet and a conventional IrDA-based palmtop computer (exactly the same kind of readily- available hardware that can be used to emulate a PEB to an iVotronic terminal). Because PEBs themselves enforce no passwords or access control features, physical contact with a PEB (or sufficient proximity to activate its magnetic switch and IR window) is sufficient to allow reading or writing of its memory.

The ease of reading and altering PEB memory facilitates a number of powerful attacks against a precinct’s results and even against county-wide results. An attacker who extracts the correct EQC, cryptographic key, and ballot definition can perform any election function on a corresponding iVotronic terminal, including enabling voting, closing the terminal, loading firmware, and so on. An attacker who has access to a precinct’s main PEB when the polls are being closed can alter the precinct’s reported vote tallies, and, as noted in Section 6.3, can inject code that takes control over the county-wide back-end system (and that thus affects the results reported for all of a county’s precincts).

Only search This Site

Featured Articles & Videos

9-11 Truth Manifesto-Article V Constitutional Convention

The Biggest Scam in History

Olberman Interviews Michael Moore on Sicko Movie

Michael Moore Rips Lies of CNN

Olbermann-Bush and Cheney Should Resign

1967 War and Israeli Occupation of Gaza and West Bank

Israel-Violent Oppressor

AIPAC Intervenes on Iran

Mark Crispin Miller-Imposition of Theocracy Video

Overthrow: America's Century of Regime Change Video

Israel-Not So Cool Facts Video

Israeli Neocon Connection Video

Impeach Cheney Movement

How George Tenet Lied

America Freedom to Fascism 

Open Complicity-Anatomy of 9-11 Cover-Up Video-MUST WATCH

Israeli Lobby-Portrait of a Great Taboo-Video

Top Federal Reserve Bank Scam Articles and Videos

Are Rove's E-Mails the Smoking Gun of 2004 Election

WTC Demolition Video

Biden to Bush-Stop War-Video

How Iraq Was Looted

Neocons in Cheney Office
Fund al-Qaeda Type Groups

Bush/Exxon Fund 90% of U.S. Soldiers Killed in Iraq

Scott Ritter-Middle East Abyss-Videos

Afghanistan to Iraq-Connecting Dots with Oil

U.S. Role in Sadam Invading Kuwait

Essential Films on Globalization


Bill Moyers' Talk on Media Reform-Part 1