Q&A: E-voting systems hacker sees ‘particularly bad’ security issues

Herbert Thompson took part in a hacking of Diebold voting equipment last year

News Story by Marc L. Songini (marc_songini@computerworld.com)

JANUARY 19, 2006 (COMPUTERWORLD) - When Herbert Thompson, director of research at Wilmington, Mass.-based Security Innovation, talks about e-voting security, he speaks from firsthand experience. Security Innovation conducts security testing and Thompson is the co-author of several books, including How to Break Software Security. He volunteered to use his expertise in tests to determine whether it's possible to hack electronic voting gear last May and again last month in Leon County, Fla. With fellow security expert Harri Hursti, Thompson took part in the hacking of an optical scan system made by Diebold Elections Systems Inc., allegedly proving that election results could be changed.

Thompson spoke recently with Computerworld about e-voting reliability. Diebold declined to make anyone available for an interview on the topic, but a spokesman dismissed the concerns raised by Thompson. Diebold’s response follows Thompson’s comments below.

Can you tell us about some of your e-voting machine hacking activities? On Tuesday, Dec. 13, we conducted a hack of the Diebold AccuVote optical scan device. I wrote a five-line script in Visual Basic that would allow you to go into the central tabulator and change any vote total you wanted, leaving no logs. It requires physical access to a machine, which in many counties isn’t very difficult to get -- you have elections offices full of volunteers. In Leon County, they have good policies and procedures in place. But in many counties, where such awareness doesn’t exist, that brings up some serious concerns about someone being able to tamper with the results.

Harri Hursti changed the contents of a memory card used in the optical scan device and preloaded it. During the [pre-election testing] procedure, it will tell you there are no votes on the card, but there is executable content on it. If you can get access to the memory card, you can change its logic and have it do whatever you want -- even print a smiley face. That hack was like prestuffing a ballot box to handicap one candidate by giving them negative votes and giving another positive ones.

Is e-voting security a political issue? I’m strictly an independent person donating my time. It’s not political. Bad software is the issue. I’m a software security guy. I see a lot of bad software. All software has security vulnerability -- this is just particularly bad. As an election official, you have to be wary when touching a tabulator or a memory card, it has to be treated like a box of live ballots.

Diebold has claimed that the hacks have been unfair. Your response? I would love to do a demonstration where Diebold participates. There are certainly other voting companies that make tabulation software as well as optical scan gear, and we’re seeing the same vulnerabilities as we’ve seen in Diebold’s systems, which raises a broader question. That’s about whether the verification and validation processes these machines go through are woefully inadequate or not. The e-voting companies aren’t volunteering up their systems for independent audits and analysis.

Is the security in e-voting up to the standards business executives would demand in their business applications? No way. Definitely not. Five years ago, yes, but in the current climate, no. These guys are betting their critical business processes on software. They need to consider who might do harm to that system. This level of rigor isn’t applied to e-voting systems.

What do you think should be done? There should be much more severe security testing requirements. The key, from my perspective, is you need to raise awareness that these vulnerabilities do exist and can be exploited and you need a way of measuring security.

Diebold Responds

Diebold has publicly denounced the Leon County tests as being invalid. In fact, the vendor contended that Leon County Elections Supervisor Ion Sancho’s decision to sponsor the hacking attempts were potential violations of licensing agreements and intellectual property rights. In a letter to Sancho on June 8, Diebold said Sancho had committed a “very foolish and irresponsible act.” In that same letter, Diebold said the May hack was akin to “leaving your car unlocked, with the windows down and keys left in the ignition and then acting surprised when your car is stolen or the interior vandalized.”

Diebold spokesman David Bear responded to some of Thompson’s claims about Diebold gear. The design of the equipment used in the Leon County demonstration dates back to the early 1990s, Bear said. Diebold’s current touch-screen voting machines have far more sophisticated security that would prevent this type of attack.

Additionally, Bear said, the older optical scan machines are only vulnerable to such a hack when normal security procedures are not followed. “Even the older memory cards are sealed in the machines after pre-election testing is complete,” he said. “The cards are not given to third parties for ‘hacking purposes’ as was done during the demo. If any of the seals are broken or there is any hint of a security breach, the paper ballots can be recounted. Furthermore, many locations require a certain percentage of ballots be recounted even when there is no suspected fraud.”

He also said that Diebold regularly enhances its products to bolster security, and the enhancements are discussed, implemented, tested, certified and made available to customers. “This situation is no different,” he said. “Procedures are available which fully protect against this style of attack.”