UC Scientists Release Voting Machine Hacking Video

By Brad Friedman, Brad Blog. Posted September 10, 2008.

The Computer Security Group at the University of California Santa Barbara (UCSB) has released a short, chilling video demonstrating how a single person can hack an election on a touch-screen voting system -- even one with a so-called "Voter Verifiable Paper Trail" (VVPAT) added to it -- in such a way that it is highly unlikely that the manipulation would ever be detected by either the public or election officials.

The video, which shows "just examples of the different ways in which the system can be compromised" is the latest in a similar string of such demonstrations that have been released over the last two years, all showing how easily electronic voting systems can be tampered with, often undetectably.

In the UCSB video posted below, the hack of Sequoia voting system being prepared for use in an entire county, is done in approximately 3 seconds, by a single person with simple insider access and a $10 USB thumb drive. Every machine used in the county, in such a case, would be effected. Moreover, the viral hack would not be discovered by pre-election "Logic and Accuracy" testing -- in cases were election officials actually bother to perform such tests prior to elections -- nor would it likely be discovered even in the event of a complete, 100% post-election audit of the touch-screen "paper-trail" records.

The hack demonstration, prepared by the UCSB scientists as part of California's 2007 "Top-to-Bottom Review" of all of the state's e-voting systems, also reveals how so-called "security seals" placed on such machines after they've been programmed for an election, can be easily defeated without detection ...

How and Why It Was Done

The landmark California study, which employed dozens of the world's top computer scientists and security experts, was commissioned by Sec. of State Debra Bowen. The first-of-its-kind, independent state analysis, included hack tests -- so-called, "Red Team" attacks -- to analyze the security of the e-voting systems. All of the systems studied were easily defeated by the testers.

The UCSB group was in charge of the analysis of voting machines made by Sequoia Voting Systems.

The methods used in the hack of a Sequoia Edge direct recording electronic (DRE, touch-screen) system -- a system which includes the Sequoia Verivote paper-trail printer, as seen in the video -- were original described in the Red Team security analysis [PDF] of the Sequoia systems as published by the Secretary of State.

The video demonstrating the voting system manipulation was prepared at the same time, but had not been released publicly until now. The scientists involved in the tests declined to speak on the record as to their reasons for releasing it at this time.

"We found a number of major flaws that can be exploited to compromise the integrity, confidentiality, and availability of the voting process," explains the UCSB website where the video was released. "In particular, we developed a virus-like software that can spread across the voting system, modifying the firmware of the voting machines."

The page goes on to explain that "The modified firmware is able to steal votes even in the presence of a Voter-Verified Paper Audit Trail (VVPAT)." In addition to the hack of the paper-trail touch-screen system, the UCSB scientists also demonstrate, in the video, how the Sequoia Edge touch-screen voting system may be accessed and manipulated even after so-called "security seals" have been applied to the machine following pre-election programming. The members of the team in the demonstration are seen access the system, while the plastic "security seals" are remain undisturbed in the process.

"Security seals" of this type, as used in California and elsewhere -- seen being easily defeated in the video -- have been cited by election officials and voting machine companies alike as key to the secure use of electronic voting machines such as the one seen being hacked in the video above.

E-Voting "Fatally Flawed"

"The video shows how one can use a simple USB key to infect the laptop used to prepare the cards that initialize the various voting devices. As a result, the cards are loaded with a malicious software component," UCSB explains.

"When a card is inserted in a voting terminal, the malicious software exploits a vulnerability in the terminal loading procedure and installs a modified firmware, effectively 'brainwashing' the terminal. Later, when the terminal is used by the voters to cast their votes, the firmware uses a number of different techniques to modify the contents of the ballots being cast."

The UCSB Security Group page notes that electronic voting systems are exceedingly vulnerable to malicious manipulation of the type demonstrated in their video.

"While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny," they write.

See more stories tagged with: fraud, voting rights

Liked this story? Get top stories in your inbox each week from Politics! Sign up now »