In the Republican Primary elections back in June, I had my first experience voting using Utah County’s new electronic voting machines. The process itself was smooth and voting using the machines was easy to understand and even pleasant.
However, my experience as a computer programmer has taught me a healthy distrust of technology and of people using technology.
Implementing proper security in any system takes an exceptional amount of effort, and even then, hackers are unbelievably resourceful and will often find ways to infiltrate the system despite a well implemented security process. What a lot of people unfamiliar with the topic don’t realize is that hackers excel at not only software engineering, but at what we call Social Engineering, or manipulating people using their expectations of technology.
Here is an illustrative example of the kind of technological-social engineering a hacker might use that I remember from a security book I read some years ago:
Many offices employ a phone system where the phones have a small caller-id display screen that, for internal calls, shows the name of the employee who is calling. Some of these systems have a weakness in that if you receive a call from outside the company and then forward it to another employee’s extension, it will display your name on the caller id of the other employee instead of showing it as an outside call. Taking advantage of this fact, a hacker calls the receptionist and asks to speak with the company president. When the company president answers the call, the hacker tells him that he has made a mistake and meant to be transferred to the IT department. The president, forwards the call on to the IT department. What does the IT staff member see in the caller-id? She sees the company president’s name. She picks up the phone and the hacker, doing his best imitation of the president’s voice, says “I seem to have forgotten my password. Will you please reset it to: hck@12a.” The IT staff member thinks it is the company president, tells him that she will get on it right away, hangs up the phone and makes the change. The hacker can now use the password to access the president’s account.
The hacker in this example used social engineering in combination with technical knowledge to compromise the company’s system.
I used to work as a data conversion programmer for a financial data center. While the data center’s security policy and procedure were well designed and employees did a good job of adhering to the policy, we struggled to get the employees of the banks we provided service for to understand security issues and act accordingly.
When new banks signed on to our system, I was in charge of migrating loan data from their old data source to our system. Usually the data was transferred by plane on large magnetic tapes. However, I was surprised at the number of times I received unencrypted email attachments from bankers consisting of an Excel spreadsheet of the loan data to be converted. The loan data did not contain PIN numbers, but it often contained sensitive information such as names, mother’s maiden names, social security numbers, what the loan was for, or information about how often the account holder had been late on their payment and by how long.
No matter how emphatically we stressed the insecurity of sending such data via email, the convenience of it, and the resistance to learning to use new, secure methods of transferring it, guaranteed that it would still happen.
Perhaps it is needless to mention that my sense of security with regard to my own financial data, and financial data in general has never recovered. It is a miracle that our society continues to function on its unquestioning faith in modern technology and those who use it. Chaos always lurks beneath the seemingly serene surface. I would not at all be surprised if one day it all came tumbling down.
So back to voting machines.
The Center of Information Technology at Princeton University has published a research paper demonstrating how to hack Diebold voting machines so that they steal votes for one candidate and give them to another, and then report the incorrect winner in the final tally.
From my memory, the machines appear to be identical to the ones I used in the primary election earlier this year and that will likely be used this fall in the general elections.
The research team has also produced the following 10 minute video demonstrating how the machines are compromised and the vote tallies changed. It is well worth the 10 minutes to watch it. You can view it embedded below or at the Princeton research website linked above.
This video should scare voters to death. With the general election fast approaching, I hope that Utah County and State will address this study and come up with a solution to assure voters that the election will not be compromised by the use of Diebold voting machines, even if that means going back to punchcard ballots.
Please write your city, county, and state representatives including the county commissioners and clerk/auditor.
UPDATE: Diebold Election Systems Inc. has released a statement intended to refute the Princton study. They explain that the security software on the model used in the study is old and is not in use in any of the states that employ the machine. The method used to compromise the antiquated system would not work on current versions. That doesn’t mean that we should not be concerned. But it does mean that Princeton Study was performed on an outdated system and should be taken with a grain of salt.
Still, my experience teaches that we should be worried about the potential for hacking electronic voting machines.
One Response to Hacking Electronic Voting Machines