X

E-voting machines vulnerable to remote vote changing

Researchers say they suspect Diebold machines aren't the only ones susceptible to simple man-in-the-middle attacks.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
 
The researchers explain how they did the attacks on the e-voting system in a video on The Brad Blog and YouTube.
The researchers explain how they did the attacks on the e-voting system in a video on The Brad Blog and YouTube. The Brad Blog

U.S. government researchers are warning that someone could sneak an inexpensive piece of electronics into e-voting machines like those to be used in the next national election and then remotely change votes after they have been cast.

The Vulnerability Assessment Team at Argonne Laboratory, which is a division of the Department of Energy, discovered this summer that Diebold touch-screen e-voting machines could be hijacked remotely, according to team leader Roger Johnston. Salon reported on it today, noting that as many as a quarter of American voters are expected to be using machines that are vulnerable to such attacks in the 2012 election.

Basically, when a voter pushes a button to record his or her votes electronically, the remote hijacker could use a Radio Frequency remote control to intercept that communication, change the votes, and then submit the fraudulent votes for recording.

The researchers uncovered similar problems with Sequoia e-voting systems in 2009, Johnston told CNET this afternoon. He said he believes the problem exists in all major e-voting systems but has only demonstrated successful attacks on the two systems.

"I believe this is a homeland security issue. Foreign nations could hijack elections," Johnston said. "In my view, this is a very serious matter that the Department of Homeland Security should be involved in, and for the most part, it's not."

Although it wouldn't take a nation-state to pull of a successful attack, he said. Someone with limited computer science knowledge and electronic parts costing about $25 could do it, without needing to even solder anything and leaving no trace behind, according to the researchers.

E-voting systems have been plagued by criticism about security issues, so much so that elections officials in various states have abandoned touch-screen systems over security and fraud concerns.

Dominion Voting Systems, which now owns Diebold and Sequoia, did not respond to a phone call and e-mail seeking comment from CNET this afternoon. E-voting system vendors in general have argued that security problems identified are either overly theoretical or have been fixed with hardware and software updates.

Previous demonstrations of e-voting hacks involved cyber attacks where knowledge of the operating system and hardware were required, according to Johnston. However, that was not the case in these demonstrations, he said.

"It would be pretty easy to pull off," Johnston said. "The bigger concern is that this attack is so straightforward. It suggests that there hasn't been much thinking about security in these voting systems."

While it would be relatively easy to make this type of attack more difficult to do by making modifications to the voting machine, stopping the attack cold would require more effort and a "careful examination of the security protocols used," he said.

Johnston and his team did the research on their own time, as "a kind of Saturday afternoon project," he said. "There's not a lot of funding out there to study voting machine problems."