Electronic voting machines vulnerable to untraceable hacking, DOE security team says
Any amateur computer saboteur with $10.50 in his pocket could easily tamper with touchscreen polling machines, potentially changing final vote counts, a federal security testing group demonstrated recently in a 15-minute video.
All it takes is a commercially available microprocessor that easily fits in the palm of a hand, according to the video by the Vulnerability Assessment Team (VAT) of the Energy Department's Argonne National Laboratory. The testers opened the back of a Diebold AccuVote TS direct recording electronic voting machine, plugged in the microprocessor between two components, and that was it.
The type of attack demonstrated, called "man-in-the-middle," allows a saboteur to send information from the touchscreen to the computer that varies from what the user touched on the screen. With a $15 radio-frequency remote control, someone could actively change the data while a person is voting. The data changes cannot be traced.
The computer scientists, Roger Johnston and John Warner, say their demonstration shows that electronic voting is vulnerable to attacks much less sophisticated that what it would take to launch a full-on cyberattack. There are no external signs of machine tampering such as soldering or breaking a seal, they point out. And a smaller microprocessor could be overlooked even if someone opened the machine to examine the circuit board, they say.
The machines are vulnerable after being set up at the polling place before Election Day, while in transit to the polling place, or while in storage between elections, they say.
Los Angeles blogger Brad Friedman broke the news in a Sept. 27 article in Salon. He says that the Diebold machines were provided to the security testing team by VelvetRevolution.us, an organization he co-founded, a so-called "citizens brigade" set up to "fight the corrupt tactics of government and corporations." Friedman obtained the Argonne group's video and posted it on YouTube.
Friedman subsequently blogged that paper ballot optical scanners are vulnerable to similar hacking.
Several states use direct recording electronic, or DRE, machines. Others have phased them out because the systems do not provide printouts, making the results difficult to audit, reports The Register.