Are electronic voting systems vulnerable to hacking?
Congressional Research Service's Report for Congress from 2003 entitled "Election Reform and Electronic Voting Sytems (DREs): Analysis of Security Issues," stated:
"The most well-known attack targets are computers with direct Internet connections that hackers can exploit.
Vendors and election jurisdictions generally state that they do not transmit election results from precincts via the Internet, but they may transmit them via a direct modem connection. However, even this approach may be subject to attack via the Internet, especially if encryption and verification are not sufficient. That is because telephone transmission systems are themselves increasingly connected to the Internet...and computers to which the receiving server may be connected, such as through a local area network (LAN), may have Internet connections. In fact, organizations may be unaware of the extent of such connections."
Edward Felten, PhD, Director of the Secure Internet Programming Laboratory at Princeton University, and two of his graduate students at Princeton University's Center for Information Technology Policy, Ariel J. Feldman and J. Alex Halderman, released a paper on Sep. 13, 2006 titled "Security Analysis of the Diebold AccuVote-TS Voting Machine," which stated:
"Analysis of the [Diebold AccuVote-TS] machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities - a voting-machine virus."
Black Box Voting, Inc. and Harri Hursti, a computer security specialist, state in their May 11, 2006 report "Security Alert: Critical Security Issues with Diebold TSx,":
"Based on publicly available documentation, source code excerpts and testing performed with the system [Diebold AccuVote-TSx], there seem to be several backdoors to the system which are unacceptable from a security point of view. These backdoors exist in each of these three layers [boot loader, operating system, and application program] and they allow the system to modified in extremely flexible ways without even basic levels of security involved...
In the worst case scenario, the architectural weaknesses incorporated in these voting terminals allow a sophisticated attacker to develop an 'offense in depth' approach in which each compromised layer will also become the guardian against clean-up efforts in the other layers. This kind of deep attack is extremely persistent and it is noteworthy that the layers can conceal the contamination very effectively should the attacker wish that... The three-level attack is the worst possible attack. However, each layer can also be used to deploy a stand-alone attack...
It is important to understand that these attacks are permanent in nature, surviving through the election cycles. Therefore, the contamination can happen at any point of the device's life cycle and remain active and undetected from the point of contamination on through multiple election cycles and even software upgrade cycles."
Herbert Thompson, PhD, Chief Security Strategist at Security Innvoation, Inc., described an attack he performed with assistance from Black Box Voting, Inc. on the central tabulator for an electronic voting system in Leon County, Florida in a Jan. 19, 2006 interview with Computerworld magazine:
"On Tuesday, December 13, ... I wrote a five-line script in Visual Basic that would allow you to go into the central tabulator and change any vote total you wanted, leaving no logs. It requires physical access to a machine, which in many counties isn't very difficult to get - you have elections offices full of volunteers...
That hack was like pre-stuffing a ballot box to handicap one candidate by giving them negative votes and giving another positive ones... It's not political. Bad software is the issue. I'm a software security guy. I see a lot of bad software. All software has security vulnerability - this is just particularly bad."
Michael Shamos, PhD, JD, Distinguished Career Professor of Computer Science at Carnegie Mellon University, wrote in his paper "Paper v. Electronic Voting Records - An Assessment," published in the Proceedings of the 14th ACM Conference on Computers, Freedom and Privacy, 2004:
"The hacking stories we read in the papers concern attacks over the Internet against systems that are deliberately held open for access by the general public. Voting machines, by contrast, are highly controlled and cannot be accessed over the Internet. Hackers are not omniscient and even vendors have trouble programming tabulation software correctly. The prospect that a hacker could not only manipulate an election but do it without exhibiting a detectable bug is so far-fetched an idea that no one has come close to showing how it might be done."
Dana DeBeauvoir, Travis County (Texas) Clerk, submitted a paper titled "Prevention of Attack, Not Detection After the Fact: A Note on Risk Assessment and Risk Mitigation" in conjunction with her public testimony before the U.S. Election Assistance Commission on May 5, 2004, which stated:
"If there is no external communications pathway, then there is no risk of hacking, or gaining unauthorized entry into the tabulation system. Texas requires the use of closed systems. Most counties do not use modem transfer or only do so from substations, not directly from the polling place...It is possible to detect attempts to enter a modem line. Also, the Counting Station should still accept surrender and delivery of the physical medium and compare the tally and number of votes cast on the medium to the modemed [sic] results."
John R. Lott, Jr., Former Resident Scholar at the American Enterprise Institute wrote in his article "Unplugged Election" for the National Review Online, May 3, 2004:
"None of the systems is hooked up to the Internet. The electronic voting machines are stand-alone units. Hacking into them is impossible... In the 20-plus years that these machines have been used, in many counties all across the country, there has never been a verified case of tampering...
And even if such tampering were to occur, it would become readily apparent as the precinct election workers checked the machines for accuracy with sample votes before and after the election."
The Election Technology Council reported in the "Frequently Asked Questions" Oct. 2005 section of their website:
"DRE systems do not feature keyboards or other peripherals that enable an infiltrator to tamper with software code or vote tabulations. Memory is locked in machines. Software code resident in voting machines passes through a series of checks performed by vendor personnel, certification professionals, government officials, multiparty observers and poll workers... Systems may also store ballot definitions and other election data in redundant memory and verify this information after each vote. Discrepancies cause the system to shut down.
Voting machines are not connected to the Internet, barring the possibility of over the network hacking. System access is protected by passwords, and the machines create extensive audit logs that document all system events, including malfunctions or tampering attempts... DRE systems do not connect to the Internet and so cannot be hacked."
Diebold, an electronic voting machine manufacturer, released a document titled "The GEMS System Cannot be Hacked" (accessed May 1, 2007) which stated:
"Any attempt to hack, edit, or otherwise tamper with the election results will introduce obvious, well-defined inconsistencies into the system that will be detected by election administrators because the results are ultimately verifiable and auditable via standard operating procedures...
There isn't any credible vector of attack that can be derived from access to the GEMS application itself. There are no built-in GEMS features for 'hacking the election,' so gaining access to the database...does not open up any new avenues of attack."