An Incredibly Insecure Voting Machine

← "Hinky" in Action The Further Democratization of QUANTUM →

An Incredibly Insecure Voting Machine

The weak passwords -- which are hard-coded and can't be changed -- were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with wired equivalent privacy, an algorithm so weak that it takes as little as 10 minutes for attackers to break a network's encryption key. The shortcomings of WEP have been so well-known that it was banished in 2004 by the IEEE, the world's largest association of technical professionals. What's more, the WINVote runs a version of Windows XP Embedded that hasn't received a security patch since 2004, making it vulnerable to scores of known exploits that completely hijack the underlying machine. Making matters worse, the machine uses no firewall and exposes several important Internet ports.

It's the AVS WinVote touchscreen Direct Recording Electronic (DRE). The Virginia Information Technology Agency (VITA) investigated the machine, and found that you could hack this machine from across the street with a smart phone:

So how would someone use these vulnerabilities to change an election?
Take your laptop to a polling place, and sit outside in the parking lot.
Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
Connect to the voting machine over WiFi.
If asked for a password, the administrator password is "admin" (VITA provided that).
Download the Microsoft Access database using Windows Explorer.
Use a free tool to extract the hardwired key ("shoup"), which VITA also did for us.
Use Microsoft Access to add, delete, or change any of the votes in the database.
Upload the modified copy of the Microsoft Access database back to the voting machine.
Wait for the election results to be published.

Note that none of the above steps, with the possible exception of figuring out the WEP password, require any technical expertise. In fact, they're pretty much things that the average office worker does on a daily basis.

More.

Tags: cell phones, firewall, passwords, patching, security engineering, voting, vulnerabilities, Wi-Fi

Posted on April 23, 2015 at 7:19 AM • 69 Comments

Comments

Dimitris Andrakakis • April 23, 2015 8:04 AM

- WEP
- WinXP
- Password: admin
- DB: MS Access
- No firewall

AAAAAAAARRRGGHHHHHHHHHHHHHHHHHHHHHHH

Andrew • April 23, 2015 8:04 AM

Wow! This brings back memories!

Back in uni someone had cooked up a similar scheme for sharing MS Access dbs for the Department's administration. Took some time and effort to get everyone involved to agree that it's a really terrible idea.

That said, my experience is about half a dozen years old. To still use this approach, let alone in a voting machine... I really don't think there's any excuse for such idiocy.

QnJ1Y2U • April 23, 2015 8:04 AM

Turns out the (unchangeable) wi-fi password is abcde.
Cue the luggage jokes ...

charlie • April 23, 2015 8:17 AM

I'm sure you can do that to change what a voting machine does.

You've got 4-5 voting machines at a precinct, so I'd so one person could do that at a precinct.

(And some voting locations might have 2 precinct combined. Easier)

I'm not taking away from the flaws here. Not even sure why they have wifi.

But this isn't how you steal elections.

The lines out the door in June (because of replaced machines) will be a far larger effect on vote suppression.

Anura • April 23, 2015 8:19 AM

This is why we need serious certification and auditing standards for these machines. I'd argue they should all be open source hardware and software, not necessarily because open source is more secure, but because it allows us to provide a modicum of trust and discourages stupidity occurring because programmers assume that secrets in compiled code cannot be extracted.

Xavier • April 23, 2015 8:21 AM

Wifi connected voting machine running windows XP, with votes in a Microsoft Access database, with accessible usb ports.

How could it end wrong ?

kingsnake • April 23, 2015 8:33 AM

Access!? Good Lord ...

Thomas • April 23, 2015 8:36 AM

The current state of the art of Computer Security is that the average PC sitting in the average house in front of the average user can't show a movie of a skateboarding cat without catching 3 viruses and joining 2 botnets.

To whomever decides these things, please stop thinking about eVoting and go buy some pencils.

Thomas • April 23, 2015 8:46 AM

@Anura

> This is why we need serious certification and auditing standards for these machines

And how do you checck that the certified, audited code is running on the eVoting machine sitting in front of you?

Pencil. Paper. Done.

Dean • April 23, 2015 9:08 AM

It's almost like the system was purposely designed to be hacked...

Bardi • April 23, 2015 9:26 AM

Dean,

Agree entirely. People are not stupid. To think that nefarious individuals would not read technical papers highlighting those discrepancies is naive, at best.

The hard part, I would think, would be to ensure that nothing obvious happened, to allow a few of the other party to win, to disallow or discourage attempts at sweeps.

As an amateur hacker, I have always tried to block attempts to vote electronically.

Spaceman Spiff • April 23, 2015 9:31 AM

Combine this situation with this, http://www.kansas.com/news/politics-government/article17139890.html and one has to wonder just who is behind this cruft! Hopefully, the truth will out.

vas pup • April 23, 2015 9:39 AM

That was posting related to movie plot on April, 1 as joke, but looks like it could be close to reality: "vas pup • April 1, 2015 8:59 AM:
"Hackers break into election system and declared winner of the next POTUS election Ed Snowden (or N.Korean Kim or Cuban Castro or Vladimir Putin - make your own selection). :)"

Winter • April 23, 2015 10:13 AM

@Spaceman Spiff
"Hopefully, the truth will out."

Sadly a fire will have destroyed the paper records before the elections officials will have been able to return them.

The secretary of state will be very sorry, but he will be confident the police will go to the bottom of this and will find the innocuous cause of this fire. Investigations will have found nothing unusual.

Peter Galbavy • April 23, 2015 10:39 AM

So, how long until those that wrote and published this are prosecuted? Don't they know that security research against the administration is a crime?

herbalist • April 23, 2015 10:45 AM

Not the first voting machine running Windows. The Diebold Accuvote ran Windows and at least 7 versions of a proprietary software that ran on top of it. No one ever inspected these. Intellectual property trumps our right to free and open elections.

Winter • April 23, 2015 10:47 AM

@Peter Galbavy
"So, how long until those that wrote and published this are prosecuted?"

We know how such things end:

http://www.democracynow.org/2008/12/22/republican_it_specialist_dies_in_plane

A top Republican internet strategist who was set to testify in a case alleging election tampering in 2004 in Ohio has died in a plane crash. Mike Connell was the chief IT consultant to Karl Rove and created websites for the Bush and McCain electoral campaigns. He also set up the official Ohio state election website reporting the 2004 presidential election returns.

albert • April 23, 2015 10:54 AM

@Dean
Quite so! This design gives plausible deniability to any 'concerned party' doing the hacking. No need for an 'inside job'. If everyone can do it, who done it?
.
In the 2000 'election', there were some serious discrepancies between exit polls and final results in certain districts with EVMs. IIRC, exit polls have had around a 1-2% error rate. No one seems to remember this. I predict tampering with exit poll results as well. They gotta be closer to the 'rigged' numbers.
.
It's so bad it's actually funny.
.
...

Fred P • April 23, 2015 11:16 AM

@Thomas - I'll tell you how the Gambling industry solved it for video lottery; feel free to point out any holes.

Step 1: Request a hash over the code, including any configuration files, etc. Choose the starting seed and the portion of the code to execute it over. Get the result.
Step 2: Perform the hash, in exactly the same way, on a certified, audited eVoting machine.
Step 3: Check that these two values match.

Potential issues I'm aware of:
1) If the memory is sufficient, you can execute some arbitrary code which only uses the audited code for the purpose of the hash.
2) You could choose a poor hash algorithm.

MarkH • April 23, 2015 11:17 AM

From 2008:

http://www.avantnews.com/news/106246-19-year-old-diebold-technician-wins-us-presidency

Anura • April 23, 2015 11:36 AM

@Thomas

Pencil and paper aren't that great either. If you are hand-counting, you introduce human error. If you are machine counting, then you have the same problem as with electronic voting machines, while being more likely to misread or reject a ballot. Not only that, but you risk spoiled ballots which has been a problem in the past (see 2000 elections). Electronic voting machines can be made reliable and auditable, for example machines can simply print out paper ballots, and they also provide much better accessibility for the blind, as well as people with poor manual dexterity.

Someone mentioned the following system in the past:

https://www.usenix.org/conference/evtwote13/workshop-program/presentation/bell

Pallet Jack • April 23, 2015 11:48 AM

Several years ago, some bigshot from HQ of our now-defunct major grocery chain came around to give us a pep talk on their new "state-of-the-art" computer system that controlled *everything*.

Afterwards, I took him out to the parking lot and used a yardsale laptop to give him a guided tour. Went in from the time clock (UID "time" and PWD "clock"), arranged for the central warehouse to ship a load of ice to Alaska ("admin" & "admin"), showed him his (and the CEO's) personal emails, etc.

He looked like a pole-axed steer. Asked me, "Who ARE you?" in an awed whisper.

"One of the guys who unloads your trucks," I replied. "I couldn't get an IT job because I'm 'not certified'."

Guess who got "laid off" the next day?

WinDOHs! 'Murika! qwerty!

God, you people are so seriously, majestically, cosmically screwed.

Clive Robinson • April 23, 2015 12:14 PM

East London Mayor found guilty of electoral fraud today.

http://www.bbc.co.uk/news/uk-england-london-32428648

Whilst the fraud was wide ranging, it's clear there was direct manipulation of votes not carried out by the traditional voting method of poll station booth and ballot paper...

Whilst he has been caught and expelled from office, he has not yet faced criminal prosecution for fraud and other illegal activities he carried out whilst in office...

He has trained as a solicitor (lawyer) and thus should be fully cognizant of what he has done. Therefore I hope he does spend a suitable period in jail (life in prison is one possible sentance). However I suspect at most it will br six months in an open prison...

Clive Robinson • April 23, 2015 12:35 PM

@ Charlie,

The lines out the door in June (because of replaced machines) will be a far larger effect on vote suppression

Whilst that will reduce the over all vote count, it's not likely to effect the ratio of votes cast. And it is usually the ratio that decides who gets to polish the seat of their pants at the tax payers expense....

Ari Trachtenberg • April 23, 2015 12:53 PM

You seem to be making the unsupported assumption that voting in this country is currently free of significant manipulation. The proper engineering approach to secure voting is to first analyze the sources of error, and then target the most influential ones.

Ed Smth • April 23, 2015 12:57 PM

I first saw this system demonstrated in November 2002. The company that manufactured it went out of business a few years thereafter. These units, with their faulty architecture, would never pass today's US EAC standards and obtain a passing lab test report; certainly not a federal Certificate. It does point out a need for States to consider what happens when a voting system ceases to be maintained by its manufacturer. Today's security hash algorthms and key lengths become trivial to break tomorrow. Like any secure system, voting systems require maintenance by some entity to remain viable.

V • April 23, 2015 1:07 PM

The voting system most of (all?) my state uses is quite satisfactory: paper ballots with electronic counting.

A random educated voter can feel confident the vote isn't rigged -- no unique ID on your ballot so you're confident your individual vote isn't being tracked, no paper shredder sounds from the counting machine so you know your vote hasn't been voided, and the right to vote for Lizard People if you wish.

If the election is close the actual ballots can be recounted. That only happens every election somewhere in the state. Election judges can recount random precincts to verify that the counting machines aren't massively crooked.

If there is a power failure in the polling place or if the counting machine goes down, no problem. Collect the votes in a cardboard box to hand count at the end of the day.

As a bonus, high turnout elections are no problem. In the first Obama election my polling place was packed. The election judges had plenty of paper ballots and had laid in a supply of extra pens and clipboards. People were scattered across the room filling in their votes, and sliding them into the vote tabulator took 2 seconds per voter, including the time it took to walk into the privacy zone.

Nick P • April 23, 2015 2:01 PM

@ All
re voting systems

A prior conversation here on the topic brought Scantegrity to my attention. I only briefly reviewed it. The combo of usability and security is good. Sharing it for further peer review or improvement.

Hans • April 23, 2015 2:19 PM

@Anura: Pencil and paper aren't that great either. If you are hand-counting, you introduce human error.

Human error can be corrected by recounting the pencil marks on the paper, and most importantly, the counting can be scrutinized. Machines are more difficult to scrutinize and far more difficult or impossible to re-count correctly (without a re-vote).

I suspect you are overly impressed by machines or our ability to harness them. Just because you can automate something does not mean you should. Automating vote counting is an example of trying to automate a rarely done task where the cost of verifying the automation is high, the cost of failure is high (e.g. recount, loss of trust) compared to the cost of counting pencil marks on paper.

Real, large democracies manage preferential voting schemes (i.e. more complicated than simple majority counting) using pencil and paper.

The 2000 election you mention (Florida, USA, I assume), was not pencil marks on paper. It was badly designed punched cards meant for machine reading. The failure was in trying to interpret the meaning of "pregnant chad", which was never an intended use case.

Bob S. • April 23, 2015 2:56 PM

If I was super-rich and wanted to buy elections, WINVote is the system I would want, everywhere.

It's even got built in plausible deny-ability because the code is so bad. (A child could hack it.)

If you think about it, the political/economic agenda of the 1% is so at odds with mainstream America it's getting more and more difficult to sell it to the suckers/voters. Slowly they are beginning to comprehend, for example, that globalization, out sourcing and automation of jobs leads to less jobs, less wages and a lower living standard. Meanwhile, whatever profit that results from higher efficiencies, goes to the 1% owners.

Certainly, fraud can and does occur with machine counting and paper ballots. However, WinVote system is much easier to hack, has infinite scalability and can be done secretly without a trace (almost).

It makes me wonder where the money trail goes for WinVote. Does it back track to some rich guy?

Anura • April 23, 2015 3:16 PM

@Hans

You seemed to have ignored most of my comment. It addressed all of your concerns. No system is perfect, but combining both computers and paper ballots provides the best of both worlds.

Voting is Broken • April 23, 2015 3:50 PM

Taking a step back, does it really matter if a voting system works in an environment where representative government has become detached from the deep state?

Here we are with multinational intelligence organizations that spy on everyone and presumably use that knowledge to control everyone.

Philip K. Dick once observed that cops are cops everywhere, having the same problems to solve. After dropping constitutional protections against unwarranted search, there isn't a dime's worth of difference between the 5 Eyes and the Chinese or Russian intelligence organizations.

It is conceivable that the primary political division is not be between political parties, but between a world wide intelligence organization and the people it controls.

Existing institutions such as Interpol could simply be extended, in the same way that NSA resources are now being deployed for civilian law enforcement. Perhaps cooperative arrangements between the 5 Eyes and Chinese and Russian intelligence are already in place.

How do you vote your way out of a situation like that?

It seems like economic sanctions are the only viable tool for reasserting control over unaccountable spies. In other words, voting by changing purchasing bahavior.

For example, stop buying computer products that are on an upgrade path to a police state, and instead buy computers that give more and more control to users as the software improves. Buy and use encryption. Use cash instead of credit cards etc.

It's a question of putting the emphasis on things that might actually work.

tyr • April 23, 2015 4:23 PM

I seem to recall someone found a full ballot box
floating in the Bay where it had accidentally
fallen in the water.

At least the hacked machines votes get counted.

999999999 • April 23, 2015 4:31 PM

How dare they expose a vulnerability in public. I am shocked.
Now the esteemed Mr. Wallace won't be able to "consult" for them.

Andrew Wallace • April 23, 2015 4:53 PM

"The weak passwords -- which are hard-coded and can't be changed."

Isn't that commonly known as an intentional backdoor?

Andrew

Mike Amling • April 23, 2015 5:01 PM

@Fred P
>>
Step 1: Request a hash over the code, including any configuration files, etc. Choose the starting seed and the portion of the code to execute it over. Get the result.
Step 2: Perform the hash, in exactly the same way, on a certified, audited eVoting machine.
Step 3: Check that these two values match.

Potential issues I'm aware of:
1) If the memory is sufficient, you can execute some arbitrary code which only uses the audited code for the purpose of the hash.
<<

Even if the memory is limited, the malicious code could keep a compressed version of the legit code/data, decompressing it to feed into the hash.

Mike Amling • April 23, 2015 5:15 PM

Voting on paper is good. But hand-counting needs some associated reforms for it to be practical. in particular, the number of races on the ballot in countries that use hand counting of paper ballots is much lower than the number of races on typical ballots here in the USA.

Do we want the election judges who have been there since 5 AM hand-counting ballots after the polls close at say 8 or 9 PM? Some of them are pretty old.

There were 18 races on my ballot the last time I counted the races. And I know I've had 24 races on some ballots in the past. Hand counting one race in a precinct where 600 or 1000 ballots are cast might be practical, but 5 election judges hand counting 20 races on 600 ballots on election night is just asking for errors.

I've participated in recounts, where we went through the paper 'receipts' generated by a DRE. Getting 600 hash marks correct in each of (I think it was) 8 races (for that election) is a challenge.

rgaff • April 23, 2015 6:15 PM

Well that does it... now the rest of the US population is going to prison for "publishing a circumvention device" to voter machines, because we all use "admin" too in our wifi management....

...and I just typed it into a blog too, so I'm waiting for my knock on the door with the rest of you...

moo • April 23, 2015 6:30 PM

E-voting machine security is crap. News at 11.

Seriously, how can you have any confidence in your elections down there? In Canada, we still cast paper ballots and count them by hand.

CJ • April 23, 2015 6:48 PM

The way elections for Pope are handled is very interesting. Lots of lessons learned in 2,000 years.

rgaff • April 23, 2015 6:57 PM

@ Mike Amling

You talking about a race card or a ballot?

rgaff • April 23, 2015 7:01 PM

@moo it's this population down here, it's killing us, there's no way to count that many by hand anymore, we ran out of fingers, and our educational system hasn't taught us how to count any higher...

Matt • April 23, 2015 8:52 PM

Paper voting works. I'm from Australia, where we use pen (not pencil) and paper, and most of these theoretical problems people are raising are overblown.

Firstly, yes there is human error. Most races are not close enough for that to matter. Of those that are, recounts happen. These recounts reveal that the error rate is small enough for the error not to affect the outcome. If it is close enough, it is scrutinised to the nth degree. Counts can be verified with basic note counting machines.

Yes we get quick counts one election night by tired election workers. These are not the official counts, which are done in the days afterwards by staff working regular 9-5. The quick election night results leave little doubt for most races, and cannot be final anyway, as not all postal and absent (ie. votes from outside the precinct) votes may have arrived yet. So we sometimes have to wait a couple of weeks for results in close races, that doesn't kill democracy, and usually does not affect the balance of power.

Importantly, this whole process can be (and is) scrutinised.

We could probably get the best of all worlds if we had people vote on machines, which printed a vote which the voter verifies and puts in the ballot box. The machines give instant results, and the paper votes (which are a lot easier to read than manual pen votes as they are computer printed) became the official count. The hardest part is preventing ballot stuffing while still preserving secrecy.

Andrew Wallace • April 23, 2015 9:20 PM

I would argue that with electronic vote rigging it is more likely to be detected through a retropective digital forensic investigation than is possible with a paper format vote rigging investigation. You are more likely to detect electronic vote rigging than paper.

Andrew

Peter A. • April 23, 2015 9:41 PM

I start to think that the whole idea of popular and universal voting is flawed. The results get so easy skewed, intentionally or not. Last local elections in Poland tell a story. I'll try to make it short. But first a side note for those who may have heard about a failure of electronic voting as it was sometimes misreported: it was indeed a royal fail (mostly due to failures of official procurement procedures), but the ballot is still on paper, the electronic system was intended to help and speed up tallying up the votes which were counted manually at the lowest level - the votes were eventually counted manually at higher levels as well in the general atmosphere of disorder and uncertainty, and results were published late. But to the point.

After the official results were published it become evident that, specifically in elections to local parliaments:
1. There was a large fraction of invalid votes, and:
2. One party got a lot more votes than exit polls predicted.

The election system is like that: officially registered political parties or election committees (=organizations supporting particular political agenda or candidate, created for the purpose of elections; requirements for those are less stringent than for political parties) register their candidates by getting signatures from citizens who support the candidates. There are specific minimum number of signatures required for each position (mayor, member of city council, member of local parliament). This happens before elections. Candidates that got at least so many signatures get registered and official lists are made.

For the collective bodies, elections are proportional, so you actually vote for a party/committee; number of seats awarded depends on sum of votes cast for all candidates from a particular party. Only after seat allocation to parties, the number of votes for a particular person counts: seats are awarded to candidates in order of number of votes cast. Therefore on ballot cards, candidates' names are grouped in several lists, each list holding candidates for one party/committee. The order (and ordinal numbers) of the lists is determined by a random draw. Therefore parties often advertise themselves "vote for list #N". The order of the names on the party's list is determined by the party itself, often most "desired" candidates are put first, because people tend to vote for #1 on the list more often.

The vote is cast by placing an X in a box next to the name - of one candidate on one of the lists. Putting more than one X, not putting any, or putting any other sign makes the vote invalid.

Usually there are quite a lot of candidates for the local parliaments - significantly more than for mayor or city council, often several tens of candidates. (I think it is a result of somewhat misconceived idea - the local parliaments have rather small lawmaking power, and are quite detached from the citizenry - unlike city/village council, which are much closer to people and therefore have more visibility and are more subject to criticism. Being a member of local parliament is thus a safe, not demanding, low-visibility job with little responsibility - so politico types crowd to get there. But this is just my opinion.)

The effect is, that the ballot cards for local parliaments used to be large sheets of paper of A3 format or even larger, printed on one side (legal requirement) with tens of names arranged into 10-20 lists. But this time the administration decided to cut costs on large format printing and generated ballot cards in a form of approx. A5-size stapled booklet, with one list on each odd page of it (even pages were blank).

And what happened? Large number of invalid votes and the party which got #1 in the list order draw got much more votes than exit polls showed...

There was a lot of political bashing, many sides cried forgery alluring that people counting votes, having to handle booklets by turning their pages in search for X signs could easily invalidate votes cast for unfavorable party by conspicuously adding another X on some page, which would be much harder if there would be single sheets of paper etc.

The actual cause of high number of invalid votes had not been explained. Many researchers volunteered to perform analyses, but law does not allow anybody to see archived ballots, only courts can do review. And the judges were not keen to take the burden...

Some researchers hypothesize that this was the form of booklet that caused issues; and unclear communication. The Polish language has a word 'karta' that means both 'a ballot' and 'a sheet' (and 'a page' in colloquial use). When ballot cards had been one sheet of paper previously there was no ambiguity, but the last time there was some - there was a ballot being a booklet of many sheets of paper. Therefore the one-cross rule could have been interpreted as 'one cross per sheet/page'. This could explain high number of invalid votes and could have been verified by examining ballot cards and seeing if a large number of them have crosses on all pages - or most of them. But this verification had not happened - and won't already. This could also explain the unexpectedly good results of the party which got #1 and was on the very first page - some people could not have realized that there are other names on following pages.

Now in retrospective, some researchers point out that in the next-to-last local elections there was a similar effect but on a smaller scale; a "booklet" was used in one district only, where the number of candidates were large and results were somewhat unusual there, but since it was in one district only it had not triggered any concerns - then.

Draw your conclusions as you may - but I am shocked. If so large a part of citizenry is dumb enough not to understand simple instructions, or not to turn a page or two and put their X's on the first page next to a random person of some random party instead of their chosen one (or they had made the "choice" on the spot), how they can decide what's good for them and their country? What's the value of popular and universal voting? We are being ruled by idiots and fraudsters voted into their positions by idiots. And I don't see a way out of it. Maybe going back to 'classical' republic with some voting census would help a little, when only elites would vote - whatever the elites are currently. But it's not going to happen.

Forget the electronic voting machines and their security if such things as a form of a paper ballot card or a piece of news on TV can change the result of elections.

Nick P • April 23, 2015 10:00 PM

@ Andrew Wallace

In practice, the situation has been the total opposite. The electronic systems are resulting in more apparent rigging and glitches than paper ones. Plus, all the electronic systems in use have tons of security issues any time they're red-teamed. Even non-experts (see Hacking Democracy) were able to defeat their security with some study. Counting hardware manipulation (esp vendor), there's lots of easy subversion opportunities. Auditing them totally requires a reverse engineering firm to tear down the chips, image them, and tell you what they do. Plus a software review or reverse engineering to do the same thing.

Or you can have ordinary people counting and checking numbers on paper for the audit. One sounds a lot easier to me than the other. Cheaper, too, given the current cost of reverse engineering sub-100nm ASIC's and shoddy software.

Hans • April 23, 2015 10:21 PM

@Anura: So we need computers to print things on paper, when we could just use a pencil on the paper. Right.... You really are enamored with machines.

65535 • April 23, 2015 11:13 PM

I would like to be a fly on the wall at Fort Meade when they read Bruce’s post.

“They will never be able to pin it on us… ha ha!”

ferritic nitrocarburizing • April 23, 2015 11:29 PM

To those who advocate going back to pencil and paper: there's no need to go back to the serious problems of old voting systems (ambiguous votes, slow tabulation, and the avenues for fraud that these create) just to avoid the insanity of current electronic voting schemes. All that's required is to make certain that any electronic vote count is only a derivative of a clear human-readable ballot.

To accomplish that, all that's needed is to replace electronic voting machines with electronic ballot printers, with the ballot printer incorporating the usual safeguards developed in an industry where losses to fraud are clear losses and people have to be held accountable for those losses: lottery ticket printing. The voter would prepare a ballot using the same touchscreen interface most voting machines use now, but instead of immediately tallying their vote or putting it on a memory card, they would get a slip of paper clearly printed with a reviewable list of votes, a timestamp , and a message authentication code to show that the vote actually originated from a voter action, and a printed barcode containing the same information. Then they would submit their paper ballot to a ballot box attended by a poll worker poll worker. At the end of the day the votes would be counted with a barcode scanner, or by manual tallying from the clearly printed voting information if the barcode was challenged. The electronic tally produced would be derived from a count of the paper ballots, but not a replacement for them.

In fact, this system is also proof against something that neither manual ballots nor electronic votes can prevent: an extortionist demanding that you vote some way in exchange for receiving a benefit or avoiding a punishment, and demanding proof in the form of a photograph showing how you voted. At present, polling places have to combat this by prohibiting photography, and with cameras getting smaller and being built in to more things they have to get increasingly paranoid about it. A simpler, cleverer solution is to allow printing as many ballots as one wishes, and photographing them, provided one only photographs one's own ballot, submits only one vote (the poll worker will verify), and destroys the invalid ballots (which should be shredded even after the voter destroys them). That way anyone can prove that they voted any way they need to prove it, whether or not they actually did so vote.

Chances of this system being adopted anywhere in the United States: zero, unless some entity is caught stealing the vote outright, in which case it is zero.

MarkH • April 24, 2015 12:31 AM

Following is a comment I made on another thread quite recently. The "best of both worlds" is simple, affordable and practical. It blows my mind that all e-vote machines don't do this!
_______________________________________________

For what it's worth, where I live the election officials were uncharacteristically (for local government, that is) sensible, when switching to electronic voting machines ... this was maybe ten years ago, I don't recall now.

The machines themselves are kind of clunky, but usable.

But what's great about them, is that after a voter makes his/her selections, each machine prints a paper record of the vote, which is visible (but not accessible) behind a window. The machine then asks the voter to confirm that the paper record matches the vote. If they don't agree, the voter can cancel and restart, or raise an exception to the election supervisors; if the voter chooses to cancel, then the paper record is marked accordingly.

In this system:

• there is a paper record that can be used to audit any questionable or disputed vote tally

• discrepancies between the voter's choices and the paper record are visible to the voter -- even if only a small percentage are mismatched, the probability of detection is substantial

• an independent record of the number of votes (kept by election supervisors) protects against the voting machines either "losing" or "adding" votes

I like this system very much -- nothing is perfect, but I think it offers assurance at least as good as our previous paper ballot system.

Winter • April 24, 2015 12:51 AM

"The voting machines are controlld by Skynet. Voting machines in Maryland are moving Republican votes to the Democrats' column. Voting machines that ... Skynet has come alive!"

The underlying problem in the USA seems to be that one of the major parties (guess which one) is at the wrong end of a demographic change. Its traditional core voters, rural and middle class white men, are now a minority in most states.

The solution would be simple, move over to appeal to new conservative voters. There are loads of conservative Americans who are not middle class white males. However, the current "management" of the party would rather have the USA dissolve in chaos that to let go of their pet policies (grip on power).

Hence, that party resorts to voter disenfranchising and clear fraud.

(note that I do not say the other party would not do this. Just that the other party only has to get their voters out to vote to win. Fraud is not needed)

dot tilde dot • April 24, 2015 2:05 AM

After all the derailment in the comments above, let's get back on topic:

Have those VITA people already been sued?

(scnr)

.~.

Thomas • April 24, 2015 7:15 AM

@ Fred P

> @Thomas - I'll tell you how the Gambling industry solved it for video lottery; feel free to point out any holes.

You audit and hash the source, but run the binary.

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Gambling and voting are very different.
electronically transferring money leaves audit trails, making it easy to detect and undo cheating.
Try to tranfer money without a trail and you end up with the hilarity that is bitcoin.

Voting must be anonymous. Trying to create an eletronic system that doesn't leave a trail is difficult. And complex.
Trying to make something that's already difficult and complex secure it near impossible. It certainly isn't cheap, meaning it's not commercially attractive.

@ Anura • April 23, 2015 11:36 AM
> Pencil and paper aren't that great either. If you are hand-counting, you introduce human error.

I'll take small-scale error/fraud over the over the kind of large-scale problems electronic voting introduces

> for example machines can simply print out paper ballots, and they also provide much better accessibility for the blind, as well as people with poor manual dexterity.

As long as the paper ballot is the official vote, that kind of system could actually work.
Randomly verify samples to detect discrepancies, and be prepared to ditch the fancy electronic stuff and hand-count.

Accurate Election results are worth waiting for.

@ Mike Amling • April 23, 2015 5:15 PM

> ... in particular, the number of races on the ballot in countries that use hand counting of paper ballots is much lower than the number of races on typical ballots here in the USA.

America has perfected the art of hiding the forest (democracy) behind the trees (voting).
Vote for enough things and the process becomes so complex you can foist all manner of ludicrous voting solutions on the public to make things 'easier'.

Andrew Wallace • April 24, 2015 7:23 AM

Nick P, I would argue that e-voting is helping to uncover more corruption than paper voting and you are more likely to get found out rigging an e-vote.

Andrew

.---- ...-- • April 24, 2015 8:22 AM

Better roll that out in Germany. The natives are restless and the colonial administrators at BND need help.

http://m.thelocal.de/20150423/nsa-had-german-spies-target-euro-allies?PageSpeed=noscript

QnJ1Y2U • April 24, 2015 8:28 AM

@Andrew Wallace
I would argue that e-voting is helping to uncover more corruption than paper voting and you are more likely to get found out rigging an e-vote.

Then please make that argument, and tell us how. The simple attacks described in the post would seem to indicate that wholesale, undetectable corruption of e-voting systems is pretty easy to accomplish.

Andrew Wallace • April 24, 2015 8:31 AM

QnJ1Y2U,

If it was easy to accomplish we wouldn't be here talking about something that has been uncovered.

Andrew

QnJ1Y2U • April 24, 2015 8:43 AM

@Andrew Wallace
From the first link in the blog post:
Bottom line is that *if* no Virginia elections were ever hacked (and we have no way of knowing if it happened), it’s because no one with even a modicum of skill tried.

vas pup • April 24, 2015 8:56 AM

Clive, you've been in Switzeland - do you know what is voting technology there?
That link is not about the topic, but you should start thinking about all apects of their life:
http://www.bbc.com/news/business-32443396. That type of exceptionalism we need all meaning real happiness today versus just persuit of it.

NIck P • April 24, 2015 10:21 AM

@ Andrew Wallace

There are hybrid systems that combine electronic and paper voting that improve some things. All the field evidence shows, though, that paper voting with good auditing is *way* stronger than electronic voting as more eyes can review it with less skill. Would you like to offer evidence for your claim where all kinds of fraud in American elections were prevented by introducing electronic voting to those areas?

I'm especially curious if you have anything to back your opinion or are just shilling for the topic.

Fred P • April 24, 2015 12:34 PM

@Thomas - Erm, yes - the auditor needed to verify the hashes of the binary prior to release. Our auditors (GLI, if you're curious) would re-build the code from scratch and do binary comparisons between the source they generated and the one we gave them to verify that the sources matched the binaries. They, of course, had full access to the source and all tools needed to build it, and would typically spend weeks trying to break it prior to release.

In any case, checking software hashes was a regular double-check, not the primary defense. The primary defense was making physical access difficult. All external communications were encrypted and authenticated (not always well, but that's a separate issue). All physical access was sealed, and key access controlled. Whenever the portion with the motherboards of the machine was opened up, at least two people paid by two different entities observed everything, and it was all taped, with the taping controlled by a third person. The machines were designed so that you couldn't write to where the software was loaded from without physical modifications (for upgrades in the field, we'd remove the old chips and put new ones in, all of it under monitoring by multiple different groups).

Of course you are correct about the application; I would not advise using the software security measures and data retention we used; they were to combat against an entirely different set of threats than a voting machine has to deal with. That said, much of the auditing and custody chain may have some use in the voting machine context; fundamentally, you're allowing threats to use your machine largely unsupervised. In the VLT context, a machine like the one described above would probably be rejected by our auditors prior to accepting delivery (and yes - they would do that).

I think the real problem with using this sort of system is that it's expensive. Apparently, it's much easier to spend on machines that are almost guaranteed to make you (the owner) money than on voting machines.

notsecret • April 24, 2015 2:41 PM

Most voting in US America is NOT anonymouse. Typically, one receives a ballot, signing the book which records the ballot number, and thusly votes. It is trivial to match the ballot with the number header, then to the book, which has your signuture.

MarkH • April 25, 2015 4:12 AM

@notsecret:

Traceability of ballots to voters does NOT accord with my personal experience. If this is the practice somewhere, it is extremely improper.

Where I now live, when we had paper ballots they were not numbered or otherwise uniquely marked. All paper ballots were identical, with the exception of pencil marks made by voters in order to register their vote.

Similarly, with the currently used electronic voting machines (see my comment above), I have seen no provision for traceability. In principle votes could be lined up with the register by the ordering of votes on the paper record printed by the machines. However, there are several machines, and often several voters using them simultaneously, so such correlation could not be done reliably.

My county keeps a publicly accessible database of who voted in each election -- but NOT of how they voted.

In the USA, votes really are supposed to be secret.

If you have evidence of violations of vote secrecy in any jurisdiction, please tell us here, and/or furnish it to the press. That would be an important story, and deserves to be published.

Robert in San Diego • April 25, 2015 8:39 AM

Where I live, ballots are pen based, Fill in the Bubble, type. We used to use punched machine readable ballots, and for one election back in 2003 I think, it was a computer screen. There is a register of voters I sign in on, and the ballots are numbered, but the ballot number isn't linked to my name on the register.

Donald Ball • April 25, 2015 9:15 AM

Way upstream, Clive suggested that long lines (that is to say, inadequate resources at polling places) won't affect outcomes as it's independent of the partisan preference of the voters. As it turns out, in the real world, or at least in these United States, voting resources are allocated by partisan election boards, and inadequate resources (and increased bottlenecks due to ever more onerous authentication theater) tend to disproportionately affect poor voters, who do have a strong partisan preference.

Michael • April 26, 2015 8:24 PM

Entertainment on the same line.

http://www.amazon.com/Floodgate-Short-Story-Matt-Richtel-ebook/dp/B008H4JLYC/ref=asap_bc?ie=UTF8

Book Description
Publication Date: August 21, 2012

It's Watergate. On servers.

On the eve of the presidential election, a conspiracy threatens to alter the outcome of the vote—and the future of American politics. At the heart of the plot is a powerful computer program, aimed at rooting out hypocrisy among politicians to expose their truths . . . and ours. Left to unravel the conspiracy is a bitter, hotheaded former journalist, but he's just not sure he cares enough to get to the bottom of it.

And I have no relationship to author or Amazon.

Nathanael • April 29, 2015 11:52 AM

Unsurprising. We've been fighting this particular danger for 20 years and very few are paying attention.

http://verifiedvoting.org/

Thanks to "DRE" vote-stealing machines, elections are complete frauds in all of New Jersey, Delaware, Maryland, South Carolina, Georgia, Louisiana, and parts of Pennsylvania, Virginia, Indiana, Kentucky, Tennessee, Florida, Texas, Nebraska, Missouri, and Mississippi.

http://www.verifiedvoting.org/verifier2014/

The other states have some safeguards.

Nathanael • April 29, 2015 11:59 AM

"The underlying problem in the USA seems to be that one of the major parties (guess which one) is at the wrong end of a demographic change. Its traditional core voters, rural and middle class white men, are now a minority in most states.

My response:

The problem for the "conservative" party is that, as time has passed, new conservative voters (women, lower class, upper class, nonwhite) are trying to conserve the benefits of society they remember from the, uh, late 1970s at earliest, maybe later.

They are, therefore, Democrats.

The Republican party represents whackjobs who want to go back to an imagined past which never existed, as well as unreconstructed racists and sexists who want to go back to straight up "we own our wives and we own black people" policies, and unreconstructed plutocrats who want to become noblemen and rule over everyone. These are all shrinking demographics.

Even the "middle class white males" aren't really in these demographics any more, and are being defrauded

There's a total lack of representation for people who are more progressive or left wing than the 1970s consensus.

Steve • April 29, 2015 2:36 PM

In 2000, a certain group used a combination of Jeb, dem stupidity/cowardice, and the "Supreme Court" to steal an election. In 2016, they will utilize Microsoft product with its inherent faulty security. Solid plan indeed! ...but they should consider changing that default password to something harder to crack such as "Monkey". That'll fixit'.

Name (required):

E-mail Address:

URL:

Fill in the blank: the name of this blog is Schneier on ___________ (required):

Comments:

Allowed HTML: <a href="URL"> • <cite> • • • <ul> <ol> <li> • <blockquote> <pre>

← "Hinky" in Action The Further Democratization of QUANTUM →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.

An Incredibly Insecure Voting Machine

Comments

Leave a comment