Americas

  • United States

Asia

Oceania

Machines alter election votes: Hacking voting machines so easy that Grandma can do it

Analysis
Nov 06, 20126 mins
CybercrimeData and Information SecurityMicrosoft

Ah, so here we are on Election Day and it wouldn't be complete without controversial claims that voting machines are altering votes. Examples include claims that voting machines can be remotely hacked by your grandma with $30 of hardware, New Jersey email votes involving Hotmail, and cybercrooks are tainting election news and videos with malware.

In the last few weeks, GOP Research claimed voting machines were malfunctioning in several states; “there are reports that voters are experiencing frustration when they cast a ballot for Governor Romney but inexplicably the voting machines registers a vote for Obama.” Ah, so here we are on Election Day and it wouldn’t be complete without controversial claims

Election 2012

such as “2012 voting machines altering votes.” MSNBC jumped all over it by reporting Pennsylvania “electronic voting machine turns vote for Obama into one for Romney.” YouTube user centralpavote posted a video and wrote

I initially selected Obama but Romney was highlighted. I assumed it was being picky so I deselected Romney and tried Obama again, this time more carefully, and still got Romney. Being a software developer, I immediately went into troubleshoot mode. I first thought the calibration was off and tried selecting Jill Stein to actually highlight Obama. Nope. Jill Stein was selected just fine. Next I deselected her and started at the top of Romney’s name and started tapping very closely together to find the ‘active areas.’ From the top of Romney’s button down to the bottom of the black checkbox beside Obama’s name was all active for Romney.

I asked the voters on either side of me if they had any problems and they reported they did not. I then called over a volunteer to have a look at it. She him hawed for a bit then calmly said “It’s nothing to worry about, everything will be OK,” and went back to what she was doing. I then recorded this video.

There is a lot of speculation that the footage is edited. I’m not a video guy, but if it’s possible to prove whether a video has been altered or not, I will GLADLY provide the raw footage to anyone who is willing to do so. The jumping frames are a result of the shitty camera app on my Android phone, nothing more.

The video hasn’t worked for me yet – connectivity is erratic – but there is a serious he said/she said “lies” flame war going on in the comments. NBC News confirmed that the voting machine was taken out of service after centralpavote posted the video capturing the error.

Voting machines have long been called hackable, so to those “doubters” and to stir it up a bit more, your grandma could rig an election with $30 worth of RadioShack gear. Professional hacker Roger Johnston, head of the Vulnerability Assessment Team at Argonne National Laboratory, told Popular Science “It’s always going to be hard to stop James Bond. But I want to move it to the point where grandma can’t hack elections, and we’re really not there.”

Johnston and his colleagues launched man in the middle (MITM) “security attacks on electronic voting machines to demonstrate the startling ease with which one can steal votes. Even more startling: Versions of those machines will appear in polling places all over America.” Explaining “How I hacked an electronic voting machine,” Johnston wrote, “You implant a microprocessor or some other electronic device into the voting machine, and that lets you control the voting and turn cheating on and off. We’re basically interfering with transmitting the voter’s intent.”

The device we implanted in the touchscreen machine was essentially $10 retail. If you wanted a deluxe version where you can control it remotely from a half a mile away, it’d cost $26 retail. It’s not big bucks. RadioShack would have this stuff. I’ve been to high school science fairs where the kids had more sophisticated microprocessor projects than the ones needed to rig these machines.

After New Jersey announced that citizens could vote by email, Computerworld’s Richi Jennings asked, “Are you ******* kidding me, NJ?” Bloggers all over the place jumped on that potential conspiracy theory, but it does not look very secure, such as in the example that BuzzFeed pointed out. “Essex County Clerk posted to his Facebook page Monday that voters could email requests to his personal Hotmail account.”

On that note, GFI Lab’s Jovi Umawing reported detecting a Trojan in an election card1.exe file. “This file could be a result of scammers hoping to capitalize on voters in cities who can’t physically go to polling stations to vote due to Hurricane Sandy, but will resort to voting using email and/or fax. The nature of this threat cannot be more timely.”

Keep in mind as you search for election results or other election news that cybercrooks are happily tainting links and hoping your device will be infected. GFI Labs has spotted several Trojan scams exploiting today’s election. Criminals are using a malware ‘sleight-of-hand’ trick to download a document called “Romney_Obama_Focus_On_Key_States_on_Final_Lap.doc” that is embedded within an executable file. “Users believe that what downloaded is just a harmless document file, not knowing that the malware already made several modifications on their system before they even start to read the article.”

Lastly, GFI Labs warns YouTube viewers to be cautious as some social media links associated with clips will try to get users to download and install a movie player. “Let us be mindful of that for the next couple of days. I doubt that election-related threats and scams will end after the big announcement.”

Don’t let anything stop you, make your voice heard, make sure you vote!

Like this? Here’s more posts:

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.