[This was originally published on RiskBasedSecurity.com.]
As everyone on the planet knows, U.S. politics are in full swing with primaries almost every week and an upcoming presidential election in November of this year. At Risk Based Security we find it curious that one of the most dangerous topics seems to evade the 24-hour a day news cycle every election period. The dangers we face as a democratic society relying on electronic voting machines. Despite the U.S. news being saturated with slogans, petty bickering, and silly antics of candidates seeking to win elections, it was actually news out of Costa Rica that brought the topic back to mind.
Costa Rica’s Supreme Court of Elections is said to to be investigating many electoral contests in Latin America over the past decade. Now jailed hacker, Andres Sepulveda, claims to have used a wide variety of hacking techniques along with social media to gather information and manipulate elections through several means. While this is considerably different than tampering with an election via manipulating electronic voting machines, it speaks to the severity of such activity. These types of issues are not isolated and rare either. The Election Commission of India (ECI) ran into a case of malfunctioning electronic voting machines during the first phase of the Assembly elections in Bengal this month.
In the U.S., there has been a growing trend of claims of “rigged electronic voting machines” in past elections. These range from anecdotal to showing videos of such machines in action flipping votes. The claims of voter fraud are leveled at both major parties; both the Democrats and the Republicans have been accused of this. Some analysis of these claims moves beyond the rumors and examines the statistics behind the tallied results. For example, an engineering professor and statistician from Wichita State University has found “voting irregularities” that indicate tampering of electronic voting machines.
Going back farther, evidence has been aired that exit polling data has been manipulated specifically to benefit one candidate. Focusing more on what many consider to be the real threat in such elections, electronic voting machines have been found to contain an incredibly wide variety of traditional vulnerabilities in the past. Based on published research, no manufacturer of these machines is immune. Advanced Voting Solutions (AVS), Election Systems & Software (ES&S), Digivote, Sequoia, Premier Election Solutions, Hart InterCivic, and Diebold have all been put to the test (note: some of these companies have been purchased by another over the years).
As time permits, Risk Based Security reviews the academic research papers examining these machines, to include the relevant findings in VulnDB. This begins to give a solid picture of just how fragile these machines are when it comes to manipulation and tampering, which can directly affect election outcomes. To date, we have cataloged over 260 vulnerabilities in electronic voting machines, with more research papers in queue for analysis. This supports articles we see from time to time, where a researcher or interested party speaks out about the insecurity of voting machines.
Take the report from 2008, in which researchers showed that Election Systems & Software (ES&S) machines could be calibrated to favor a candidate of choice. Reading the actual report showed that the machines had a flaw related to a backdoor implemented in the devices that could be exploited with a Factory QA PEB (Personalized Electronic Ballot). Or the 2008 report on Sequoia AVC Advantage machines that were ultimately audited, but led to a court case to get the results published. That report resulted in nine distinct vulnerabilities that were added to Risk Based Security’s VulnDB.
More recently, we’ve seen reports from Virginia telling readers how tampering with U.S. voting machines is “as easy as ‘abcde’”. The more detailed report on the voting equipment is somewhat of a dry read, but should be alarming all the same. An article from Wired reminds us that many of these machines are over a decade old, and “ripe for tampering, breakdowns”. Of the 260+ electronic voting machine vulnerabilities we are aware of, that span from February 2004 to July 2015, 154 still have no known solution. Regardless of the election or your affiliation, as you visit your polling place to vote, be mindful of the machines you are using and that any paper trail provided matches the vote you actually cast. With all this evidence of potential voter fraud, where is the “Fair and Balanced” news coverage?