Voting Machine security - nonpolitical

I don't want this to get political, even though I know it is right on the line. You guys are the most tech-savvy group I'm a member of, so I thought I'd look for some education.

I've gotten into a debate with some friends over voting machines. I say that, all politics aside, it is probably technically possible for someone with enough time, money, and skill to manipulate the machines. I am not making any statements as to whether that happened or not in the recent US election. My view is that even if the machines aren't supposed to be connected to the internet, there's probably plenty of chinks in the armor of the companies that build these things that a determined bad guy could exploit, whether through electronic hacking or social engineering. There's even articles of voting districts leaving machines plugged into the internet after receiving updates. I'm told this is a complete bonkers conspiracy theory. I argue back that nobody would have guessed the SolarWinds/FireEye attack could be as bad as it was, and it went undetected for a long time. If something like that is possible, why isn't it at least theoretically possible that electronic voting machines could be manipulated? I realize one of the basic answers is that there's also paper ballots and the counts need to match, but I'm more looking at it from the electronic hacking/manipulation side.

Again, not looking for a political discussion, I'm just curious if it is technically possible/impossible.
 
Here in the UK we only use paper ballots.

But looking at securing anything then it's a case of identifying the potential weaknesses and then considering what is the risk and impact of them being compromised. You then try to implement technical, physical, and procedural mechanisms that mitigate these weaknesses to such a point that these mechanisms cost less than the impact of compromise but not so much less that the risk of compromise is too high.

Making anything that is 100% secure is pretty well unlikely but you can minimise the risks by making it too costly to succeed and/or evade detection versus the benefits of breaking the security.

I've no idea how voting machines work nor if the procedures for counting paper ballots are to do them anyway or only if requested. If voting machines are used to gain a quick view of the poll then there can be an expected margin of error for on-the-night results but this would/could be validated in slow time by the paper count.

From what little I heard of the voting machines in the US there are a number of different systems being used and so that would require multiple attacks (technical and social) to achieve a widespread effect.


In the past the US used to use TCSEC security evaluation criteria where EU countries used ITSEC. Both merged into Common Criteria and Protection Profiles. The old TCSEC system relied on increasing technical mechanisms to gain higher security standards (C1/2, B1/2/3, A1) whereas ITSEC allowed for environmental mechanisms to be employed with technical in order to meet its levels (E1 to E6). One of the benefits of ITSEC was that it considered the ease of use (e.g. how not to make assumptions and so mistakes) of manuals and procedures so that when deploying systems they were actually secure when following the setup and run instructions.

My point is that unless we know exactly what a system does, how it does it, and how it should be deployed and run then it's easier to say it is possible that it can be compromised but that doesn't mean that it is probable.
 
Fair enough. My view is that there's always someone or something out there smarter than me. I figure that applies to businesses and governments as well. If China or Russia or whoever decided that they wanted to find a way in and they had enough time, money, and talent to throw at the problem, I'm sure they could eventually pull it off. The Enigma machine was supposed to be unbreakable as well, until Turing and friends came along.
 
Some of the German operators used the same phrases at the start or end of messages. So if you know that, you have something to work with.

Anyway I would ask why persist in using voting machines if they are considered to be so vulnerable? Either they aren’t (sufficiently to cause a significant effect) or they are but there is no desire or money to replace them. There is a lot of spin placed on things when it suits and silence when it doesn’t.

Maybe data flows from machines are monitored to ensure expected patterns are occurring, like using a SIEM to analyse log events from multiple devices of different types such that anomalous behaviour is detected.
 
Knowing how the Enigma was hacked (human error - repetitive messages) is a good example of how the voting machines could be hacked. Human users are fallible. There was a news article talking about how 30 some precincts had plugged their machines into the internet and left them there even though they weren't supposed to. I'm not saying there was malice by the people who plugged the machines in, but those actions open a door for other bad actors.

The whole discussion with my friends started because they were talking about some of the crazy conspiracy theories out there. The point I was trying to make is that having the machines get hacked whether through technological means or manipulating human operators in some way isn't necessarily out of the bounds of reality like some of the other kookier theories. Things devolved from there, with people accusing me of wanting to reverse the election, which wasn't my point at all. My point was the media spin on it. To me, investigating and continuing to develop voting machine security shouldn't be the political football it has become.
 
For the curious... I will offer without comment links to websites for the two largest voting machine manufacturers in the U.S.:
- Election Systems & Software
- Dominion Voting Systems

Both websites offer a response to the recent issues involving their systems.

A few lifetimes ago (1970s) I ran the "Data Processing" department for one of the largest counties in the U.S. state of Iowa. Referring to a Wikipedia Article on the History Voting Machines, we used the "Levers" system which was a mechanical marvel; but was very labor-intensive to set up. The article covers quite a bit of voting machine history starting with a system developed in the mid-1800s that used a brass ball dropped into a hole to count the voter's selection.

Which leads me to end with a "HAPPY NEW YEAR" to all.
 
Wallace and Gromit Vot-O-Matic! Good one, @fredbert. Which led me to imagine Shaun the Sheep conducting a Vot-O-Matic election on the farm, for a Bitzer vs. Pidsley election. Wonder how that would turn out. Could Timmy vote? Would the pigs contest the election?

Of course Votomatic-style punched card ballots were critical to the 2000 U.S. general election controversy in Florida. When we learned terms like hanging chads, swinging chads, tri-chads, pregnant chads and dimpled chads.

Much to be said for paper ballots. Ron
 
There's no need to speculate on this; the answer is well established. But first, some qualification: THEORETICALLY, one could come up with a voting machine with perfect security. Just as, theoretically, one could come up with an operating system, or a NAS, or anything else with perfect security. So I don't think the right question is, "Is it theoretically possible to come up with an unhackable voting machine?" I think the right question is, "Are a significant number of the current state-of-the-art voting machines hackable?" And the answer is well known: it's "yes".

There's no reason to believe that significant improvements have been made to voting machine technology since 2017, and in 2017, at Defcon (hacker convention), there was a competition to hack the major voting machines of the time. There were 30 different machines (Sequoia, iVotronic, AccuVote TSX, WinVote, Expresspoll 4000, etc.)

Every single machine was successfully hacked. You can find a very detailed report of the goings-on, and the vulnerabilities of the individual machines, here:

 
So does it boil down to this?

A von Neumann / Princeton architecture computer (where instructions and data are intermingled in the same memory address spaces; and, therefore, data and instructions are, essentially, interchangeable - thus, allowing programs to modify themselves) is inherently hackable. This being the most common architecture for modern computing devices.

Whereas a Harvard architecture computer (where there is one dedicated set of addresses for reading and writing data, and another set of addresses for fetching instructions) is inherently secure?

Or is this a theoretical oversimplification?
 
A Harvard Architecture computer isn't necessarily inherently secure, because you can load a Harvard Architecture computer with, for example, software that has a backdoor (typically a login/password combination buried in the code, so that no matter what the administrator/owner changes their password to, this login/password combination will still always work), or with crummy encryption algorithms, or any number of other bad ideas. It's like saying that a car with slotted disc brakes is inherently safe... it's not, if the passenger compartment is made of paper mache.
 
Good point. Harvard eliminates some significant vulnerabilities; but is not inherently secure. Thanks for the good example.
 
> There's no need to speculate on this; the answer is well established. But first, some qualification: THEORETICALLY, one could come up with a voting machine with perfect security. Just as, theoretically, one could come up with an operating system, or a NAS, or anything else with perfect security. So I don't think the right question is, "Is it theoretically possible to come up with an unhackable voting machine?" I think the right question is, "Are a significant number of the current state-of-the-art voting machines hackable?" And the answer is well known: it's "yes".
>
> There's no reason to believe that significant improvements have been made to voting machine technology since 2017, and in 2017, at Defcon (hacker convention), there was a competition to hack the major voting machines of the time. There were 30 different machines (Sequoia, iVotronic, AccuVote TSX, WinVote, Expresspoll 4000, etc.)
>
> Every single machine was successfully hacked. You can find a very detailed report of the goings-on, and the vulnerabilities of the individual machines, here:

That's an interesting article. Am I wrong in understanding that very few of the machines that were tested were actually current machines at the time? The article was from 2017 but mentioned machines from 2008.

My friends kept saying that voting machines aren't actually connected to the internet and so are secure. How do these machines report results? Does someone actually call it in, or are many of them networked? The article mentioned the supporting networks behind the machines as being targets for tampering as well.
 
The internet is not the only attack surface. Even if it's true that they're not connected to the internet, that doesn't make them secure. When you go in to vote, you're alone with the voting machine. If it has a USB port, what stops you from connecting your USB stick, with its malicious payload, and, for example, changing all the votes recorded by the machine, so that when they are harvested they'll all be wrong? If you choose your precincts right, I suppose a few individuals armed with USB sticks could flip an election.
 
I'm out in the boonies. In my precinct we are given a paper ballot which we take to the booth. We then take the ballot out of the booth and stick it into a communal ballot counter. I don't know how the bigger precincts handle it, which is a big part of the reason I was curious enough to answer the question.

Regarding the networking, I know it doesn't have to just be internet connected, but the article made mention of the networked systems behind the voting machines themselves, so I was curious if any machines are actually connected to the network somehow.
 
Ah, OK, in my precinct there are machines, each in a booth (like a phone booth, but inside a curtain), and you go in and vote by manipulating a dial on the machine to "fill in" an onscreen representation of the ballot. So you're alone with the machine while you vote.
 
It's in the US. No paper ballot, but as your vote is recorded, you can look through a little window and see a paper "receipt" being created that shows how you voted. It stays in the machine, you don't get a copy of it.
 
I was thinking about voting systems recently and what seemed important to me is the ability to verify a vote later on in order to verify the overall integrity. If a tick is put in a box, the box that is ticked can be manipulated/changed before it reaches the final count and currently no one may ever know. So could a system include some sort of high integrity feedback mechanism?

E.g. I can put some money in my bank account. I can then check later on that it is still there and of the same amount. If someone, god forbid, hacks my bank account, I can see that the amount has changed - unless the whole system has been hacked and I do not see the actual amount, but simply a dummy amount.

(BTW, supposedly voting is secret, in the UK anyway. I realised a few years ago that it is not. Each ballot paper has a number, which if I remember correctly, is written down next to my name when I collect my ballot paper. The ballot papers and lists are, apparently, destroyed several months after an election. In between time fraudulent votes can be identified and hence the way I voted is not actually secret. - I am not trying to start a conspiracy topic!)
 
> It's in the US. No paper ballot, but as your vote is recorded, you can look through a little window and see a paper "receipt" being created that shows how you voted. It stays in the machine, you don't get a copy of it.

At least there is theoretically a hard copy there that you witnessed that the electronic copy can be checked against later. If we ever eliminate that hard copy, then we'd really be opening a can of worms.

I actually like your method better than ours. Yours eliminates the theories claiming that truckloads of fake ballots were delivered in the middle of the night and forced through the machines. It would also greatly speed up the process instead of waiting on someone to feed thousands of ballots through a busy machine. It's a separate topic, but it blows my mind how long it takes some precincts to finish reporting.
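
The check discussed in the posts above, where the paper receipts kept inside each machine are hand-counted and compared against that machine's electronic record, can be sketched as follows. This is an added example, not part of the original thread; the machine names, candidates and counts are constructed sample data.

```python
from collections import Counter

# Constructed sample data: totals each machine reported electronically, and a
# hand count of the paper receipts retained inside the same machine.
ELECTRONIC = {
    "machine-01": {"Candidate A": 212, "Candidate B": 198},
    "machine-02": {"Candidate A": 230, "Candidate B": 185},
    "machine-03": {"Candidate A": 150, "Candidate B": 190},
}
PAPER = {
    "machine-01": {"Candidate A": 212, "Candidate B": 198},
    "machine-02": {"Candidate A": 185, "Candidate B": 230},
    "machine-03": {"Candidate A": 150, "Candidate B": 189},
}

def reconcile(electronic, paper):
    """Return {machine: {choice: electronic - paper}} for every mismatch.

    A machine missing from either record is treated as reporting zero there,
    so an electronic total with no paper behind it is flagged in full.
    """
    findings = {}
    for machine in sorted(set(electronic) | set(paper)):
        e = Counter(electronic.get(machine, {}))
        p = Counter(paper.get(machine, {}))
        diff = {c: e[c] - p[c] for c in sorted(set(e) | set(p)) if e[c] != p[c]}
        if diff:
            findings[machine] = diff
    return findings

def winner_and_margin(per_machine):
    """Sum all machines and return (leading choice, lead over the runner-up)."""
    total = Counter()
    for counts in per_machine.values():
        total.update(counts)
    ranked = total.most_common()
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    return ranked[0][0], ranked[0][1] - runner_up

def audit(electronic, paper):
    """Per-machine mismatches plus whether the paper count changes the result."""
    e_winner, e_margin = winner_and_margin(electronic)
    p_winner, p_margin = winner_and_margin(paper)
    return {
        "mismatches": reconcile(electronic, paper),
        "electronic": (e_winner, e_margin),
        "paper": (p_winner, p_margin),
        "outcome_differs": e_winner != p_winner,
    }

if __name__ == "__main__":
    for key, value in audit(ELECTRONIC, PAPER).items():
        print(key, value)
```

The one-vote difference on machine-03 is the kind of noise a hand count produces; the mirrored swing on machine-02 is the pattern that changes the result and warrants pulling that machine for examination.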
 
