The Sorry State of Electronic Voting Machine Security

A lot of people from different backgrounds have expressed concerns about the integrity of electronic voting machines. It turns out that those concerns were entirely valid:

It’s no secret that it’s possible to hack voting systems. But how easy is it, really? Entirely too easy, if you ask researchers at this year’s DefCon. They’ve posted a report detailing how voting machines from numerous vendors held up at the security conference, and… it’s not good. Every device in DefCon’s “Voting Machine Hacking Village” was compromised in some way, whether it was by exploiting network vulnerabilities or simple physical access.

Multiple systems ran on ancient software (the Sequoia AVC Edge uses an operating system from 1989) with few if any checks to make sure they were running legitimate code. Meanwhile, unprotected USB ports and other physical vulnerabilities were a common sight — a conference hacker reckoned that it would take just 15 seconds of hands-on time to wreak havoc with a keyboard and a USB stick. And whether or not researchers had direct access, they didn’t need any familiarity with the voting systems to discover hacks within hours, if not “tens of minutes.”

Just put those voting machines in the cloud! Everything is magically fixed when it’s put in the cloud!

Anonymous ballots are notoriously difficult to secure but it’s obvious that the current crop of electronic voting machines were developed by companies that have no interest whatsoever in even attempting to address that problem. Many of the issues mentioned in the report are what I would call amateur hour mistakes. There is no reason why these machines should have any unprotected ports on them. Moreover, there is no reason why the software running on these machines isn’t up to date. And the machines should certainly be able to verify the code they’re running. If the electronic voting machine developers don’t understand how code signing works, they should contact Apple since the signature of every piece of code that runs on iOS is verified.

And therein lies the insult to injury. The types of security exploits used to compromise the sample voting machines weren’t new or novel. They were exploits that have been known about and addressed for years. A cynical person might believe that the companies making these voting machines are just trying to make a quick buck off of a government contract and not interested in delivering a quality product. A cynical man might even feel the need to point out that this type of behavior is common because the government seldom holds itself or contractors accountable.

4 thoughts on “The Sorry State of Electronic Voting Machine Security”

  1. A cynical man might suggest that the insecurity is design intent to allow for election fraud.

    1. If I were planning to commit election fraud, I’d want the most secure system possible so nobody could mess with the malicious code I loaded onto the systems at the factory!

Comments are closed.