— The election was rigged.
One team of hackers devised an invisible touch-screen button that allowed voters in the know to easily rack up the tally for their favored candidate. Others disguised a bit of rewritten code that ensured one contender would receive 90 percent of the vote. And that was just for starters.
Thankfully, these “elections” were held within the confines of a computer science classroom at Rice University in Houston. But the exercise in electronic voting chicanery has led its chief provocateur to renew his calls for more rigorous and transparent audits of the kinds of touch-screen voting machines that are expected to tally about one-third of all ballots cast in next month’s presidential election.
Dan Wallach, an associate professor of computer science and director of Rice’s Computer Security Lab, said his class’s exercise reconfirmed his belief that anyone with a little know-how and the right access could easily do considerable damage. Anyone who trusts a system built entirely out of software with no independent checks, he said, is “building on a shaky foundation.”
Despite the classroom setting, students said the vote tampering was eye-opening not only because of how straightforward it was to cause damage, but also because of how easy it was to get away with it — despite the scrutiny of other classmates primed to look for mischief.
“Before this project, I really didn’t know anything about secure voting machines, and I sort of assumed that they would be just that — secure,” said Devin Grady, a graduate student in the computer science department. After reading about security audits of real systems and devising several ways to evade them, Grady said his confidence in electronic voting machines “has gone through the floor.”
Several company and industry representatives staunchly defended touch-screen technology, questioning the relevance of the exercise for real-world voting scenarios that include safeguards beyond the machines themselves.
“It is important to note that there have never been any documented instances of fraud or ‘hacking’ having been carried out on Sequoia’s — or any other election technology provider’s —equipment in a live election in the United States,” said Michelle Shafer, a spokeswoman for the San Leandro, Calif.-based Sequoia Voting Systems. “While well-intentioned, this type of exercise may only drive fear for the voting public.”
Studies highlighting the ease of election shenanigans, however, have been well-documented. A 2006 study by researchers at Princeton University’s Center for Information Technology Policy, for example, suggested that a touch-screen voting machine widely used in elections that year was “vulnerable to extremely serious attacks.”
The researchers noted that “an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs and counters to be consistent with the fraudulent vote count it creates.”
After the 2006 elections, according to several industry experts, electronic voting machines faced a public backlash over both academic concerns and actual glitches (including a well-publicized failure that resulted in more than 18,000 blank ballots in a Florida congressional race in Sarasota County decided by less than 400 votes). High-profile failures of audited systems since then in states like California, where computer scientists successfully hacked into three different electronic machines last year, have only contributed to the doubts.
“Every county that has made a change in voting equipment in the last two years has gone to optical scan equipment,” said Kimball Brace, president of Election Data Services, Inc., a Manassas, Va.-based firm which compiles industrywide statistics.
Newly released figures from his company, in fact, suggest that roughly one-third of registered voters in the U.S. will have access to electronic voting machines for next month’s election. About 56 percent are expected to use optical scans, considered by many experts to be a more secure voting method. Nevertheless, Brace pointed out that optical scans have their own downsides, including headaches over getting voters to follow directions intended to ensure their ballots are correctly tabulated.
“There is no perfect voting system,” he said. “Each has its pluses and minuses. The key for an election official is understanding those pluses and minuses and making sure they don’t come around to bite you, you know where.”
Election officials in Florida’s Palm Beach County can attest to that. The county switched from the infamous “butterfly ballots” of 2000 to touch-screen systems, and ultimately to optical scan machines manufactured by Sequoia. A razor-thin Aug. 26 judicial primary in the county was plagued by erratic optical scan recounts of ballots sporadically recognized or ignored by the machines. (Sequoia’s Shafer blamed “election management and ballot accounting issues that had nothing whatsoever to do with their voting equipment.”)
A problem-free election process may be too much to ask for, though Rice’s Wallach hopes that putting vulnerable voting technology in the hands of budding computer scientists will lead them to advocate for better safeguards.
Hacking the vote
For the exercise, the class of 11 students split into six teams. First, the teams assumed the alias of unethical programmers at a fictitious voting machine company and plotted to sway an election’s outcome without getting caught.
For their target, the students tried their devious hand at a somewhat simplified in-house electronic voting machine called Hack-a-Vote, programmed with the same Java language as many Web applications. After each team carried out its mischief, the machine’s subtly altered source code was inspected by two other teams playing the part of election inspectors tasked with certifying the code.
Some teams created a backdoor PIN code so that workers in cahoots could always use the same PIN — say 111 — to vote multiple times and effectively stuff the electronic ballot box. Other teams tampered with the administrator’s password. One team, according to Wallach, even took advantage of a bug in the underlying Java script controlling images — from buttons on the screen to a picture of an American flag — to create a secret button that would allow one person to cast multiple votes.
Grady and Michael Dietz, a graduate student studying under Wallach, corrupted the file so that the only way of knowing something had changed would be to run the entire program (instead of just visually inspecting the code during an audit process). “So it would survive the audit, and only be malicious once it had been rolled out in the voting place,” Dietz said.
The trickery, in fact, survived two in-class audits by other students well aware of the motive for mischief. Likewise, Dietz missed two bugs that another group introduced by simply omitting a small amount of code that had been there initially.
One of Dietz and Grady’s modifications wasn’t even in the source code, a cleverly hidden bug that wouldn’t have been caught unless the entire system was verified (it wasn’t picked up by either in-class audit). The result? One candidate on the ballot was guaranteed to receive 90 percent of the vote. An obviously fishy result, perhaps, but what if the guaranteed total was 55 percent?
Many other tweaks, though, were caught by the inspectors. “I think it’s proven that source code audits are very beneficial to these kinds of systems,” Dietz said. “Having lots of eyes on them tends to catch these kinds of things.”
Wallach said the argument against opening up a company’s code to multiple viewers rests on the concept of “security through obscurity,” which proposes that a system’s inaccessibility protects it from attack.
“Inevitably, obscurity only damages security, it doesn’t improve it,” he said.
A matter of electronic trust
Ken Fields, a spokesman for Omaha, Neb.-based Election Systems & Software, Inc., said security procedures based on best practices should be implemented no matter which technology is being used (ES&S’s touch-screen and optical-scan machines are now in place in 38 states, a greater number than any other company, according to statistics compiled by the Pew Center on the States).
“It is important to note that every line of our source code is reviewed and tested by an independent testing authority to ensure it meets rigorous federal voluntary voting system standards before it is ever used in an election,” Fields said in a statement.
After completing the federal certification process, he said, the voting systems complete a “thorough” state certification examination as well as third-party reviews in a number of jurisdictions.
Aggelos Kiayias, an assistant professor of computer science and engineering at the University of Connecticut’s Voting Technology Research Center, said the results of the Rice exercise aren’t surprising to experts in the field.
“To be blunt, without a voter-generated paper trail that enables a post-election audit using the actual voter selections, there is no way right now to positively rule out any type of misbehavior/malfunction,” he said in an e-mail.
Kiayias, though, warned against making generalizations about the security of elections based on an issue specific to one type of equipment.
“Always keep in mind that the equipment is only one component in the election process," he said. "It is possible to mitigate equipment vulnerabilities within a larger process, just the same as one can still employ a sub-par lock in a safe that takes 10 minutes to pick as long as a guard checks the room every 10 minutes.”
One way to audit an electronic voting system, Wallach said, might be to assign one or more machines to a fake precinct with election workers as “voters” to check for any misbehavior. California has instituted such parallel tests, though they can only detect certain types of malice and would be flummoxed by tricks like the secret button bug; workers wouldn’t know to push blank portions of the screen as part of the election-day audit.
Technology boasting a more secure voting environment may be on the way. On Tuesday, computer scientists at George Washington University are expected to unveil a system named Scantegrity, which uses optical scan ballots, invisible ink and a “fool-proof” confirmation code-based method for voters to ensure their ballots are counted correctly.
Although Rice’s Wallach favors optical-scan ballots as the best available technology, both he and Kiayias said there’s no reason why better electronic voting machines couldn’t be part of more trustworthy election processes in the near future.
One prototype built from scratch in Wallach’s lab, dubbed VoteBox and written with Java code that has already been released over the Internet, allows a suspicious voter to challenge it on the spot and require the machine to prove that it’s generating accurate votes. If not, Wallach said, the computer delivers the ultimate electronic mea culpa: the equivalent of a signed confession.