Every year, security researchers gather at Defcon’s Voting Village to probe voting machines and report on the longstanding, systematic security problems with them, in order to give secure voting advocates the ammunition they need to convince Congress and local officials to take action into improve America’s voting security.
Whether it’s showing that “secure” firmware can be dumped with a $15 electronic component or that voting systems can be hacked in minutes, the Voting Village researchers do yeoman duty, compiling comprehensive reports on the dismal state of America’s voting machines, nearly 20 years after Bush v Gore put the country on notice about the defective systems behind our elections.
This year’s report is the most alarming yet: it singles out the ES&S M650 tabulating machine, manufactured by Election Systems & Software of Omaha, Nebraska, which still has outstanding defects that were reported to the manufacturer a decade ago. The M650’s manifest unsuitability is so terrible that it would be funny if it wasn’t so serious: this is a machine that uses an operating system developed for the Blackberry phone (!) and then uses Zip cartridges (!!) to move data around.
The M650 is one of the most widespread pieces of equipment in American election systems, used to count in-person and absentee ballots by optically scanning ballot papers whose bubble-in forms have been filled in by voters. The system — connected to the internet by default — is used for county-wide tabulations in 23 states. As the report states: “Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.”
The researchers identified defects in other systems, too: one could be compromised in two minutes, less time than it takes the average voter to cast a ballot on it. Another could be wirelessly hacked with a nearby mobile device and made to register an arbitrary number of votes. The report goes on to warn about attacks on voting machine supply chains, which could compromise whole batches of machines before they even reached the polling place.
As always, this year’s Voting Village report closes with a set of clear, sensible recommendations, focusing on legislative and regulatory action as well as technical advice for manufacturers and electoral officials making purchase decisions.
This summer, Senate Republicans killed bipartisan legislation to fund additional cybersecurity funding for American election systems.
The machine in question, the ES&S M650, is used for counting both regular and absentee ballots. The device from Election Systems & Software of Omaha, Nebraska, is essentially a networked high-speed scanner like those used for scanning standardized-test sheets, usually run on a network at the county clerk’s office. Based on the QNX 4.2 operating system—a real-time operating system developed and marketed by BlackBerry, currently up to version 7.0—the M650 uses Iomega Zip drives to move election data to and from a Windows-based management system. It also stores results on a 128-megabyte SanDisk Flash storage device directly mounted on the system board. The results of tabulation are output as printed reports on an attached pin-feed printer.
The report authors—Matt Blaze of the University of Pennsylvania, Jake Braun of the University of Chicago, David Jefferson of the Verified Voting Foundation, Harri Hursti and Margaret MacAlpine of Nordic Innovation Labs, and DEF CON founder Jeff Moss—documented dozens of other severe vulnerabilities found in voting systems. They found that four major areas of “grave and undeniable” concern need to be addressed urgently. One of the most critical is the lack of any sort of supply-chain security for voting machines—there is no way to test the machines to see if they are trustworthy or if their components have been modified.
Defcon 26 Voting Village [Matt Blaze, Jake Braun, Harri Hursti, David Jefferson, Margaret MacAlpine and Jeff Moss]
Defcon Voting Village report: bug in one system could “flip Electoral College” [Sean Gallagher/Ars Technica]
John Frost writes, “Travis, a railroad engineer, recreated iconic buildings from Disneyland’s Fantasyland in his spare time. The result is an incredibly detailed and faithful recreation of facades to Mr. Toad’s Wild Ride, Snow White’s Scary Adventures and more.”
A reminder that I’m wrapping up my Columbia University lecture series tonight at 5PM, when I’m appearing onstage with Radiolab’s Jad Abumrad at the lecture theater in Pulitzer Hall (RSVP here); and then I’m heading to Swarthmore tomorrow, to give a talk at the Lang Performing Arts Center Room (LPAC) 101 Cinema from 7-9PM. Both […]
In All You Need is “Love”: Evading Hate Speech Detection, a Finnish-Italian computer science research team describe their research on evading hate-speech detection algorithms; their work will be presented next month in Toronto at the ACM Workshop on Artificial Intelligence and Security.
Between your work, emails, family, and friends, you’ve got a lot of responsibilities on your plate and hardly any time to tend to them all. Thankfully, you don’t have to go at them alone. From task managers to smart calendars, we’ve found 8 of the best productivity tools to help you stay on top of […]
Do your college essays still give you nightmares? You’re not alone. A blank page or screen can be a terrifying sight, but a University of Cambridge tutor’s new course can help you hit that keyboard with confidence. Dr. Clare Lynch has de-mystified academic writing and communication for students, business executives and government officials worldwide, and […]
One great use of the Force is chores – telekinetically, of course. Samsung may not exactly be the Force, per se, but they are at least making vacuuming a whole lot easier and more fun. Their POWERbot Star Wars Limited Edition Stormtrooper Robot Vacuum is just too cute not to order around. Like Samsung’s standard […]