The Dangers of Man-in-the-Middle in Voting Machines

The Election Day is fast approaching in every state in the country. Security experts and researchers from Vulnerability Assessment Team or VAT at Argonne National Laboratories made a video that demonstrates a simple and non-cyber man-in-the middle or MITM attacks on the voting machine – the Diebold AccuVote TS Electronic Voting Machine. The researchers Jon Warner and Roger Johnston inserted customized hardware costing only 10 dollars into the Diebold AccuVote TS.

They were able to read the touchscreen vote using it and they were able to alter the information that was stored within. Changing the electronic votes isn’t really new; however, with the addition of a 16 dollars, the team was able to have a remote control that can operate and perform the MITM attacks even if they were miles away from the machine. It was even stated that the levels of sophistication needed to accomplish the deed was comparably easy; even starters can accomplish it without any hardships.

The same multi-disciplinary team of Argonne National Laboratories that is composed of physicists, digital computer forensics experts, computer engineers, white hat hackers, security researchers and also social scientists has demonstrated the same flaws on the machines of Sequoia Voting Solutions.

After the controversial 2000 US presidential elections, various commissions on elections have studied the problems that appeared when counting the final votes in different states. The US Election Assistance Commission back in December of 2005 had adopted what we know now as Voluntary Voting System Guidelines or VVSG.  These guidelines were placed to establish the required minimum security standards for electronic voting machines. The guidelines from VVSG took effect in the 2007 elections and it is still applied until now. However, the simple hacks just like what the VAT performed are still relatively possible.

Diebold AccuVote TS electronic voting system is not a stranger to various controversies. Back in 2004, the California Secretary of State Kevin Shelley had de-certified Diebold AccuVote Machines after they found out that frauds were made in two counties in California – the Alameda county and also the San Diego county. Debra Bowen, the next Secretary of State who replaced Kevin Shelley back in 2007, commissioned a red team of researchers and experts with computer forensics training to evaluate all kinds of voting machines in the state of California – from the optical scanners to the punch cards.

The companies that were included were the Diebold Election Systems, Sequoia Voting Systems, Hart InterCivic and the Elections Systems and Software Incorporated. The results were staggering; all the machines of those companies were found out to be vulnerable to attacks. Thus, these electronic voting machines were de-certified and discontinued from being used until the issues and vulnerabilities were finally resolved.

Once the voting machine is finally certified by the election office, the voting machines are shipped into polling stations a few days before the election will be held. During this time frame, the machines are not in the safe and secure premises of election offices. The machines are store in libraries, schools and in some cases houses. In this period the machines could be tampered, certainly 26 dollars is just a small amount for someone who is desperate to win the elections.

Previously many researchers and experts who have completed computer forensic course have already shown how easy for them to open the electronic voting machines. They even found out that a machine’s physical key can be used in different voting machines and that they could even be ordered on the Internet. In fact, there was a training session on the recent Black Hat conference that was held in Las Vegas, Nevada. The training session was dedicated on how a person can remove the tamper-proof seals without voiding the warranty.

Unfortunately, ever since the 2000 elections, the voting technology has never pursued the importance of security. The most common controversy and issues that were being focused were the requirements for paper receipts – whether it is a safeguard against tampering of votes or is it a violation on the voter’s privacy. The experts and researchers of Argonne National Laboratories have reminded us that there are much more important concerns – it is the interruption of the voting circuitry – it is a concern, whether there are paper receipts or not.

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. They also offer trainings in computer forensics.

More information about EC-Council is available at www.eccouncil.org.

Leave a Reply