How to Steal an Election by Hacking the Vote - repo.zenk-securit...
http://arstechnica.com/articles/culture/evoting.ars

the accumulator and every other machine on the network, tainting all of the results for that precinct. And if those machines are networked wirelessly(!!), then a fraudster with a laptop and a wireless card in a car outside the precinct building could conceivably have his way with all of the votes in the building.

Cracking the central tabulation (GEMS) server

The GEMS server deserves special attention as a weak point in the design of the overall system. This server is a typical PC with a typical PC software stack. In fact, I could conceivably reuse my depiction of the AccuVote TS software stack in Figure 6 by replacing "Windows CE" with "Windows XP," "System Software" with "GEMS," and "BDF" with "GEMS database."

The GEMS database stores all of the votes collected from precinct accumulators, and it's used to do the vote tabulation for a county. Because it's so sensitive, you might think it would be tightly secured. But you'd be wrong.

The GEMS database is a vanilla, unencrypted Access database that anyone with a copy of Microsoft Access can edit. So if you have physical access to the GEMS server's filesystem (either locally or remotely), then it's not too hard to just go in and have your way with the vote totals. If Access isn't installed, just install it from a CD-ROM, or connect remotely from a laptop and edit the database that way. Or, if you want to filch the database, upload vote-stealing software, or do something else evil, you could always carry along a USB drive in your pocket.

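The weakness above is that nothing ties a stored total to what a precinct actually reported, so a direct table edit leaves no trace. The following is an added example, not code from the article or from Diebold: it audits a totals table against per-row HMAC tags recorded at upload time and kept off the server. SQLite stands in for the Access database, and the table layout, key, and precinct data are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: the audit key is held by auditors and never stored on the tabulation server.
AUDIT_KEY = b"constructed-demo-key"

def row_tag(precinct, contest, candidate, votes, key=AUDIT_KEY):
    """HMAC-SHA256 over a length-prefixed (unambiguous) encoding of one totals row."""
    fields = [precinct, contest, candidate, str(votes)]
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_demo_db():
    """In-memory SQLite stand-in for the central totals table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE totals (precinct TEXT, contest TEXT, candidate TEXT, votes INTEGER)")
    rows = [("P-01", "Mayor", "Alice", 412), ("P-01", "Mayor", "Bob", 388),
            ("P-02", "Mayor", "Alice", 295), ("P-02", "Mayor", "Bob", 301)]
    db.executemany("INSERT INTO totals VALUES (?, ?, ?, ?)", rows)
    # Tags recorded when each precinct uploads, stored away from the server.
    ledger = {r[:3]: row_tag(*r) for r in rows}
    return db, ledger

def audit(db, ledger):
    """Return findings for rows altered, added, or deleted since the ledger was written."""
    findings, seen = [], set()
    query = "SELECT precinct, contest, candidate, votes FROM totals"
    for precinct, contest, candidate, votes in db.execute(query):
        key = (precinct, contest, candidate)
        seen.add(key)
        expected = ledger.get(key)
        if expected is None:
            findings.append(("unexpected_row", key))
        elif not hmac.compare_digest(expected, row_tag(precinct, contest, candidate, votes)):
            findings.append(("altered", key))
    findings += [("missing_row", k) for k in sorted(set(ledger) - seen)]
    return findings

if __name__ == "__main__":
    db, ledger = build_demo_db()
    print(audit(db, ledger))  # untouched table: no findings
    # Simulate the kind of direct edit the article describes, then re-audit.
    db.execute("UPDATE totals SET votes = 488 WHERE precinct = 'P-01' AND candidate = 'Bob'")
    print(audit(db, ledger))
```

The check only has value if the ledger and key live somewhere the tabulation server's administrators and removable media cannot reach; stored beside the database, both could be rewritten along with the totals.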
Many GEMS servers are connected to a modem bank, so that the accumulators can dial in over the phone lines and upload votes. One team of security consultants hired by the state of Maryland found the GEMS bank by wardialing, discovered that it was running an unpatched version of Windows, cracked the server, and stole the mock election. This great Daily Show segment, in which one of the team members describes the attack, states that they did this in under five minutes.

If the GEMS server is somehow connected to the Internet, and some of them are (in spite of Diebold's strong recommendation that they not be), then any one of a billion script kiddies who can crack a Windows box can have a field day with the election...

I could go on here with the hypotheticals, but let's take a look at how this is alleged to have played out in the real world, this past August in Shelby County, Tennessee:

Evidence from election official declarations and discovery documents obtained in litigation over a recent election using Diebold machines reveals that:

• Illegal and uncertified Lexar Jump Drive software was loaded onto the Diebold GEMS central tabulator, enabling secretive data transfer on small USB "key chain" memory devices. This blocked election transparency and raises questions as to whether hidden vote manipulation may have taken place.

• Other uncertified software of various kinds was loaded onto the system and, according to the event logs examined, was used. This opened the door for hand-

Copyright © 1998-2006 Ars Technica, LLC