Hack the Vote


The Princeton University Center for Information Technology Policy has published a report disclosing security vulnerabilities that researchers have detected in Sequoia's AVC Advantage voting machine. According to the researchers, the machine can be completely compromised by replacing a single ROM chip--a task that they were able to complete in only seven minutes.

More here.

It's been five years since I first wrote about the insecurity of electronic voting machines. From that 2003 article:

"There isn't a system that has all I want" in terms of security, cost and ease of maintenance, says Tom Stanionis, head of data processing for Yolo County, near Sacramento. Yet he says he is being rushed into choosing new machines.

What's changed since then? The feds have forced a lot more of the iffy machines into polling places, and evidence of their insecurity has continued to mount.

There's a valuable lesson here about mixing politics and IT, and about the limits of technology. I'm headed into an interview with Bruce Schneier, this is on my list of topics to discuss.


3 Comments for "Hack the Vote"

  • Ed Cone October 25, 2008 6:00 pm

    anon -- the danger is not you showing on voting day to break into a machine, it's someone doing it ahead of time. From the AT article: "On top of all of that, the researchers point out that New Jersey's physical security for the machines is poor and that it is easy to gain sufficient access to unattended voting machines." As far as the net, the voting machines may connect to a central tabulating computer, which has net connectivity, and also may get upgrades via a network.

  • Anonymous Security Guy October 24, 2008 7:39 pm

    I'm a bit troubled by some of the things that voting machine security gets beat up with. Don't get me wrong, I don't think they are perfect. But, come on. Show up at a polling place with a toolkit to dismantle the machine to replace a chip, insert a USB device, etc., etc.???? I don't know about you, but at my polling place, you'd stand out like an extremely sore thumb if you had to dismantle the machine. Then there are the network hack attacks. First, why would anyone put these devices on ANY network that would connect to the Internet? Yes, accidents will happen, but I would like to believe that our government IT departments are a bit more competent than what we think. Whether they are logically segregated or physically segregated, if no outsider has access, how do you hack it? And for those of you that say you'll bring your notebook with you, I point you to my first point. You'll stand out if you try to hook up your notebook in that tiny little booth. In they end, you don't hack these systems either. The bottom line is that I think there needs to be some realism brought to security testing of these devices versus what we have now which is EVERY POSSIBLE risk, a lot of which are virtually impossible to execute.

  • Robert MacNaughton October 24, 2008 11:45 am

    I quit reading Ars a few years ago, since I wasn't getting much out of the site. Quality of the site has always impressed me, and the link you provide seems to indicate a continued focus on quality. I'm really glad to see them writing on this issue. RBM

Leave a Comment