
Cylance Discloses Voting Machine Vulnerability - rsobers
https://blog.cylance.com/cylance-discloses-voting-machine-vulnerability
======
Shank
I worked as an election judge in the 2012 general election in Arapahoe County,
Colorado. We had these exact machines. What isn't pictured is the physical
security performed with them.

Typically, tamper seals that are identifiable as broken are placed on all
access doors (including the power switch, data load slots, etc), access
panels, and openings on the device. All seals were verified intact before and
after the election, and no voter was ever permitted in the back of the access
panel where the firmware update would take place.

Before the machine starts, it gives a "zero" report which is verified
independently by poll watchers, and confirms candidate choices are in place as
needed. When the polls are closed, we seal everything again before the
machines are sent back for reporting (at which point the seals are checked and
verified prior to dumping results).

If this was really a damaging hack, the protective counter & live counters
would show different numbers than what the machine read, but that didn't
happen. It very clearly was tampered with, which means these physical measures
would counteract any unwanted firmware updates during an election. It's
preposterous to think that election judges aren't actively verifying seals
during election day and making sure nobody is tampering with them.

~~~
slim
You mean I could void all the votes simply by tampering with the seal? Seems
like an easy attack.

~~~
Shank
The answer to many physical security questions is "it depends." I don't have
my materials on me anymore, but in general, seal tampering means a lot of
extra scrutiny on the people watching the machines and transporting them. The
chain of custody will pin the blame on the last person who signed off, and
things get investigated as needed.

The system doesn't typically have something in place that says "if
(sealVoided) { throw out election }"; it just means that additional precautions
are taken to ensure everything is good. It's never a binary answer,
unfortunately.

------
peterarmstrong
Dear America,

This all sounds complicated and insecure.

Why can you not just do paper voting with simple ballots, like in Canada?

Yes, you have 10x the people, but just get 10x the human counters and
scrutineers. Counting is parallelizable.

We run elections and get accurate, verifiable results in the same day.

Ours aren't as nasty as yours are, and we still have better anti-fraud than
you do, since every paper ballot can be counted, as many times as needed. And
since the thing which is counted is the same physical thing which can be
audited, we can always verify the results if anything goes wrong.

You had some problems with your ballots 16 years ago, and we're not sure
why you haven't fixed this by now. After all, you've gotten people to the moon
and robots to Mars--surely you'd want a fair, verifiable presidential
election? (Especially when one of the two candidates is, frankly, terrifying
to all your friends around the world.)

Love, Canada

~~~
cperciva
_Why can you not just do paper voting with simple ballots, like in Canada?_

As much as I like Canada's easily audited voting system, there's a good reason
for the US to not use a simple way of counting votes: They don't have simple
_ballots_. Rather than just voting for one MP, as we do, a typical American
might be asked to vote for a President, a Senator, a Representative, yes/no on
17 state propositions, a State Senator, a State Representative, the BART
Director, the City College of San Francisco Board of Trustees, the San
Francisco Public Schools Board of Education, a Superior Court Judge, and
yes/no on 25 city measures.

In order for those to be counted the same way as we do in Canada, you'd need
to hand the voter a book of 51 ballots and have them dropped into 51 separate
boxes...

~~~
hubert123
How do you even come up with these weird convoluted non-arguments, we have
many choices on a single ballot here too. It's called a list. You can put
lists on paper.

~~~
cperciva
In Canadian federal elections, the vote counting process is:

1. Open the box.
2. Dump the ballots onto the table.
3. Make sure the box is empty.
4. Pick up ballots one by one, say "this looks like a vote for Mr. X", and
place into the appropriate pile.
5. Count how many ballots are in each pile.

This _particular_ process doesn't work if you have multiple choices on one
ballot. I'm not saying that you can't use paper ballots for more complex
elections -- you absolutely should, for the well-known verifiability reasons
-- just that the counting process is never going to be as simple as the
Canadian (or UK) process.

~~~
lolc
Where I live, the ballots we use are cut into one piece per question. Then the
pieces are counted separately.

There was a court argument over the use of scales by some municipalities. The
scales are used to weigh piles of votes to determine vote count. So ballots
with multiple questions are cut, sorted, then weighed. I'm looking into lead
pens to give my vote more weight :-)

------
alexandercrohde
I think it's high time we start taking these concerns seriously. If state
actors can accomplish stuxnet, then hacking a voting system seems well within
the realm of technical possibility.

Fortunately, there are pretty simple policies we can enact to prevent fraud
and give faith in elections (both in America, as well as other countries). If
you care, I'd perhaps start at
[https://www.verifiedvoting.org/](https://www.verifiedvoting.org/)

~~~
empath75
They don't even need to throw the election. Two or three machines with absurd
results in favor of Clinton or Trump would be enough to push the county into
civil unrest.

~~~
Pinckney
Absurd results aren't what you want, since they're readily dismissed as
localized, and people could believe that hacking had no effect on the overall
result. You want to prove that hacking took place, but subtly, so that people
can imagine it was widespread.

More effective would be to preselect a precise number of votes for a few
machines in a swing state, with totals just 3-4 percentage points higher than
what polling indicates for that precinct. Email a few journalists before the
election: "I'm an engineer working to hack the election for Clinton, but I'm
sickened by it and I want to blow the whistle... attached are encrypted
tallies for the voting machines we compromised in precinct XXX. I know we have
a team in YYY and I think in ZZZ, but I wasn't able to get data for those
machines out. Decryption keys will follow Nov 15th."

~~~
rblatz
If you used a one time pad you could skip the whole hack the election part and
generate a key that reflects the actual totals after they've been published.

~~~
newjersey
Hm... Is it a crime to write an email, not under oath, to a journalist
accepting responsibility for a crime that one didn't commit (and had no idea
was taking place)? I'd like to answer no but I'm sure a judge would use the
"fire!" in a crowded movie theater analogy to answer in the affirmative.

------
mpweiher
I really don't see what problem these machines are solving, except for "as an
operative, I would like additional vectors to manipulate the election".

In Germany, we get

(a) a paper ballot

(b) a pen

Works perfectly. And quickly.

~~~
rblatz
How are the paper votes tabulated? If it's by machine you've just kicked the
can further down the road.

~~~
mpweiher
By hand.

~~~
jackweirdy
Same in the UK. Anyone who can vote can also take part in "The Count", where
groups of volunteers count the votes in regional centres.

~~~
chipperyman573
Wouldn't that be easy to spoof numbers? Getting a few hundred people to add 10
or 15 to a candidate in a swing state could make a huge difference.

~~~
tajen
There are 3 volunteers to tell, write and cross-check the paper ballot; and
it's a public audience, meaning that there are a bunch of witnesses, including
families who want to teach kids why the votes can be trusted, and party
representatives who want to check that the election is not tampered with. It's
hard to cheat when so many people can testify.

------
noir-york
Democracy must not only be done, but also seen to be done. Trust in that most
essential of democratic processes - vote counting - must be absolute.

Approaching vote counting as a mere technical problem that can be solved with
enough technical safeguards misses the point. You cannot just ask a democracy
to beta test vote counting and fix the bugs post-election - that will kill
trust in the process.

Politics is polarised enough as is and you will find demagogues who will latch
on to anything to reduce the legitimacy of an election.

It shouldn't even be up for discussion that trust and legitimacy are the most
important goals in vote counting. Stick to paper voting and only introduce
e-voting in parallel and not as the authoritative and final vote counting
solution.

------
sfifs
I wonder why countries don't use India's simple and scalable electronic voting
systems. The latest ones have voter verified paper audit trails. They even
have pooling systems to prevent counts from any single voting booth becoming
known, to prevent voter intimidation.

[https://en.m.wikipedia.org/wiki/Electronic_voting_in_India](https://en.m.wikipedia.org/wiki/Electronic_voting_in_India)

~~~
tribby
I believe you've answered your own question, unfortunately.

------
jakeogh
Why Electronic Voting is a BAD Idea - Computerphile:
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

------
godelski
Really what it seems is that we need more audits on machines. If democracy is
to be a pivotal part of our election process we need to release the source
code of these machines to ensure that we find and solve problems.

~~~
seanwilson
Seems like a decent place to apply formal verification as well to show the
machines are bug free. Voting machines are critically high impact if they have
bugs and (famous last words) the complexity of the software seems low.

~~~
kijin
The counting app itself might be low-complexity, but I'm pretty sure the app
runs on some kind of off-the-shelf OS with hundreds of millions of lines of
code and at least a few known vulnerabilities.

A somewhat outdated version of Windows is a common choice, as is some random
non-LTS version of Ubuntu. I don't think OpenBSD is particularly popular among
self-serve kiosk manufacturers.

~~~
DSMan195276
I think it's worth adding that if it _doesn't_ use some off-the-shelf OS,
then the complexity of the software just jumped a few levels because you're
talking about writing a lot more lower-level components to make it work. Using
an off-the-shelf OS is almost definitely the better way to go unless there's
some obvious reason that it won't work (like architecture issues). I would
also add that the choice of OS matters a lot less than configuration; if you
do your configuration carefully and strip down the active components in the
system, then you can make any of them secure enough for this task. And if you
do a poor job of it, then even OpenBSD isn't going to save you.

That said, while I do agree the voting software should be open-source in
principle, I'm not really as concerned with hackable bugs in that software
that can only be exploited through physical means. If they have physical
access to the machine like in this video then you're already shot - ideally
you have preventive measures that will make it obvious when physical access
has occurred. If you don't physically secure the machine, then it doesn't
really matter how good the code is.

------
seanwilson
Is there any way you can prevent hacks like this that require physical access?
I guess cryptographically signing the updates, adding tamper proof seals and
requiring multiple people to approve updates would help. The general mantra
however is that once a hacker has physical access to your machine all bets are
off.

Also, what happens if there's a random hardware/software glitch where
incrementing one vote actually increments 10 votes? Is this checked for? How
much reliance is there on the software and hardware being error free?

~~~
Shank
We definitely have seals, but for technical solutions, look at how Apple
secures their devices. Signed firmware updates, public key crypto, and a well
thought chain of trust solve these issues.

The problem is that the actual poll creation is done on a per county basis. I
don't know how you would do this in such a way that every random county and
precinct in America could have signing keys, firmware updates, etc., just
sitting around ready to roll to build elections with.

~~~
seanwilson
> The problem is that the actual poll creation is done on a per county basis.
> I don't know how you would do this in such a way that every random county and
> precinct in America could have signing keys, firmware updates, etc., just
> sitting around ready to roll to build elections with.

You mean creating and distributing the keys would be problematic if every
county had their own keys? Are there any practical solutions to this?

Couldn't you only have a few keys that are used for many counties and updates
should be verified and signed by multiple people? Each county could still
verify that the contents of the update were correct (e.g. correct names on the
ballot).
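
Shank's pointer to signed firmware and a chain of trust, and seanwilson's follow-up about a few shared keys with multi-person approval, can be sketched as a quorum check: an update image is accepted only when enough distinct, pre-authorised key holders have signed its digest, and each county can independently compare that digest against the ballot definition it reviewed. The Go program below is an added example written for this page, not code from Cylance, the machine vendor or any commenter; the approver names, the quorum of two, and the firmware bytes are constructed, and the keys are held in memory only for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Approval is one key holder's Ed25519 signature over the SHA-256 digest of an update image.
type Approval struct {
	SignerID  string
	Signature []byte
}

// Approver is a named key holder authorised to sign updates. In a deployment the
// private key would live in an HSM or smart card; here it is in memory (constructed).
type Approver struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Policy lists the authorised public keys and how many distinct approvals an update needs.
type Policy struct {
	Approvers map[string]ed25519.PublicKey
	Quorum    int
}

// NewApprover generates a fresh key pair for a key holder.
func NewApprover(id string) (Approver, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Approver{}, err
	}
	return Approver{ID: id, Pub: pub, priv: priv}, nil
}

// NewPolicy builds a quorum policy from the given approvers.
func NewPolicy(quorum int, approvers ...Approver) Policy {
	p := Policy{Approvers: make(map[string]ed25519.PublicKey), Quorum: quorum}
	for _, a := range approvers {
		p.Approvers[a.ID] = a.Pub
	}
	return p
}

// ImageDigest is the hex SHA-256 of the image; a county compares it with the digest
// printed on the signed release record for the ballot definition it reviewed.
func ImageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// Approve signs the digest of the image with this approver's key.
func (a Approver) Approve(image []byte) Approval {
	sum := sha256.Sum256(image)
	return Approval{SignerID: a.ID, Signature: ed25519.Sign(a.priv, sum[:])}
}

// VerifyUpdate returns nil only if at least Quorum distinct authorised signers have
// signed this exact image. Unknown signers and repeat approvals by one signer are not
// counted; an invalid signature from an authorised signer fails the update outright.
func VerifyUpdate(p Policy, image []byte, approvals []Approval) error {
	sum := sha256.Sum256(image)
	seen := make(map[string]bool)
	for _, a := range approvals {
		pub, ok := p.Approvers[a.SignerID]
		if !ok || seen[a.SignerID] {
			continue
		}
		if !ed25519.Verify(pub, sum[:], a.Signature) {
			return fmt.Errorf("invalid signature from authorised signer %q", a.SignerID)
		}
		seen[a.SignerID] = true
	}
	if len(seen) < p.Quorum {
		return fmt.Errorf("only %d of %d required approvals present", len(seen), p.Quorum)
	}
	return nil
}

func main() {
	sos, _ := NewApprover("state-election-office")
	vendor, _ := NewApprover("vendor-release-key")
	clerk, _ := NewApprover("county-clerk")
	policy := NewPolicy(2, sos, vendor, clerk)

	image := []byte("constructed firmware + ballot definition bytes")
	fmt.Println("image digest:", ImageDigest(image))

	fmt.Println("two approvals:", VerifyUpdate(policy, image, []Approval{sos.Approve(image), clerk.Approve(image)}))
	fmt.Println("one approval: ", VerifyUpdate(policy, image, []Approval{vendor.Approve(image)}))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // a single flipped bit after signing
	fmt.Println("tampered:     ", VerifyUpdate(policy, tampered, []Approval{sos.Approve(image), vendor.Approve(image)}))
}
```

The check fails closed in both directions a practitioner cares about: too few distinct approvers, and any approver's signature that does not match the image actually present on the device.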

------
imode
lovely! more paranoia about the upcoming competition for a single political
position.

as if I needed more of a reason to say "wow, this is rigged", now I see this!

I can't imagine how well this will go. november is a cake walk. january is
where the fun starts.

------
based2
[https://www.schneier.com/blog/archives/2006/11/voting_techno...](https://www.schneier.com/blog/archives/2006/11/voting_technolo.html)

------
top_post
"The decision to announce the research findings was intended to encourage
increased sales and revenue for Q4 2016."

~~~
rsobers
Ugh.

~~~
code_duck
Not sure if you are aware, but the actual quote is "The decision to announce the
research findings was intended to encourage remediation of the vulnerabilities
prior to Election Day".

~~~
campuscodi
3 days before the election.... sure it was...

~~~
code_duck
It doesn't seem likely they were seeking contracts or revenue at this time
either. Perhaps making a political statement?

