Hacking the El Paso Election

As some of you know, three of Veronica Escobar opponents filed a lawsuit demanding that the voting machines be audited, and a new election be held. This got me to thinking about something that has bothered me about electronic voting machines. Voting fraud has existed since elections were first held. Combating the fraud has evolved as technology is introduced. But the latest electronic machines have put easy fraud detection into the backburner. The question I have, is why?

Combatting vote fraud, or ballot stuffing, was relatively easy to detect by the most unsophisticated person, albeit one with time on their hands. With paper ballots, one just needed to physically count each ballot by hand or observe someone else count them to reach a tally. Anyone challenging the vote tally could be shown that the vote was valid by simply counting pieces of paper. You did not need to be sophisticated to understand the process. For this post, we’re only looking at ballot stuffing and not at other voter fraud such as casting multiple votes or unqualified individuals casting vote. The vote tally was easily proven by counting paper ballots.

But with electronic voting, proving ballot stuffing has now become a matter of trust us, the system is secure. Although computer forensics can detect data manipulation, testing the tallies requires a sophisticated understanding of computers, data storage and programming, not to mention systems security.

In other words, when the County of El Paso tells you its voter tallies are accurate, you must accept it as proof. In other words, you must trust the County to do the right thing.

According to the information provided by the Texas Secretary of State, El Paso County uses the Premiere/Diebold AccuVote machines. Besides El Paso, the following Texas counties use this machine, Collin, Guadalupe, Jackson and Lee counties.

The AccuVote machines rely on a memory card to tabulate the votes cast in each machine. The cards are PCMCIA cards, which are about the size of a credit card. Basically, the card is like a USB memory stick where a spreadsheet-like file records the votes cast by each voter, adding a new row of vote for each voter. Like a USB stick, anyone with a computer can access the card and change the data in it. The cards are also susceptible to viruses and trojans. It is important to note that this is only one way to interfere with the vote tabulation systems. There are many other ways, but for simplicity sake, we’ll focus on this method, as it is the easiest to accomplish and most difficult to detect.

Let’s say we were on a mission to change the vote records to favor a specific candidate. The easiest method would be to surreptitiously introduce a computer software trojan to the cards that keep the vote records in the machines. The trojan would be tasked with changing votes in the cards according to a predetermined script.

We don’t need to introduce it to all the machines, just a select few that go to heavy-turn out voting precincts. It is possible to introduce the computer virus at the county headquarters and thus infect all the machines, but the security would be tighter and thus would make it easier to be detected. Plus, there is no need to do so as all we would be after is to change votes in certain precincts to favor our candidate.

Now that we know we will be targeting only specific precincts, we just need to identify which memory cards we need to intervene.

The State of Texas certified the voting machines for use in Texas. In its 2006 report, the Secretary of State set conditions for the security of the machines. Texas requires that each voting machine be assigned a specific memory card that includes a “permanent serial number” on it. There is our first weak link in the security. To keep the “perpetual chain of custody record” required by Texas, a log must be kept of which memory card belongs to which voting machine.

To keep the memory card free from manipulation, the State of Texas requires that once the card is inserted into a voting machine, a “tamper-evident” and serialized label be attached to the door where the card is inserted into the machine. This opens the second weak link in the system. To verify that the memory cards has not been tampered with, the “integrity of the tamper-evident seal must be verified” by the presiding judge of the precinct before any vote is cast on the machine.

This makes one person the weakest link in the security process at each precinct. Whether due to incompetence, or because of corruption, removing the memory card and inserting malicious code may go undetected, because it relies on one person at the precinct to ensure it has not been tampered with.

How many of you that cast a vote in the last election would know to look for the card and the seal?

According to the 2006 State of Texas requirements for the voting machine, at the end of the election cycle, a report of votes cast must be printed at the precinct as well as an audit report. This must be done at the precinct and before the memory card is removed. It is unclear whether El Paso’s protocols require that the memory cards be removed at the precinct and be transported back to the county, or if the cards are removed at the county elections offices.

Regardless, to detect that the memory card was manipulated depends solely on the seal. Keep in mind that we are not adding votes to the memory card. Instead, the malicious code is changing certain votes during the day. By the time the vote report and the audit are printed, the damage has been done.

But wouldn’t the trojan be detected when the card is brought back to the offices? The trojan can be programmed to self-delete as its final activity. Surely, forensically, the county could detect that malicious code was introduced into the memory card?

Two things. The first is that the county would have to want to forensically investigate the election and then it would have to target the specific memory cards that were manipulated. But, even if the county were to order a forensic investigation, the technicality of it brings us back to the “trust” issue. Unless a technically proficient person were to challenge the results, the technical jargon and techniques would overwhelm most challengers to the election results.

But even if the county were to conduct a forensic investigation, the necessary forensic digital footprints in the memory cards could be manipulated as well.

In 2006, Princeton University professors conducted an experiment on the same machines currently used by the County of El Paso. According to their investigation, the machines are “vulnerable to extremely serious attacks.” It is important to note, that the manufacturers of the electronic voting machines refuse to allow their machines to be investigated under the guise of security. In other words, trust us.

The Princeton investigative team had to acquire their test machine from a “private party” that was selling it on the black market. The investigation found that “an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably.” [emphasis mine] The code can circumvent the various encryption systems used to detect intrusion into the systems.

Additionally, the study found that only one machine needed to be intervened and the malicious code could propagate to other machines during the election process.

But is this just theoretical or farfetched for an El Paso election?

Last year, the Virginia Department of Elections decertified several machines after they were “deemed insecure.” Among the voting machines that were decertified by Virginia is the one used by El Paso County, the AccuVote TSR6. El Paso County has 1,030 of these voting machines.

The underlining problem for Virginia was not that the machines could be hacked, but that a paper trail is not provided. When Texas certified that voting machine, it specifically ruled that the “optional AccuView Printer Module” was “not approved for use in Texas elections.”

Without a printed ballot to physically count each vote, it is not possible to show that votes were not manipulated. Were the votes manipulated? That is the underlining question that relies on the notion of “trust”. Therein lies the problem.

Oh, and the Russians intervened in the 2016 elections via social media and hacking. Just a little reminder for some of you.