Report: E-Voting Machines Easily Hacked

e-voting hacker firmware

The study found that by prying one ROM chip from its socket and pushing a new one in, or by replacing the Z80 processor chip, votes could be altered. In addition, the chip can be programmed to run only on Election Day, thereby eluding detection during equipment tests.

"Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges," the report states. There are no paper audit trails on this machine; all electronic records of the votes are under control of the firmware.

The report recommends a system that incorporates "software independence"—votes would be auditable independent of the behavior of any computer software. The only currently available technology that combines computer technology with software independence is the voter-verified paper ballot. An individual paper record of each vote cast is seen and verified by the voter at the time the vote is cast. That vote is then collected in a ballot box so that it can be recounted by hand if necessary.

The researchers found that anyone with undergraduate training in computer science could hack these machines. In addition, they reported that the tampering could also be done by reverse-engineering the firmware and that a hacker does not need full access to the source code to do so.

Sponsored post

Sequoia is vigorously defending the machine's capabilities, claiming that simple, established, and previously used accuracy and security protections - which the manufacturer claims were removed from the Advantages studied in the report -- make the items in their report, "next to impossible," said Edwin Smith, Vice President of Compliance and Fulfillment for Sequoia Voting Systems.

Sequoia released a report of its own, in which it noted that the Princeton team evaluated the AVC Advantage against inappropriate standards.

"For example, the academics declare that the Advantage 'must be correct in all circumstances,'" without explaining that nothing can meet this standard -- not mechanical systems, not electronic systems, and not human systems," according to the Sequoia report.