Hack the vote: Cyber experts say ballot machines easy targets

The recent cyber theft of millions of personnel records from the federal government was sophisticated and potentially crippling, but hackers with just rudimentary skills could easily do even more damage by targeting voting machines, according to security experts.

Voter fraud is nearly as old as elections themselves, and different states and precincts use different voting systems and machines. But in many cases, even the electronic ballots could be manipulated remotely, according to a new report by the Commonwealth Security and Risk Management for the Virginia Information Technologies Agency. That report found that the AVS WINVote machines Virginia has used since 2002 have such flimsy security that an amateur hacker could change votes from outside a polling location.

“This means anyone could have broken into the machines from the parking lot,” said Cris Thomas, a strategist with the Columbia, Md.-based Tenable Network Security, one of the nation’s leading cyber and enterprise security firms. “Our entire democracy depends on systems with minimal, easily bypassed security.”

The report was commissioned after one precinct in Virginia reported “unusual activity with some of the devices used to capture votes,” during last November's statewide elections.

“Security deficiencies were identified in multiple areas, including physical controls, network access, operating system controls, data protection, and the voting tally process,” the report found. “The combination of critical vulnerabilities in these areas, along with the ability to remotely modify votes discretely, is considered to present a significant risk. This heightened level of risk has led VITA security staff to conclude that a malicious third party could be able to alter votes on these devices. These machines should not remain in service.”

Mississippi and Pennsylvania decertified the machines years ago, because they used an outdated version of Windows that had not been updated since 2004 and had default passwords that could allow for wifi access, Thomas noted.

The report is “very alarming,” said Hans von Spakovsky, manager of the Election Law Reform Initiative and senior legal fellow for The Heritage Foundation, noting that while there is no evidence that a Virginia election was compromised because of these security vulnerabilities in the WINVote machines, there is no way to really know.

“Anyone who thinks that there are not folks out there – from lone hackers to foreign governments – who are willing to exploit the security vulnerabilities of our election system is living in a fantasy world,” said von Spakovsky, who co-authored the book, “Who’s Counting? How Fraudsters and Bureaucrats Put Your Vote at Risk.”

Similar vulnerabilities have been previously discovered in machines from Diebold, Premier Election Solutions, Sequoia, Hart, ES&S and others, Thomas said. FoxNews.com reported in 2011 about problems with Diebold Accuvote TS electronic voting machines.

The problems fall into two areas, Thomas said. Manufacturers are not sufficiently testing systems before selling them to municipalities, often using off-the-shelf hardware and software with minimal security; and local government certification agencies seldom have the time, resources or knowledge to properly test machines for vulnerabilities and often just accept the manufacturer’s claims for security.

The National Institute of Standards and Technology and the Election Assistance Commission have a program to help municipalities certify election machines, but, Thomas noted, participation in the program is voluntary.

Reports in Virginia and other states over the past few years about the low quality of the software and hardware used in electronic voting machines make it even more important that the standards for such machines be upgraded, said von Spakovsky.

John Fund, co-author of two books on voter fraud, agreed.

“We trust ATMs with our money, but companies spend a lot on the technology to make them reliable,” said Fund, who details many election vulnerabilities in his book, “Who’s Counting? How Fraudsters and Bureaucrats Put Your Vote at Risk.” “We spend a tenth of the cost of an ATM on our voting machines even though they carry the currency of our democracy. We need to spend more on them to increase public confidence in their results.”

Many critics call for voting machines to have a voter-verified paper audit trail (VVPAT) so that voters can verify that the vote that was cast was in fact the vote they placed. However, Thomas noted that while VVPATs do offer one more layer and allow for an audit trail, they are not a foolproof solution, they do increase costs, and they can be difficult to install and manage.

A “better alternative,” von Spakovsky said, is the optical scan ballot, which counts votes at the speed of a computer scanner, while keeping original paper ballots so any question over the software or other issues can easily be resolved.

Evidence that the interest in tampering with U.S. elections could extend beyond our shores came recently when the federal government declassified dozens of books found in Usama bin Laden's Pakistan compound during the May 2, 2011 raid in which the terror kingpin was killed by Navy SEALs.

Among the titles was “Black Box Voting: Ballot Tampering in the 21st Century,” by Bev Harris.