http://www.blackboxvoting.org
1/3/2006
Dec. 13, 2005: Harri Hursti performs devastating hack in
Leon County Florida with Diebold optical scan system, proving he could control
votes by manipulating a credit-card-sized memory card..
Jan. 3, 2006: Information received pointing to similar
vulnerabilities in the ES&S and Sequoia "Optech" optical scan
machines.
In an exclusive interview by BBV investigator Jim March with
Dr. Douglas Jones, University of Iowa associate professor and a former voting
machine examiner for the state of Iowa, it was learned that one of the most
widely-used voting machines over the last 15 years may suffer from design flaws
broadly similar to Diebold's version 1.94 and 1.96 optical scan system.
The first problem is that memory chip contents can be
modified with easy to obtain reprogramming devices, in ways that could enable
Hursti-style hacking.
The second problem is that Sequoia and ES&S have been
able to force their way into intimate access to the mechanics of democracy. The
electronic ballot controls were maintained exclusively by the vendors at the
vendor's headquarters rather than by county election staff.
Diebold took over total control of elections in counties
that allowed it. ES&S and Sequoia didn't give them a choice because of the
system's design. This effectively removed county officials from their proper
oversight role.
ORIGINS OF THE OPTECH MACHINE
Two of the four major voting machine companies have been
using an identical machine, the Optech, originally produced by Business Records
Corp (BRC).
BRC was the largest voting machine company in America when
ES&S purchased it in 1997. The SEC objected on anti-trust grounds, and in
the resulting decision, allowed ES&S to purchase BRC, splitting the Optech
scanners up between ES&S (service contracts for existing machines) and
Sequoia Voting Systems (sales of new machines).
Although now being phased out, Optechs have been used for 15
years without a peep from the federal testing labs, and without the public ever
being told of their vulnerabilities, nor of the vendor’s extraordinary level of
control over local elections.
SYSTEM DESIGN
According to Dr. Jones, the Optech machines are precinct
optical scanners originally developed in the late 1980s. They reflect the
technology of that period. They are
broadly similar to the Global/Diebold optical scanners designed around the same
time: These voting machines store votes on removable electronic memory devices
and print out an "end of day ticker tape" on paper similar to a cash
register tape, providing a precinct total of votes for each candidate and
issue.
The Optech machines don't use a credit card-sized memory
card – rather, they use a memory pack about the size of a pack of cigarettes.
This cigarette pack-sized device plugs into the body of the
scanner with a proprietary connection. The memory pack provides three things:
- A chip ("ROM" memory) which is difficult to
modify outside of a factory and contains the programming for the machine
("firmware") - An "EPROM" chip which is easier to modify
(more on that to follow) containing the ballot layout and precinct information
- Battery-powered memory chips to hold the vote totals
THE GOOD NEWS
As Dr. Jones points out, there's one advantage to this pack
design. Honest election officials can separate the scanner body from the pack
and send the large bulky scanner out to the field (precinct) days or weeks
ahead of the election. Tampering with
scanners that are missing the pack isn't really possible (other than to simply
vandalize it) because the "brains" aren't present to tamper with.
It’s the "memory pack" that needs to be held in strict security. The
memory pack can later be hand-carried to the precinct by a group of poll
workers and plugged into the scanner on election morning.
THE BAD NEWS
One reason the Hursti hack in Leon County resulted in a
failure is that Diebold's memory device holding the votes and critical programs
is both read-write (tamperable) and reader/writer devices like the Crop Scanner
are available commercially to alter the cards.
The ES&S/Sequoia memory pack has a funky connector. It
should be even more secure, right?
Not exactly.
JIM'S RIG-A-VOTE RECIPE
1. Unscrew the top of the pack.
The most critical chip holding the ballot/candidate/precinct
layouts is sitting right there in an easy-access socket.
2. Find a chip burner. Once the chip is out with a
screwdriver, you can find alteration devices (chip burner) for that chip even
more easily that you can find the Crop Scanner.
Tip for finding a read/write device: The chips is called an
"EPROM" - Electrically Programmable Read Only Memory .
Here are some examples:
http://www.stag.co.uk/products/EEprom_programmer.htm
http://www.action2k.com/topmax.htm
http://www.elettronicaceleste.com/celeste/programmatore_eeprom/sp280_uk.htm
3. Put the chip in the chip burner device connected to a PC
and read the contents. Edit at will
using your PC.
4. Peel the sticker off the back of the EPROM, exposing a
glass window. This makes the actual silicon surface visible through the glass.
It's a neat looking critter, shiny and with lots of tiny circuits that geeks
will love.
5. Put the chip in a tiny mouse-sized tanning booth. No,
we’re not kidding – exposure to UV light for 25 minutes erases EPROMs.
(Warning: We do not recommend putting in an actual mouse unless you can find
very small sunglasses for him.)
PICTURE:
http://testequip.com//sale/used/pictures/HES2152.jpg
6. Put the sticker back on the chip’s glass window and put
it into the chip burner connected to the PC, and download your tampered code
from your PC back to the chip.
7. Put the chip back into the "pack" and you’re
done.
We have no reason to think that the security of the chip's
contents is any better than in the Diebold environment. While this needs
testing, it appears that hacking could cause all votes to be switched between
any two candidates simply by altering the chip data.
Dr. Jones suggests the possibility of causing a minor party
candidate's votes to go to a major party candidate, in addition to the major
party candidate's proper votes. This
would have the "benefit" of harming a small parties, possibly denying
them ballot access. Each major party has at least one smaller party that tends to
take a small chunk out of them – the Democrats always lose a few candidates to
the Greens, the GOP loses a few to the Libertarians. Each major party would
like to see their smaller more radical cousin go away, and that sort of hacking
could do it.
THE WORSE NEWS
While moderately advanced hackers should be able to alter
the contents of these packs fairly easily, county election officials can’t.
Therefore, by design, the memory cards need to be programmed inside the
vendor’s corporate headquarters.
WILL THEY DO IT CORRECTLY?
Well let’s see: ES&S was partially owned by now-Senator
Chuck Hagel at the time Hagel won his first major political victory to get into
congress. Hagel’s victory in the primary was so stunning that it made national
news. According to CNN’s "All Politics," Hagel hoped he could make
lightening strike twice by winning the big prize – and he did. He defeated popular Democratic Governor Ben
Nelson who led in the polls since the opening gun in what the Washington Post
called "The major Republican upset in the November [1996] election."
(more: http://www.blackboxvoting.org/BBV_chapter-3.pdf)
Louisiana state elections chief Jerry Fowler was convicted
on felony charges of taking bribes from Sequoia officials for system purchase
decisions – one of Sequoia’s key people, Phil Foster, was indicted but the
charges were dropped after a judge concluded that his immunized grand jury
testimony couldn’t be used against him. (more:
http://www.blackboxvoting.org/BBV_chapter-8.pdf)
So, is turning over the very foundation of Democracy to
ES&S and Sequoia a good idea? We think not.
CONCLUSION
Nobody at the Federal or state testing labs seems to think
like a hacker and tries to find ways to defeat these things. For that matter,
nobody is paying attention to the basic ethics of the situation. No one ever
asked the American citizens whether we choose to remain a Constitutional
Republic versus a Corporate Republic.
Black Box Voting would like to do a "test hack" on
the Optech with the blessing of public officials in any jurisdiction. Because
these machines are not HAVA compliant, they are being phased out. We ask your
help in facilitating this opportunity.
"There is only one force in the nation that can be
depended upon to keep the government pure and the governors honest, and that is
the people themselves. They alone, if
well informed, are capable of preventing the corruption of power, and of
restoring the nation to its rightful course if it should go astray. They alone
are the safest depository of the ultimate powers of government."
-- Thomas Jefferson - END
-Black Box Voting is a nonpartisan, nonprofit 501c(3)
elections watchdog group supported entirely by citizen donations.
To support our work, go to
http://www.blackboxvoting.org/donate.html or mail to
330 SW 43rd St Suite K PMB 547 Renton WA 98055Black Box Voting