Brad Blog: National Security Lab Hacks Diebold Touch-Screen Voting Machine by Remote Control With $26 in Computer Parts

Hack team leader: 'Can do similar things on pretty much every e-voting machine'...

-By Brad Friedman

September 27, 2011- The Vulnerability Assessment Team (VAT) at the U.S. Dept. of Energy's Argonne National Laboratory in Illinois has managed to hack a Diebold Accuvote touch-screen voting machine in what I describe at my exclusive today at Salon as perhaps "one of the most disturbing e-voting machine hacks to date."

As noted by the computer scientists and security experts at Argonne's VAT, largely all that's needed to accomplish this hack is about $26 and an 8th grade science education.

"This is a national security issue," VAT team leader Roger Johnston told me, echoing what I've been reporting other computer scientists and security experts telling me for years. "It should really be handled by the Department of Homeland Security."

Johnston should know. While the VAT folks have been dabbling in the security (or lack thereof) of e-voting systems in their spare time of late, most of the work they do is related to issues like nuclear safeguards and non-proliferation.

What makes this hack so troubling --- and different from those which have come before it --- is that it doesn't require any actual changes to, or even knowledge of, the voting system software or its memory card programming. It's not a cyberattack. It's a "Man-in-the-middle" attack where a tiny, $10.50 piece of electronics is inserted into the system between the voter and the main circuit board of the voting system allowing for complete control over the touch-screen system and the entire voting process along with it.

Add an optional $15 radio frequency remote control device, and votes can be changed, without the knowledge of the voter, from up to half a mile away. Without the remote, the attack can be turned on and off at certain times, or by other triggers. The voter would have no idea that their votes have been changed after they've already approved them as "correct" on the various confirmation screens, and even on the so-called "paper-trail" (on e-voting machines which offer them --- though VAT has learned how to manipulate those as well, see photo at right.)

The inserted chip can later be removed after the election without there being any way to ever know that someone had completely manipulated the system. But since election officials rarely --- if ever --- examine the inside of their voting machines, it doesn't much matter, in truth.

"The level of sophistication it took to develop the circuit board" used in the attack "was that of basically an 8th grade science shop," says Argonne's John Warner. "Anybody with an electronics workbench could put this together."

The team, he says, had no knowledge of the voting machine's computer circuit diagram or owner's manual when they devised the attack. Moreover, VAT team leader Roger Johnston told me they believe they "can do similar things on pretty much every electronic voting machine." Indeed, in 2009, with little fanfare, they were able to carry out a similar manipulation of a Seqouia AVC Advantage e-voting system (as used across most of the state of New Jersey, for example). You can see that video demo here.

The team at Argonne has shared their demo video of the new Diebold Accuvote hack exclusively with The BRAD BLOG, as posted below. But please go check out the full details over at Salon (where we've embedded the video as well). The full details are chilling --- particularly as about 20% to 30% of U.S. voters are still set to use Diebold touch-screen systems, and others very similar to it, across the nation in the 2012 election cycle, no matter how many years The BRAD BLOG has been desperately trying to illustrate that these systems are simply antethetical to American democracy.

Among the states where voters will use these systems on Election Day in 2012, according to VerifiedVoting.org: Georgia, Maryland, Utah, Nevada, New Jersey, Pennsylvania, Indiana, Missouri, Texas and many more.

Almost five years ago to the day, I broke the story of Princeton's landmark Diebold Virus Hack in another exclusive for Salon. So while I'm delighted to break the news of this new type of hack over there today, it's somewhat frustrating that it's even necessary at this point, as we head into yet another Presidential election cycle having changed so little despite all that we've learned. Nonetheless, please go check out my story over there today.

* * *

Beyond that, the video demonstration itself from Argonne, of the remote hack of a Diebold Accuvote touch-screen system follows below...

VIEW IN ORIGINAL CONTEXT: