Hacking Voting Machines For Election Security
IRA FLATOW, host:
You're listening to SCIENCE FRIDAY from NPR News. I'm Ira Flatow. Up next, keeping an eye on voting technology. Hanging chads, pregnant chads, dimpled chads, I'm sure you remember those from the 2000 presidential election. And no one wants to relive that, and manufacturers of electronic voting machines promise to rid us of punched-paper problems.
But have we exchanged one ballot-box bogeyman for another? Now computer scientists have demonstrated just how easy it is to hack into electronic voting systems and steal votes.
Our next guest pioneered a new technique that can hack into older, seemingly more secure voting machines used in New Jersey and Louisiana. Hovav Shacham joins us by phone from Palo Alto to discuss the hackability of electronic voting machines, election security, and the best way to run an election with the machines you have.
Dr. Shacham is a professor of computer science at UC San Diego Jacobs School of Engineering, and he was member of California's 2007 top-to-bottom review of the voting machines used in California. Welcome to SCIENCE FRIDAY.
Dr. HOVAV SHACHAM (Computer Scientist): Thanks for having me.
FLATOW: What did you do?
Dr. SHACHAM: Well, so I should say that this is research that we conducted in a collaborative team with other folks at UC San Diego, as well as University of Michigan and Princeton, and what we did is study the security of the Sequoia AVC Advantage Voting Machine, which, as you said, is an older design.
FLATOW: How did you get one?
Dr. SHACHAM: We were allowed to study the machine by Andrew Apell(ph), who bought the machines at auction when a county in North Carolina decommissioned them. He paid, I believe, $82 for a lot of five machines.
FLATOW: Eighty-two bucks for five machines. What a deal.
Dr. SHACHAM: Plus $900 shipping.
(Soundbite of laughter)
FLATOW: Shipping and handling is always a lot more than the product. Anyhow, I'm digressing. Go ahead. Tell us what you did.
Dr. SHACHAM: So what we found is that an attacker who has brief physical access to the machine the night before an election - for example, when it's left unattended outside a polling place - is able to manipulate the machine in such a way that he can induce it to misbehave the next day, on election day, and appear to run the election faithfully but then shift votes at the end of the day from one candidate to another.
And in this way, the findings dovetail with those that previous studies have found for other voting machines, and in fact for other studies of the same voting machine, but along the way we had a couple of different features to - what we found that we think have larger implications for voting security.
FLATOW: Such as?
Dr. SHACHAM: Well, first, our study, unlike most of the previous studies, was conducted without source code. Source code is the blueprints that specify how a machine's software behaves, and the voting venders, and in fact most software manufacturers, keep the source code carefully guarded.
They don't distribute it or make it available to researchers and certainly don't make it available to attackers, and because many of the previous studies actually have used the source code because they were conducted under the aegis of, for example, a secretary of state who was able to negotiate access, some critics, some venders, some voting officials, in fact, have argued that these studies represented an unrealistic amount of access, that the researchers could study the machines using information that would simply not be available to actual attackers, and that therefore the breaks that they described would not have been found by those attackers.
FLATOW: So you were able to go in without having to have that propriety source code.
Dr. SHACHAM: Exactly. The only thing that we had to study was the physical artifacts themselves, which is something that an attacker could get, again, by, for example, taking a truck to a polling place and stealing a machine. And it might cost a little bit more. The information is in form that's less convenient and less accessible, but I would argue that the cost in time and money for our study was still quite reasonable and small compared to the amount of money that people actually spend on elections.
FLATOW: Well, if you could get - steal a machine - I shouldn't say steal a machine. If someone could steal a machine, or you could buy a machine and look at the machine and not have to have the source code and then go in and hack the machine the night before, it doesn't say very much about the security of electronic voting, does it?
Dr. SHACHAM: Well, I think more than that, what it says is, first of all, that writing software and designing systems is hard, and software has bugs, and that's not altogether surprising. Certainly all the software that we use every day has bugs, and perhaps what it says more is that relying on either having software and systems that are perfect and never make mistakes or on having the system make mistakes only in ways that attackers would not be smart enough to be able to find, for example by stealing and analyzing a machine, is not a good way to build trust in elections.
FLATOW: So what would be the best way to do that? What would you recommend for - your best list, your best way to run an election?
Dr. SHACHAM: So I think what we need is we need some system whereby the voters can see an independent record of their vote so that they can check is actually what is recorded the way that they intended the vote to be cast, and right now the best way that we know how to do that is with paper.
In other words, if I see that I wanted to vote a particular way, and I see paper that has that writing, then I can check that that's correct, and then that can be counted separately from any sort of machine misbehavior, whether intentional or unintentional, later by the voting officials or by other observers.
FLATOW: So if you had a paper ballot that was marked, and then that ballot was kept and fed through the machine and stored later, you'd have a paper record, and you'd be able to match and verify what it said on the machine versus what you put on the paper.
Dr. SHACHAM: Exactly. And at the very least, you would have two independent records - namely, what the machine thinks the outcome the election was and what the stack of paper thinks the outcome of the election was, if you recounted it all by hand. And you would be able to compare and, in an ideal scenario, to perform audits that give you statistical confidence that the election was, in fact, decided the way that you think it was.
FLATOW: If I hear you saying that basically any machine can be hacked because they're computers, and these machines are secured, it says to me that remote voting, like we talk about possibly some day Internet voting, is an even less secure way of voting, and we shouldn't be aiming for that. Would that be correct?
Dr. SHACHAM: So Internet voting brings a whole bunch of additional complications, but certainly Internet voting in the typical formulation, where people actually vote at home on their home computers, is voting with computers, because computers are involved, and so all the same risks apply, and all the same reasons apply why you might want to have paper records, at least as an additional component.
When you vote on the Internet, you have the additional complications, for example, of having the votes transmitted over a public network that someone might want, for example, to shut down to keep certain people in a district that he knows to lean the wrong way from voting.
FLATOW: 1-800-989-8255. We're also on Twitter. You can tweet us @scifri, @-S-C-I-F-R-I. Let's go to Otis in Louisiana. Hi, Otis.
OTIS (Caller): Hi, how are you, sir?
FLATOW: Fine. How are you? Go ahead, please.
OTIS: All right. Since we happen to use those machines in Louisiana, my question is, is that if you manipulate one machine, can you use that same information to manipulate the machine next to it, or would you have to create a different thing for the different machine? Are the machines unique?
FLATOW: Good question.
Dr. SHACHAM: So I should say first that the version of the Sequoia AVC Advancers that we studied is not exactly the version that's in use in Louisiana, and so the particular flaw that we exploited, we don't know whether it applies to the Louisiana machines.
Beyond that, based on the machines that we studied, most of the hard work that's required to come up with the attack is something that can be done once for the particular class of machines.
Dr. SHACHAM: The particular thing that you need to stick into the machine the night before, when you have your few moments' access, is slightly different depending on the machine that you're - the actual physical machine that you're working on, but that's not really a lot of work to produce.
OTIS: But once you've figured out what you're doing, you would have to have access to each machine.
Dr. SHACHAM: That's right. This is not a wholesale attack in the sense that it's possible to take over an entire county's machines without having to manipulate each one.
FLATOW: But would anybody who operates the machine know that it had been hacked?
Dr. SHACHAM: Our demonstration attack, as far as we know, leaves really just one small signal that something is not quite right, and we think that that might easily be missed. Otherwise, it's a perfect simulation, as far as we know, of an election, and certainly an attacker who was more motivated to keep his attack stealthy might be able to improve on what we did.
FLATOW: Could you make it show any number of votes that you want to, from one to, what, a million or a thousand more in the machine?
Dr. SHACHAM: Absolutely. We are effectively, and this is the other new twist to our findings - we're effectively running arbitrary code on the machine despite the fact that we're not injecting code, and so we are able simply to rewrite the machine's conception of what has happened, of what votes were cast and how they were cast, however it is that we want.
So we can have a machine report that of the five votes cast four went to Benedict Arnold and one went to George Washington rather than all five to Washington. Or we could claim that, in fact, a million votes had been cast. That is, of course, something that might stand out when the officials are looking at their machine.
FLATOW: Yeah. That would be, as we say, a dead giveaway. But if you want it to be - if all the machines - if you have 100 machines locked up in the same place, how fast could you change 100 machines overnight?
Prof. SHACHAM: We haven't timed the actual procedure that's required. There's a certain element of practice. You have to pick some of the locks that are on the outside. But certainly it's a paralizable operation in the sense that if you have 100 machines all in a warehouse, then you might have 10 people go in and each one do 10. And that would be faster than having one person run through all the machines.
FLATOW: David in Kansas City, hi. Welcome to SCIENCE FRIDAY.
DAVID (Caller): Hey, Ira.
FLATOW: Hi there.
DAVID: I'm actually an election worker here for the - for Johnson County, Kansas. And I've got sort of two comments on this. One is, you know, it strikes me that the notion of affecting a single machine or even a handful of machines in a way he described is sort of ineffective.
I mean, it's sort of low-payoff behavior. To affect one machine in one precinct is going to have a real minimal effect compared to, say, hacking into the central tabulation machines in the state capital.
FLATOW: Well, you might want to ask Norm Coleman about that in Minnesota.
(Soundbite of laughter)
DAVID: Well, I know that, I know that, you know, there's a lot of people who think that, you know, impact on a few individual machines, you know, could have a big effect.
And then the other comment I've got is on the notion of having a sort of a receipt. You know, we've got several hundred years of practicing elections, the whole point of which has been to keep the ballots secret, to not have any kind of proof as to how a particular - which way a particular person voted. You know, the notion of that was to prevent voter fraud. You give him a receipt, they take it back to, you know, whoever put them up to this and they can prove how they voted…
DAVID: …you know, in order to get their payoff or whatever. The whole notion was to keep it secret. This really hasn't been an issue until, you know, the last few years, where suddenly now the entire process has become untrustworthy.
So, you know, I think it's more a matter of - it may take a while for people's perceptions and ideas about how a ballot, you know, an election ought to be run to change.
FLATOW: Yeah. Well, thanks for calling.
DAVID: All right. Thanks.
FLATOW: Good luck to you. 1-800-989-8255. We're talking about voting machine problems on SCIENCE FRIDAY from NPR News.
I'm talking with Hovav Shacham. So where do you go from here? Do you have another trick up your sleeve here?
Prof. SHACHAM: Well, I should say that the one trick that we have already had up our sleeve is that the voting machine that we studied, the AVC Advantage, when we were performing the reverse engineering, we discovered that it included a defense that appeared to prevent exactly the attacks that we were able to carry out.
And the way that that defense worked was that the traditional way when an attacker, for example, finds a flaw in Windows or Firefox or some other software program, that he takes advantage of that flaw is that he loads into that program's memory new code, new machine instructions that specify how he wants that program to misbehave. And then he uses the flaw to induce the program to run that code effectively. This is like installing a new program on your computer and having that program run. And then the program does whatever it is that the attacker wants to have happen, to send out spam, for example.
The Sequoia AVC Advantage does not allow that. It has a defense where it will simply not execute new instructions, a new program loaded into its writable memory, the memory that we're able to affect. The only place that it'll load programs from is from the writable - sorry - from the unwritable, read-only chips that are stored inside the machine that we would have to open up the case to replace by hand.
FLATOW: So you sort of have invented sort of a vaccine to prevent the infection?
Prof. SHACHAM: So in a sense, I think the designers of the AVC Advantage thought that they had…
Prof. SHACHAM: …created this vaccine. But, in fact, using a new technique called return-oriented programming, we were able to work around that.
FLATOW: I see.
Prof. SHACHAM: And the way that return-oriented programming works in the somewhat morbid analogy that my co-author, Alex Halderman, came up with is the way that a kidnapper, instead of writing down a ransom note in his own handwriting, would take magazine headlines and cut them up and rearrange the pieces to form the message that he wants to send.
FLATOW: Is there a way to protect your kind of hacking in these machines?
Prof. SHACHAM: We don't believe that return-oriented programming can be effectively defended…
Prof. SHACHAM: …defended against. But the - kind of the bigger lesson with this sort of attack that recombines instructions that are already present and puts them together to create the functionality that we actually wanted to induce the machine to undertake, the vote stealing functionality, is that it wasn't actually devised until 2007, which was some two decades after the machine was created.
And so what this really says is that when you design a voting machine that's going to have a service lifetime of two decades, three decades, even more, you have to design to defend not against just the attacks that you know about, but even attacks that haven't even been devised, unknown attacks.
And that, to us, seems like an extremely difficult engineering challenge because you have to build in effectively security tolerances that we don't really understand.
FLATOW: All right.
Prof. SHACHAM: And so we think that the right way to proceed is to sidestep this whole thing and, again, to go to paper.
FLATOW: To go to paper and then do the - and then you have the ballots and you'll have the ability to re-read them over and over again. And you can actually take the paper offsite, right? You can store the real ballots, the used ballots someplace else and be able to read them again.
Prof. SHACHAM: That's right. I should mention, by the way, in answer to the call, that I didn't mean to imply that there's a receipt that the voter gets to take home, because, again, that is exactly what enables vote buying or voter coercion. You either have what's called the voter-verifiable paper audit trail attached to these electronic voting machines that's sort of under glass in a printer where the voter can observe, but not manipulate or take home that printout, or you have paper ballots. And in either case, this has to make it back to county headquarters and be audited and recounted.
FLATOW: Okay. Thank you very much for those suggestions.
Prof. SHACHAM: Thank you.
FLATOW: We're talking with Hovav Shacham, who is joining us by Palo Alto, California. He's professor of computer science at UC San Diego Jacobs School of Engineering.