At a recent DefCon security conference, organizers wanted to test how voting machines could be hacked. The result? It took just 90 minutes for the hackers to get into the machines. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, in Washington, DC, says the hack took that long only because the individual had to leave the facility to go buy a USB keyboard. “When he came back, there were two open USB ports on the back of this machine, which was a decertified AVS WINVote,” Hall explains. “He did the ‘three-fingered salute’— the Windows control-alt-delete — and it dropped to Task Manager. Then he could load whatever he wanted. They installed Winamp and played the now-famous Rick Astley song, ‘Never Gonna Give You Up.’” Some of the machines the hackers “attacked” are still in use, but for the most part, they were purchased on eBay or GovDeals (the government version of eBay), Hall says. Most were two or three years old and not running the most current software. Nevertheless, the experiment exposed serious flaws in virtually every type of machine.
Ed Felten, a professor of computer science and public affairs and director of the Center for Information Technology Policy at Princeton University, successfully installed a virus on one of the machines. This surprised even him. “We didn’t realize, when we first started studying these machines about 12 years ago, how vulnerable they would turn out to be,” Felten says. “But over the years, a lot of research [has been done] on the electronic voting machines and in every case, we have found troubles and vulnerabilities.”
Most voting machines are basically computers with a voting interface, so “all of the usual ways of installing software on computers will work,” Felten notes.
“If you’re in a polling place, people might look at you strangely if you were to stick a USB keyboard into a voting machine or something like that, but there are ways to get physical access — hands-on — to voting machines in other settings,” he points out. “And in every case we’ve seen, if you can get your hands on a machine, then you can change what it does. I have a machine in a lounge area outside my office at Princeton that some students reprogrammed into a Pac-Man machine.”