
E-Voting Hacks Facts

What every security pro should know about the potential for e-voting hackery

As election day comes to a head, so does the discussion of security in electronic voting systems. All over the country, TV news reports indicate operational problems and vulnerabilities with e-voting machines. Change the channel to HBO, and you might catch "Hacking Democracy," the cable network's documentary on security flaws in voting systems. And you can't escape it by going to the movies: Robin Williams' "Man of the Year" is all about a TV commentator who wins the presidency through a glitch in an e-voting system.

And if you're a security professional -- even one who has nothing to do with e-voting -- you're probably getting a lot of questions from friends, executives, and end users about whether e-voting hacks can really happen. Need some fodder to feed these inquiring minds? We thought so.

Here, for use at the water cooler or over election night cocktails, is a look at some of the news and research that have come out on e-voting security since the beginning of September. Keep this little ditty handy and amaze your friends and colleagues into believing you really do know something about security.

  • As of this writing, major news agencies and wire services have reported no security-related problems with voting machines today. There have been scattered reports in several states of programming errors and operations problems in which votes couldn't be cast or were not accurately recorded.

    "Lots of fender benders, but no major tie-ups," said Doug Chapin, director of Electionline.org, a nonpartisan group that tracks voting changes, in a wire report. "It's been a steady drumbeat but nothing that rises to the level of 'This could compromise the results.'"

  • Diebold, the company that makes many of the voting systems covered in "Hacking Democracy," has issued a statement asking HBO to pull the documentary off the air because it contains "significant factual errors." The company says it was "not in the electronic voting business" in 2000, when the events that predicated the documentary occurred.

  • Despite Diebold's protests, two independent university studies released in the last six weeks indicate that there are significant security flaws in its machines. In September, researchers at Princeton issued a report stating that Diebold's AccuVote-TS machines are vulnerable to malware and viruses that could make it easy to steal votes or stuff the ballot box.

    On Oct. 30, researchers at the University of Connecticut's Voting Technology Research Center issued a separate report which states that Diebold's Optical Scan Voting Terminal can be compromised "with off-the-shelf equipment in a matter of minutes" even if its removable memory card is sealed in place. This basic attack could be used to swap votes between candidates or to prevent one candidate's votes from being counted, the researchers say.

  • Problems with voting machines are not limited to Diebold. A study completed last month by a Dutch group called "We Do Not Trust Voting Computers" offers details on flaws in the Nedap/Groenendaal ES3B voting machine, which is used in 90 percent of the voting in the Netherlands as well as some parts of Germany and France.

    The study offers details on how "anyone, when given brief access to the devices at any time before the election, can gain complete and virtually undetectable control over the election results." Following the report, the Dutch government banned the use of some voting machine models for its Nov. 22 election, and officials in Ireland put their plans to use the machines on hold.

Despite the reports, governments across the U.S. and in other countries continue to ramp up their use of e-voting devices, and experts are calling for tougher security assessments of the equipment.

David Wagner, a professor in the Computer Science Division at U.C.-Berkeley, told Congress earlier this year that independent testing authorities used by federal and regional governments are not catching key flaws in voting systems before they allow them to be used. He reported that systems in Tarrant County, Texas counted 100,000 votes that were never cast by voters in 2004.

"The state of electronic voting security is not good," said Wagner. "Many of today's electronic voting machines have security problems."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
