E-Voting Hacks Facts

What every security pro should know about the potential for e-voting hackery

As election day comes to a head, so does the discussion of security in electronic voting systems. All over the country, TV news reports indicate operational problems and vulnerabilities with e-voting machines. Change the channel to HBO, and you might catch "Hacking Democracy," the cable network's documentary on security flaws in voting systems. And you can't escape it by going to the movies: Robin Williams' "Man of the Year" is all about a TV commentator who wins the presidency through a glitch in an e-voting system.

And if you're a security professional -- even one who has nothing to do with e-voting -- you're probably getting a lot of questions from friends, executives, and end users about whether e-voting hacks can really happen. Need some fodder to feed these inquiring minds? We thought so.

Here, for use at the water cooler or over election night cocktails, is a look at some of the news and research that have come out on e-voting security since the beginning of September. Keep this little ditty handy and amaze your friends and colleagues into believing you really do know something about security.

  • As of this writing, major news agencies and wire services have reported no security-related problems with voting machines today. There have been scattered reports in several states of programming errors and operations problems in which votes couldn't be cast or were not accurately recorded.

    "Lots of fender benders, but no major tie-ups," said Doug Chapin, director of Electionline.org, a nonpartisan group that tracks voting changes, in a wire report. "It's been a steady drumbeat but nothing that rises to the level of 'This could compromise the results.'"

  • Diebold, the company that makes many of the voting systems covered in "Hacking Democracy," has issued a statement asking HBO to pull the documentary off the air because it contains "significant factual errors." The company says it was "not in the electronic voting business" in 2000, when the events that prompted the documentary occurred.

  • Despite Diebold's protests, two independent university studies released in the last six weeks indicate that there are significant security flaws in its machines. In Sept., researchers at Princeton issued a report stating that Diebold's AccuVote-TS machines are vulnerable to malware and viruses that could make it easy to steal votes or stuff the ballot box.

    On Oct. 30, researchers at the University of Connecticut's Voting Technology Research Center issued a separate report which states that Diebold's Optical Scan Voting Terminal can be compromised "with off-the-shelf equipment in a matter of minutes" even if its removable memory card is sealed in place. This basic attack could be used to swap votes between candidates or to prevent one candidate's votes from being counted, the researchers say.

  • Problems with voting machines are not limited to Diebold. A study completed last month by a Dutch group called "We Do Not Trust Voting Computers" offers details on flaws in the Nedap/Groenendaal ES3B voting machine, which is used in 90 percent of the voting in the Netherlands as well as some parts of Germany and France.

    The study offers details on how "anyone, when given brief access to the devices at any time before the election, can gain complete and virtually undetectable control over the election results." Following the report, the Dutch government banned the use of some voting machine models for its Nov. 22 election, and officials in Ireland put their plans to use the machines on hold.

    Despite the reports, governments across the U.S. and in other countries continue to ramp up their use of e-voting devices, and experts are calling for tougher security assessments of the equipment.

    David Wagner, a professor in the Computer Science Division at U.C.-Berkeley, told Congress earlier this year that independent testing authorities used by federal and regional governments are not catching key flaws in voting systems before they allow them to be used. He reported that systems in Tarrant County, Texas counted 100,000 votes that were never cast by voters in 2004.

    "The state of electronic voting security is not good," said Wagner. "Many of today's electronic voting machines have security problems."

    — Tim Wilson, Site Editor, Dark Reading

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
