11/17/2004

Republican IT Security Expert: How to Hack the Vote: the Short Version

YOU CAN’T DO A RECOUNT! There’s no paper trail. It’s the perfect crime.



Q: How'd you get involved with this? Aren't you a Republican?

A: I get asked this a lot, and it really shows how focused our country is on partisan politics. I am a voter, first and foremost. That being said, yes, I am a Republican and have been since being sent to Republican Indoctrination Camp at age 2. That's where we are taught supply-side economics and the values of mutually assured destruction. :-)

I got involved with this because I have been against the adoption of these voting systems for years. It's a dumb-ass idea to implement them this way - our votes are too important. I wouldn't trust my Bank with computer systems this insecure; Hell, I wouldn't keep recipes on a system this insecure. When I saw all of the documentation regarding Diebold and their heavy partisan leanings, and then when the results came flooding in with a clear Bush victory when I seriously expected Kerry to win, I put two and two together. I am, by trade, a professional White-Hat Hacker, so I know how easily "secure" systems can be breached, especially by insiders. Roughly 80% of all computer crimes are perpetrated by insiders, so that's always the best place to look first. When the insiders also write the code and roll the machines out, there is no question that they have too much power and can not be trusted, whether they support my party or not. It's called "Segregation of Duties" in the professional world, and it is vital for system integrity.

But that was all theory and conceptual before I tried it myself. I knew that the descriptions and ideas were bad, but I hadn't actually seen a copy of the software. So I went to BlackBoxVoting.org following a link off of some website, I don't remember which, and saw Bev's plea - "Computer Guys - Test it yourself!". I thought, all right, I will. After all, this IS what I do for a living. It's like asking an accountant to balance debits and credits - nothing special, and besides, I was curious. Surely if our states are rolling this out to Hundreds of Millions of voters, somebody checked it. It can't be as bad as these liberal whiners are making it out to be - they're just pissed off that our folks turned out in mass.

What I found truly shocked me, and made me physically ill. That's what is documented on the other page. It IS that bad. I personally don't have conclusive evidence that voter fraud was perpetrated, but I can tell you as an Information Security professional that it would have been very, very easy to do. If I had to choose between someone conspiring with exit poll workers nationwide or someone changing values in an Access Database as the cause of the difference between the poll numbers and the "actual" results, I'll go with the easier, more effective option every time. Why choose the hard way when it's more trouble and you're less likely to succeed? Again, I'm staying clear of making specific allegations - I'll leave that to the activists who are gathering data - but I would be much more surprised if the election weren't hacked than to find out that it was.

It was too easy, the companies were too partisan and unethical, and there was too much at stake for them NOT to hack it. It looked like Bush was going to lose, and they had this tool available to pull out a victory.

Why do I call Diebold partisan and unethical, you ask? How's this:

"I am committed to helping Ohio deliver its electoral votes to the president." - Walden O'Dell, Diebold's CEO in a fundraising letter to Republicans, Fall 2003. O'Dell and other Diebold Senior Executives are Republican "Pioneers", which is the designation you get when you raise over $100,000. His brother is President of ES&S, the #2 vote machine maker, and is also a "Pioneer". Is that partisan enough for you? Well, what about calling them unethical?

Check this out - No less than 5 of Diebold's developers are convicted felons, including Senior Vice President Jeff Dean, and topping the list are his twenty-three counts of felony Theft in the First Degree. According to the findings of fact in case no. 89-1-04034-1:

“Defendant’s thefts occurred over a 2 1/2 year period of time, there were multiple incidents, more than the standard range can account for, the actual monetary loss was substantially greater than typical for the offense, the crimes and their cover-up involved a high degree of sophistication and planning in the use and alteration of records in the computerized accounting system that defendant maintained for the victim, and the defendant used his position of trust and fiduciary responsibility as a computer systems and accounting consultant for the victim to facilitate the commission of the offenses."

To sum up, he was convicted of 23 felony counts of theft by - get this - planting back doors in his software and using a "high degree of sophistication" to evade detection. Do you trust computer systems designed by this man? Is trust important in electronic voting systems?

So here we are - Means, Motive, Opportunity - the whole package. And since the systems are so poorly designed, no audit trail to show any wrongdoing. Add some cries of "conspiracy theories" and "sore losers", and you've got yourself a mandate. Four more years, indeed. Surprise, surprise.

BUT - what happens in 2006 or 2008, now that tens of thousands of activists know about the holes and how easy it is to steal votes? Well, it'll be interesting, that's for sure. These systems appear to be DESIGNED to be easy to Hack, so one can only imagine what will happen. But I for one will embrace President Homer Simpson and will fully support his new 2008 doughnut agenda as a welcome change. I hope that we can all stand together and welcome him as we Republicans continue to bring "dignity back to the White House."




How to Hack the Vote: the Short Version
11/13/2004 Chuck Herrin, CISSP, CISA, MCSE, CEH

http://www.chuckherrin.com/

Enron was a conspiracy theory, too. Were their whistleblowers Crackpots? Were the people who lost their retirements to those corporate criminals just "sore losers"? I've never been part of the "Tin Foil Hat" conspiracy theory crowd. I'm just a voter who happens to be a Professional IT Auditor.
Author’s Note – Did our votes count? More importantly, will they count next time? We in Information Security have been protesting the use of the poorly designed voting machines from Diebold and others, and as a result of their poor implementation and widespread use, our election remains in question and our country remains bitterly divided. Many people feel that their votes didn’t count, and for good reason. THESE SYSTEMS ARE NOT WORTHY OF OUR TRUST! In an effort to bring this to your attention, I have put together this shortened document that will show you exactly how easy it would be to break into Diebold’s GEMS software, which is the software used to tabulate regional voting results. This software runs on regular Windows machines and counts the votes from multiple precincts that may have used touch screens (which have their own problems), optically scanned punch cards, or other balloting methods. It is responsible for the accurate reporting of tens of millions of votes cast using many different types of ballots.
That’s right – even if you used the older systems like punch cards, your vote can still be Hacked when the numbers all come together. Wanna see how easy it is?
I am going to show you, step by step and with screenshots, how an attack against our election system could very easily steal a Statewide or even a National election without leaving a trace. This attack would be easy to carry out, difficult to detect, and exert enormous influence on the results, leaving the humble voter coldly left out of the decision-making process.
Here we go…. Oh wait – let me do some CYA stuff first.

**Important** - I would like to stress that this demonstration was performed locally on a system totally under my control, and no unauthorized access to any computer system occurred. The voting database used was the sample obtained from http://www.blackboxvoting.org/, and this election does not reflect data for any election currently taking place. I want to be very clear that this is only a proof-of-concept demonstration, and at no time was actual voter fraud committed in order to prove a point. THIS IS A DEMONSTRATION ONLY, very similar to the well-documented demonstration Bev Harris performed for Governor Howard Dean recently on National television. Also, GEMS software is a trademark of Diebold, and Windows and Access are both copyrights of Microsoft, Inc.**

REQUIREMENTS:

Windows-based PC with 150megs free disk space and 128megs RAM (minimum)

A copy of MS Access.
The GEMS software - http://freespeech.metacolo.com/GEMSIS-1-18-17.zip is one place to get it. There are plenty other places on the web.

A Sample Election Database - http://speakeasy.seattle.wa.us/jmarch/cobb-corrected-100102-backup.zip is one from Cobb county, GA. Again, there are several out there.

With all that out of the way – OK! Let’s get started!

Step One: The Before Picture.
This is the summary report run based on our sample election from Colorado Springs, CO. This is what the actual, official results looked like before I decided to cast “my vote”.

To get the results, we open GEMS, (username "admin", password "password")
Figure 1: The opening GEMS screen.

Go to GEMS > Election Summary Report,

Figure 2: Choose the Election Summary Report for our Before Pictures
and here we go! The official Election Summary Report, as of right now. Note the timestamp at 23:59:07 - we'll come back to that in the Audit Log section.
Figure 3: Election summary report – before.

Pay attention to District 3. Here we have Sallie Clark in District 3 winning by a 2/3 majority. But let’s say that for this scenario, Sallie’s daughter is my ex, or she supports gay marriage, or maybe she’s against deficit spending. Whatever – let’s say maybe she’s a Pinko Commie and must be stopped, so let’s have some fun…..
*Note – I do not actually know Sallie Clark or any of these election participants, and therefore cannot speak to her character. Again, this is just a demonstration.*
OK - now we know how the election was supposed to turn out. I do not need the GEMS software to see the results - I could use a software package called JResult (included with the GEMS software) to poll it, or as we'll see below, just go straight to the backend database and view the numbers from there. Having a copy of the GEMS software is not required to Hack the votes. It does show us what the Election Workers can see and what the ultimate vote counts will be.
Step 2: Getting in. The “Hard” Part.
The biggest part of step two is getting into the Windows PC in question, either locally or over a network. This is the hardest part, but if anybody thinks that hacking into a Windows PC is hard, you should not be online right now. As anyone confronted with the continuing barrage of viruses, worms, and Hackers can attest, this part is not really a problem. In fact, let’s run through a few sample ways in, just off the top of my head:
If the GEMS machine is networked - (I have heard conflicting reports as to whether they are or not)
1) Wander into the building, and quietly put a wireless access point on the same network segment as the Tabulation PC, maybe behind a copier somewhere, and then casually come in from across the street using a laptop and wireless card.
We know they're connected by modems, so:
2) Find the telephone number of the office the PC is located in, and use a “war-dialing” program such as ToneLoc to dial all of the numbers in that exchange looking for a hanging modem. This technique was made famous by the 1983 movie “Wargames” and it still works today. These machines typically have hanging modems installed, so this should be a fairly easy way in.
3) Come in through the Internet. It is reported that many of these machines are connected to the Internet to enable results to be queried using Jresult to pull data from the central PCs. Windows PCs on the Internet are inherently vulnerable, particularly if they’re not behind a firewall. Since a firewall would prevent the legitimate Jresult queries from being made, these machines are likely at extreme risk for being compromised through their Internet connection.
Then there are the REALLY easy ways….
4) If you’re an insider, you already have the phone numbers and any usernames and passwords you may need. Dial into the machine, authenticate normally, and then manipulate the data as explained below.
5) Again, if you’re an insider - walk up to the machine and use the keyboard and mouse. Most poll workers, despite being good, caring people, tend to be political enough to motivate them to volunteer. It’s just human nature to use the tools at your disposal to your advantage, and people have a remarkable knack for justifying even the worst acts if they can convince themselves that the cause is worthwhile.
For more on physical access and ways in, check out Jim March's excellent review at
With a little time and creativity, other ways in are possible. You have probably already thought of a couple more, haven’t you?
Diebold's best defense to this point, as pointed out by following the link above, is the physical security - if you can't get to them, you can't hack them. But we KNOW that election workers, poll volunteers, and Diebold staff all have access and CAN get in. It would be very easy to write a little script to call into the GEMS machines or have the GEMS machines call back out and modify the results at any time. As Mr. March also points out, the IP address listed in the memo referenced on his site is part of a known block that would have bridged that machine to the Internet. Let's face it, a lot can go on when a machine is connected to a big bank of modems and a lot of people have the numbers, usernames, and passwords.
Also, there is home video of voting machines being taken home and stored by election volunteers. Watch the video at http://www.votergate.tv/. No physical security in that case.
Note for non-technical folks - did you know that in Windows, C: drives are shared out by default? No? Well, they are. But there’s a super-secret Hacker trick to connect to them. You have to call it C$ instead of just C. The $ means it’s a “hidden” drive, but it is still accessible via the network! Pick any Class C (classes are how network addresses are broken up) range of network addresses on the Internet and I’ll guarantee that you can simply “map” someone else’s C: drive over the Internet and browse their hard drives without their knowledge.
Think this couldn't happen? Are you kidding? This happens every minute of every single day. American companies spend Billions of dollars a year trying to protect corporate computer systems from attack - would they do that for no reason?
In any case, once we have access we simply browse the C: drive of the server and go to the C:\program files\GEMS\localDB directory. Here we will find an Access database for each election named .mdb. With a copy of Microsoft Access, we open it and find that no, it is not even password protected. The directory it’s in isn’t protected or restricted in any way. The data is not encrypted or even encoded. It is as open as an email message, and this is where all of our voting data is stored. From here, you could add candidates, drop them from the ballots, or delete entire precincts, but all of that is too obvious. A very simple trick would be to switch candidate IDs (see Figure 3 to see what candidate IDs look like), which would cause the vote tallies to simply reverse. In fact, this looks like what may have happened in some Florida counties, where the vote totals were fine, but the party affiliations were almost exactly the reverse of the vote counts. This type of attack would be unlikely to raise much suspicion, since the total number of votes cast and turnout numbers would not change. And since Hacking rule #1 is to not get caught, rather than add Homer Simpson to the race and have him win, we’ll be more “subtle” and just change the results.
Figure 4: The c:\program files\GEMS\localDB folder where all of our valuable data is stored.

This is the Access database that is the back end for the entire system. Potentially hundreds of thousands of votes could be stored here on a central computer with no access control, no passwords, etc. When we open the database and view the Candidate table inside, we see:
Figure 5: The Candidate table
Ah ha! Look at the first and second columns - Sallie’s opponent, Linda Barley, was assigned 550 as a candidate number, and Sallie is candidate number 551.
From the CandV Table in the same database, we see that the Race ID is 221, and that their Key IDs are 541(Linda) and 542 (Sallie). The Key IDs are what we need to change the vote counts for. Remember that the original vote results were 4209 to 8291, Linda to Sallie. Let’s change that from a 2/3s victory to a shutout victory for the candidate who should have lost.
Step 3: Changing the Votes
I located the Linda’s ID, #541, in the CandidateCounter table and simply by clicking on the cell and typing with my number keys, I gave Linda 111 votes for every reporting unit. This isn’t really hacking – this is changing values in a table. Anybody who’s ever used an Excel spreadsheet has done this before.
There were 71 reporting units, so she should have 7881 votes now, an increase of over 3600 votes. I finally found a way to make my vote count! We’ll come back and check the math later to make sure there are no surprises. When you’re stealing an election, you want to make sure it comes out the right way!
Figure 6: Changing the votes inside the CandidateCounter table. This is repeated in the CandidateSummary table, since some records are cross-linked, and I want to know exactly how many votes I’m changing.
Once I was done adding 3672 votes to Linda’s tally, I decide to just wipe out all of Sallie’s votes, making her total 0. Pay attention – I just added 3672 votes to one candidate's results and deleted 8291 votes from another in about 45 seconds! Just click the cell, type 0, click the cell, type 0; I’m wiping out votes by the hundreds. Sallie now has 0 votes - hopefully she was so over-confident that she didn’t bother to vote for herself ;-). A real attacker would likely be more subtle to avoid suspicion, but again, this is a demonstration. Unfortunately, since many of the new machines do not produce a paper ballot, a manual recount would be very difficult, if not altogether impossible. This is a clear violation of many state election laws, but elections officials put them in place anyway. I wouldn’t withdraw $20 from an ATM without a receipt, but I guess my vote isn’t worth that much trouble.
Anyway, now that our results are changed, we save the database, and voila!
Step 4: Run the new summary report and declare my candidate the winner!
Figure 7: The new summary report with the results the way I wanted them.

Note the final numbers for District 3 – 7881 to 0. Just as I expected, I was able to override the wishes of 11,963 voters and replace their ballots with my own. How hard was that?

My candidate wins in a landslide, although the voters actually voted 2-to-1 for her opponent. This took me about 5 minutes and a moderate exercise of skill. There were no passwords to crack, and all I had to do was figure out the way things were stored in an unprotected, clear text Access database, which fortunately, has been available on the web for quite some time for Hacker-types to practice on. In fact, with the widespread availability of the GEMS software, you can go in and create your own elections to practice on before ever venturing out to touch the real thing.
Step 5: Those Pesky Audit Trails.

But what if someone notices? Now that my work fixing the election is done, all that remains is clearing up the audit trail.
From within the GEMS software, let's look at the audit log:
Figure 8: GEMS > Audit Log
Figure 9: Looking for evidence of tampering. See anything?

Above, we see at 23:59 where I viewed the summary report (Figure 3), then closed the GEMS software at 00:00:16. The next entry is at 00:44:56, when I logged back into GEMS and ran another summary report (Figure 7) at 00:45:08 showing the Hacked results. Note the timestamps on the 2 Summary reports earlier in this document - they correspond exactly to the Election Summary Reports that show our candidate winning, and then losing in a shutout. Do you see any evidence AT ALL in the Audit Logs that the votes were tampered with? We know they were - I just showed you step by step that it was done.
Nope! No evidence - so feel free to ridicule anyone who complains as a conspiracy theorist or whining sore loser!
Now, Diebold officially insists that this cannot be done, but as with this example, this has repeatedly been shown to be false. Diebold's staff knows it - in fact, in a memo by Diebold principal engineer Ken Clark in 2001, he says “Being able to end-run the database has admittedly got people out of a bind though. Jane (I think it was Jane) did some fancy footwork on the .mdb file in Gaston recently. I know our dealers do it. King County is famous for it. That's why we've never put a password on the file before.” (http://www.blackboxvoting.org/Oct2001msg00122.html)
In a particularly humorous and distressing response to Diebold’s assertion that “Generated entries on the audit log cannot be terminated or interfered with by program control or by human intervention”, the folks at http://www.blackboxvoting.org/ actually trained a chimpanzee to delete the audit logs from an election database. You read that right – a chimp. Well, since it wasn’t a human or computer, I guess they’re technically correct. Here’s a link. http://blackboxvoting.org/baxter/baxterVPR.mov
Another audit log incident occurred during the Washington State primary just six weeks ago. Two interesting events took place here:
1) All entries are absent from the audit log between 9:52 pm and 1:31 am. This includes records of summary reports being printed during that time frame, which is something that is always logged by the system, and shows up when they are printed before and after that block of time. Here is the audit log:
2) Here are copies of the 5 sets of summary reports printed off during that missing time period, complete with timestamps showing that they were printed during that block of time and signed by the elections chief, Dean Logan.
Can anybody guess what it means when you are missing audit logs for a specific block of time, and known events took place that should be reflected in the logs?
Look at our results again. It means you were Hacked.
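The lesson of Steps 3 and 5 above is that an application-level audit log can only record what the application itself did; a direct edit of the .mdb file behind its back leaves nothing in Figure 9. The check a defender wants is therefore independent of GEMS: a snapshot of the per-reporting-unit counts taken when the canvass closes and stored where the tabulation PC cannot write, plus consistency checks between the counter rows and the summary totals. The following is an added example written for this page, not code from the post or from Diebold. It models the CandidateCounter and CandidateSummary tables described above as in-memory rows (the column names are assumptions, not the real GEMS schema), spreads the quoted 4209/8291 totals across the 71 reporting units deterministically as constructed sample data, and then runs the same checks over the "7881 to 0" edit, both with and without the summary table also rewritten.

```python
import hashlib
import json

# Constructed sample modelled on the tables the post names: CandidateCounter holds
# one row per candidate and reporting unit, CandidateSummary the per-candidate total.
# Column names below are assumptions for illustration, not GEMS's real schema.
RACE_ID = 221
LINDA, SALLIE = 541, 542          # Key IDs quoted in the post
REPORTING_UNITS = 71              # number of reporting units quoted in the post


def spread(total, units):
    """Deterministically split `total` votes across `units` reporting units."""
    base, extra = divmod(total, units)
    return [base + 1] * extra + [base] * (units - extra)


def build_counter_rows(per_unit):
    """Build CandidateCounter-style rows from {key_id: [votes per unit]}."""
    rows = []
    for unit in range(REPORTING_UNITS):
        for key_id, counts in per_unit.items():
            rows.append({"RaceId": RACE_ID, "CandKeyId": key_id,
                         "ReportUnit": unit + 1, "Votes": counts[unit]})
    return rows


def tally(rows):
    """Sum CandidateCounter rows per candidate (what a summary report prints)."""
    totals = {}
    for row in rows:
        totals[row["CandKeyId"]] = totals.get(row["CandKeyId"], 0) + row["Votes"]
    return totals


def digest(rows):
    """SHA-256 over a canonical serialisation of the counter rows.

    Recorded when the canvass is closed and kept somewhere the tabulation PC
    cannot write to, this is the evidence the GEMS audit log never produces.
    """
    ordered = sorted(rows, key=lambda r: (r["CandKeyId"], r["ReportUnit"]))
    canonical = json.dumps(ordered, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def uniform_unit_counts(rows):
    """Candidates whose count is identical in every unit (the 111-everywhere pattern).

    A heuristic only: real turnout varies between units, so a flat count is a
    prompt to pull the paper or precinct tapes, not proof of tampering by itself.
    """
    by_cand = {}
    for row in rows:
        by_cand.setdefault(row["CandKeyId"], set()).add(row["Votes"])
    return sorted(c for c, values in by_cand.items() if len(values) == 1)


def audit(rows, summary, expected_digest):
    """Return a list of findings; an empty list means the data matches every record held."""
    findings = []
    if digest(rows) != expected_digest:
        findings.append("digest mismatch: counter rows differ from the canvass-time snapshot")
    totals = tally(rows)
    for key_id, recorded in summary.items():
        if totals.get(key_id, 0) != recorded:
            findings.append(f"summary mismatch for candidate {key_id}: counter rows sum to "
                            f"{totals.get(key_id, 0)}, summary says {recorded}")
    for key_id in uniform_unit_counts(rows):
        findings.append(f"candidate {key_id} has the same count in all {REPORTING_UNITS} units")
    return findings


# "Before" picture: 4209 to 8291, as in the post's Figure 3 (constructed spread).
BEFORE_ROWS = build_counter_rows({LINDA: spread(4209, REPORTING_UNITS),
                                  SALLIE: spread(8291, REPORTING_UNITS)})
BEFORE_SUMMARY = tally(BEFORE_ROWS)          # {541: 4209, 542: 8291}
SNAPSHOT = digest(BEFORE_ROWS)               # stored off the tabulation host

# "After" picture: 111 votes in every unit for 541, 0 for 542 (7881 to 0).
AFTER_ROWS = build_counter_rows({LINDA: [111] * REPORTING_UNITS,
                                 SALLIE: [0] * REPORTING_UNITS})
AFTER_SUMMARY = tally(AFTER_ROWS)            # case where CandidateSummary was rewritten too


def demo():
    """Run the checks against the untouched copy and both variants of the edited copy."""
    return {
        "before": audit(BEFORE_ROWS, BEFORE_SUMMARY, SNAPSHOT),
        "after_counter_only": audit(AFTER_ROWS, BEFORE_SUMMARY, SNAPSHOT),
        "after_both_tables": audit(AFTER_ROWS, AFTER_SUMMARY, SNAPSHOT),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

The cross-check between the two tables catches a careless edit of CandidateCounter alone, but the post notes that the same values had to be changed in CandidateSummary as well, and an editor who does that passes it. Only the off-host digest survives that case, which is why the snapshot has to be written by someone other than the people who can open the .mdb, the "Segregation of Duties" point made at the top of the page.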

Conclusions:
Would you trust your bank account balance if their systems were this easy to hack? As a result of my hands on testing, I have absolutely no faith that my vote was counted or will be in future elections where this software is used. It is simply too easy to change! Any motivated insider or Hacker of moderate skill can change hundreds of thousands of votes with very little effort and almost no chance of being caught.

The best part is that if anyone tries to question the results, you can ridicule them and call them sore losers! Conspiracy theorists! But won’t this be caught in a recount? Check this out - with the new machines, YOU CAN’T DO A RECOUNT! There’s no paper trail. It’s the perfect crime.

This is the democracy we’re exporting to the rest of the world.

You are free to distribute this document in its entirety or link to this page to help get the word out and change the system. Good luck! Let's get this stupid, stupid system fixed and get our democracy back!
Anybody who wants to try this themselves can get the GEMS software and this same sample database from http://www.blackboxvoting.org/ or the links earlier in the document. Go for it! Try it yourself - you'll see that it works. For any wannabe Hackers reading this, it doesn’t get any easier than that!
Chuck Herrin, CISSP, CISA, MCSE, CEH
CISSP – Certified Information Systems Security Professional
CISA – Certified Information Systems Auditor
MCSE – Microsoft Certified Systems Engineer
CEH – Certified Ethical Hacker
Email: me at chuckherrin.com
