Hursti Hack
Three voting machine hacking tests have been performed by Finnish computer expert Harri Hursti for the nonprofit elections watchdog group Black Box Voting [ [http://www.blackboxvoting.org Black Box Voting site] ] and the producers of the HBO documentary Hacking Democracy [ [http://www.hackingdemocracy.com hackingdemocracy.com website] ], who filmed it. The first two Hursti Hacks were set up in Leon County, Florida, with the authorization of Supervisor of Elections Ion Sancho, and these tests examined a Diebold Election Systems (DES) Accu-Vote OS 1.94w (optical scan) voting machine. The third Hursti test was conducted for Black Box Voting in collaboration with Bruce Funk, then-County Clerk of Emery County, Utah, on a Diebold TSx touch-screen.
Hursti Memory Card Hacks
The tests by Hursti were the third (May 26, 2005) and fourth (Dec. 13, 2005) in a series of five voting machine examinations produced by the Black Box Voting group. The first four tests were authorized by Supervisor of Elections for Leon County, Ion Sancho, to ascertain whether votes could be altered on a Diebold voting machine. Tests on Feb. 14, 2005 and May 2, 2005 were conducted on the Diebold GEMS central tabulator by Herbert Hugh Thompson, who proved that results reports could be altered without a password by using a Visual Basic script. The third and fourth tests were memory card tests performed by Hursti. The fifth test took place with both Hursti and Thompson in Emery County, Utah.
During Hursti's first memory card hack on May 26, 2005, he altered the program that creates the "poll tapes", or voting machine results reports. However, this hack would be detected if the supervisor of elections compared the poll tape results with the GEMS central tally report. The GEMS tally report can be hacked to match, as demonstrated during two earlier Black Box Voting projects in Leon County with Herbert Thompson. Thompson successfully manipulated the GEMS tally program using a Visual Basic script.
The May 26 version of the Hursti memory card hack would require two steps to succeed without detection in a vigilant election setting: both the memory card and the GEMS tabulator program would need to have matching hacks. [ [http://www.blackboxvoting.org/BBVreport.pdf Black Box Voting "Hursti I" Report: Critical Security Problem with Diebold Optical Scan] ]
During a videotaped meeting in Cuyahoga County, Ohio, DES Research and Development chief Pat Green stated that checks and balances would detect the tampering and that it would not be possible to alter the votes themselves on the memory card.
However, during the Dec. 13, 2005 testing, Hursti successfully altered the votes on the memory card. His memory card manipulations falsified both the voting machine results tapes and the GEMS central tabulator report. Leon County Supervisor of Elections Ion Sancho stated that he would have had no way to detect the tampering and would have certified the election. [ [http://www.hackingdemocracy.com Cuyahoga meeting and Sancho statement shown in film "Hacking Democracy"] ]
The Hursti memory card hack performed in Leon County on Dec. 13, 2005 is a variation on stuffing the ballot box prior to any votes being cast. Hursti had pre-loaded the memory card, giving one candidate 5 positive votes and one candidate 5 negative votes, to create a "zero report." This keeps the machine's count of votes cast consistent with the number of voters.
Actual paper ballots were used, pre-printed with the following question: "Can the votes on this Diebold system be hacked using the memory card?"
The participants were:
*Ion Sancho, Supervisor of Elections, Leon County, Florida
*Thomas James, Information Systems Officer for Leon County, Florida
*Bev Harris, Black Box Voting founder
*Kathleen Wynne, Black Box Voting Associate Director
*Harri Hursti, computer programmer and security expert
*Hugh Thompson, application security expert and Ph.D. in math
*Susan Bernecker, former Republican candidate for New Orleans city council
*Susan Pynchon, Director of Florida Fair Elections Coalition
The test election
Since Hursti was the technical advisor, he was asked by Sancho to remain outside of the test area. Selection of the voting machine was done by random draw. Machine #15191 was pulled as the random machine. [Transcribed from "Hacking Democracy" DVD] Hursti only touched the memory card and did not come into contact with any machines.
Seven participants made out their ballots using the opti-scan paper sheets (Hursti remaining outside the test area). Sancho then went to Hursti and gave him a ballot, which Hursti filled out. Hursti then gave Sancho the memory card to insert into the machine. Sancho explained the operation of the machine to those in attendance, then the card was inserted and the machine turned on, which produced the "zero total tape." The tape showed zero votes cast. The test ballots were then inserted into the Diebold machine, followed by the "ender card" (the same size as a ballot), which tells the machine to turn off its counting function and start its reporting function. The machine then produced a paper tape with 7 yes votes and 1 no vote.
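The following is an added example, not code from the original article or from Black Box Voting. It is a simplified model of the +5/-5 preload, showing why a check on totals alone passes while a per-counter zero check or a hand count of the paper ballots flags the card. All function names are hypothetical, and the 2 yes / 6 no ballot split and the choice of which option is preloaded +5 are assumptions picked so that the modelled tape matches the 7 yes / 1 no result reported above.

```python
# Simplified model of the counter preload (added example with constructed
# data; this is not the AccuVote-OS memory card format).

def turnout_check(counters, ballots_cast):
    """Weak check: total recorded votes equals the number of ballots scanned."""
    return sum(counters.values()) == ballots_cast

def nonzero_counters(counters):
    """Pre-election check on raw card counters: each must be exactly zero.
    Returns the names of counters that are not."""
    return sorted(name for name, n in counters.items() if n != 0)

def scan(counters, ballots):
    """Add each scanned ballot to the running counters; returns a new dict."""
    totals = dict(counters)
    for choice in ballots:
        totals[choice] += 1
    return totals

def reconcile(reported, paper_ballots):
    """Audit: compare machine totals with a hand count of the paper ballots.
    Returns {option: (reported, hand_count)} for every mismatch."""
    hand = scan({name: 0 for name in reported}, paper_ballots)
    return {k: (reported[k], hand[k]) for k in reported if reported[k] != hand[k]}

# Card state from the text: one option preloaded +5, the other -5.
# Which option gets +5 is an assumption.
PRELOADED = {"yes": 5, "no": -5}
# Constructed ballots: eight in total; the 2/6 split is an assumption.
BALLOTS = ["yes"] * 2 + ["no"] * 6

if __name__ == "__main__":
    print("sum check before voting passes:", turnout_check(PRELOADED, 0))
    print("non-zero counters on card:", nonzero_counters(PRELOADED))
    tape = scan(PRELOADED, BALLOTS)
    print("results tape:", tape)
    print("turnout check after voting passes:", turnout_check(tape, len(BALLOTS)))
    print("hand-count mismatches:", reconcile(tape, BALLOTS))
```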
This test demonstrated that DES made misrepresentations to Secretaries of State across the nation when DES claimed votes could not be changed on the memory card, the credit card-sized ballot box used by computerized voting machines.
Furthermore, DES wrote a press release referring to the famous vote-changing 'Hursti Hack', stating that "Harri Hursti is shown attacking a DES machine in Florida. But his attack proved later to be a complete sham." [ [http://www.hackingdemocracy.com/ Diebold Attacks "Hacking Democracy"] ] In response to the test election, California's Secretary of State commissioned a special report by scientists at UC Berkeley to investigate the Hursti Hack. Page 2 of their report states: "Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server." [ [http://www.hackingdemocracy.com/ Diebold Attacks "Hacking Democracy"] ] [ [http://www6.diebold.com/dieboldes/pdf/hbo_letter.pdf Letter From Diebold] ]
A spokesman for DES said it was similar to "leaving your car unlocked, with the windows down and keys left in the ignition and then acting surprised when your car is stolen." [ [http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500805_pf.html Washington Post, March 25, 2006] ]
The test election was filmed and shown in the conclusion of the 2006 HBO Emmy award nominated documentary, "Hacking Democracy", which premiered November 2, 2006. [ [http://www.hbo.com/docs/programs/hackingdemocracy/synopsis.html "Hacking Democracy," HBO documentary. Retrieved October 16, 2006] ] [ [http://www.hbo.com/docs/programs/hackingdemocracy/index.html HBO Documentary Films. Retrieved Nov. 6, 2006] ]
Examination of the DES TSx touch-screens in Utah
In 2006, Black Box Voting was invited by Emery County, Utah County Clerk Bruce Funk to examine the DES TSx touch-screen. Black Box Voting arranged for the services of Hursti and Black Box board member Jim March, who traveled to Utah March 1 and 2, 2006. Hursti discovered numerous security flaws, the most egregious being the ability to reload the entire operating system and the ability to replace the boot loader simply by inserting a memory card with a specific program name. [ [http://www.blackboxvoting.org/BBVreportIIunredacted.pdf Unredacted Black Box Voting Hursti report on TSx] ] Hursti discovered that the system would accept macros in a manner that posed a risk to election security. Jim March opened the case of the TSx and photographed its interior, discovering a hidden SD wireless slot and piggyback connectors under the standard modem, both enabling the machine to be equipped for wireless communications without the knowledge of election directors. [ [http://www.blackboxvoting.org/BBVreportII-supplement-unredacted.pdf Unredacted supplement to Black Box Voting TSx report] ]
After seeing how serious the problems were, Black Box Voting engaged the services of Herbert Thompson, then head of the security company Security Innovations, to provide an independent opinion. Hursti and Thompson together conducted a second series of tests on March 16 and 17, 2006 to confirm the findings, which prompted emergency warnings and last-minute corrective actions in Pennsylvania, California, and other states. [Technology Daily: States Still Concerned About New Voting Equipment; May 30, 2006]
Wikimedia Foundation. 2010.