Politics : Election Fraud Reports

From: Raymond Duray, 11/18/2004 12:36:43 AM
 
CHUCK HERRIN: How to Hack the Vote: the Short Version

chuckherrin.com

11/13/2004 rev. 11/17/2004

by Chuck Herrin, CISSP, CISA, MCSE, CEH

Enron was a conspiracy theory, too. Were their whistleblowers Crackpots? Were the people who lost their retirements to those corporate criminals just "sore losers"? I've never been part of the "Tin Foil Hat" conspiracy theory crowd. I'm just a voter who happens to be a Professional IT Auditor.

Author’s Note – Did our votes count? More importantly, will they count next time? We in Information Security have been protesting the use of the poorly designed voting machines from Diebold and others, and as a result of their poor implementation and widespread use, our election remains in question and our country remains bitterly divided. Many people feel that their votes didn’t count, and for good reason. THESE SYSTEMS ARE NOT WORTHY OF OUR TRUST! In an effort to bring this to your attention, I have put together this shortened document that will show you exactly how easy it would be to break into Diebold’s GEMS software, which is the software used to tabulate regional voting results. This software runs on regular Windows machines and counts the votes from multiple precincts that may have used touch screens (which have their own problems), optically scanned punch cards, or other balloting methods. It is responsible for the accurate reporting of tens of millions of votes cast using many different types of ballots.

That’s right – even if you used the older systems like punch cards, your vote can still be Hacked when the numbers all come together. Wanna see how easy it is?

I am going to show you, step by step and with screenshots, how an attack against our election system could very easily steal a Statewide or even a National election without leaving a trace. This attack would be easy to carry out, difficult to detect, and exert enormous influence on the results, leaving the humble voter coldly left out of the decision-making process.

Here we go…. Oh wait – let me do some CYA stuff first.

**Important** - I would like to stress that this demonstration was performed locally on a system totally under my control, and no unauthorized access to any computer system occurred. The voting database used was the sample obtained from www.blackboxvoting.org, and this election does not reflect data for any election currently taking place. I want to be very clear that this is only a proof-of-concept demonstration, and at no time was actual voter fraud committed in order to prove a point. THIS IS A DEMONSTRATION ONLY, very similar to the well-documented demonstration Bev Harris performed for Governor Howard Dean recently on National television. Also, GEMS software is a trademark of Diebold, and Windows and Access are both copyrights of Microsoft, Inc.

REQUIREMENTS:

Windows-based PC with 150megs free disk space and 128megs RAM (minimum)

A copy of MS Access.

The GEMS software - freespeech.metacolo.com is one place to get it. There are plenty other places on the web.

A Sample Election Database - speakeasy.seattle.wa.us is one from Cobb county, GA. Again, there are several out there.

With all that out of the way – OK! Let’s get started!

Step One: The Before Picture.

[SEE WEBSITE FOR SCREEN EXAMPLES.]

This is the summary report run based on our sample election from Colorado Springs, CO. This is what the actual, official results looked like before I decided to cast “my vote”.

To get the results, we open GEMS, (username "admin", password "password")

Figure 1 - The opening GEMS screen.

Go to GEMS > Election Summary Report,

Figure 2: Choose the Election Summary Report for our Before Pictures

and here we go! The official Election Summary Report, as of right now. Note the timestamp at 23:59:07 - we'll come back to that in the Audit Log section.

Figure 3: Election summary report – before.

Pay attention to District 3. Here we have Sallie Clark in District 3 winning by a 2/3 majority. But let’s say that for this scenario, Sallie’s daughter is my ex, or she supports gay marriage, or maybe she’s against deficit spending. Whatever – let’s say maybe she’s a Pinko Commie and must be stopped, so let’s have some fun…..

*Note – I do not actually know Sallie Clark or any of these election participants, and therefore cannot speak to her character. Again, this is just a demonstration.*

OK - now we know how the election was supposed to turn out. I do not need the GEMS software to see the results - I could use a software package called JResult (included with the GEMS software) to poll it, or as we'll see below, just go straight to the backend database and view the numbers from there. Having a copy of the GEMS software is not required to Hack the votes. It does show us what the Election Workers can see and what the ultimate vote counts will be.

Step 2: Getting in. The “Hard” Part.

The biggest part of step two is getting into the Windows PC in question, either locally or over a network. This is the hardest part, but if anybody thinks that hacking into a Windows PC is hard, you should not be online right now. As anyone confronted with the continuing barrage of viruses, worms, and Hackers can attest, this part is not really a problem. In fact, let’s run through a few sample ways in, just off the top of my head:

If the GEMS machine is networked - (I have heard conflicting reports as to whether they are or not)

1) Wander into the building, and quietly put a wireless access point on the same network segment as the Tabulation PC, maybe behind a copier somewhere, and then casually come in from across the street using a laptop and wireless card.

We know they're connected by modems, so:

2) Find the telephone number of the office the PC is located in, and use a “war-dialing” program such as ToneLoc to dial all of the numbers in that exchange looking for a hanging modem. This technique was made famous by the 1983 movie “Wargames” and it still works today. These machines typically have hanging modems installed, so this should be a fairly easy way in.

3) Come in through the Internet. It is reported that many of these machines are connected to the Internet to enable results to be queried using JResult to pull data from the central PCs. Windows PCs on the Internet are inherently vulnerable, particularly if they’re not behind a firewall. Since a firewall would prevent the legitimate JResult queries from being made, these machines are likely at extreme risk for being compromised through their Internet connection.

Then there are the REALLY easy ways….

4) If you’re an insider, you already have the phone numbers and any usernames and passwords you may need. Dial into the machine, authenticate normally, and then manipulate the data as explained below.

5) Again, if you’re an insider - walk up to the machine and use the keyboard and mouse. Most poll workers, despite being good, caring people, tend to be political enough to motivate them to volunteer. It’s just human nature to use the tools at your disposal to your advantage, and people have a remarkable knack for justifying even the worst acts if they can convince themselves that the cause is worthwhile.

For more on physical access and ways in, check out Jim March's excellent review at

equalccw.com

With a little time and creativity, other ways in are possible. You have probably already thought of a couple more, haven’t you?

Diebold's best defense to this point, as pointed out by following the link above, is the physical security - if you can't get to them, you can't hack them. But we KNOW that election workers, poll volunteers, and Diebold staff all have access and CAN get in. It would be very easy to write a little script to call into the GEMS machines or have the GEMS machines call back out and modify the results at any time. As Mr. March also points out, the IP address listed in the memo referenced on his site is part of a known block that would have bridged that machine to the Internet. Let's face it, a lot can go on when a machine is connected to a big bank of modems and a lot of people have the numbers, usernames, and passwords.

Also, there is home video of voting machines being taken home and stored by election volunteers. Watch the video at www.votergate.tv. No physical security in that case.

Note for non-technical folks - did you know that in Windows, C: drives are shared out by default? No? Well, they are. But there’s a super-secret Hacker trick to connect to them. You have to call it C$ instead of just C. The $ means it’s a “hidden” drive, but it is still accessible via the network! Pick any Class C (classes are how network addresses are broken up) range of network addresses on the Internet and I’ll guarantee that you can simply “map” someone else’s C: drive over the Internet and browse their hard drives without their knowledge.

Think this couldn't happen? Are you kidding? This happens every minute of every single day. American companies spend Billions of dollars a year trying to protect corporate computer systems from attack - would they do that for no reason?

In any case, once we have access we simply browse the C: drive of the server and go to the C:\program files\GEMS\localDB directory. Here we will find an Access database for each election named <NameOfElection>.mdb. With a copy of Microsoft Access, we open it and find that no, it is not even password protected. The directory it’s in isn’t protected or restricted in any way. The data is not encrypted or even encoded. It is as open as an email message, and this is where all of our voting data is stored. From here, you could add candidates, drop them from the ballots, or delete entire precincts, but all of that is too obvious. A very simple trick would be to switch candidate IDs (see Figure 3 to see what candidate IDs look like), which would cause the vote tallies to simply reverse. In fact, this looks like what may have happened in some Florida counties, where the vote totals were fine, but the party affiliations were almost exactly the reverse of the vote counts. This type of attack would be unlikely to raise much suspicion, since the total number of votes cast and turnout numbers would not change. And since Hacking rule #1 is to not get caught, rather than add Homer Simpson to the race and have him win, we’ll be more “subtle” and just change the results.

Figure 4: The c:\program files\GEMS\localDB folder where all of our valuable data is stored.

This is the Access database that is the back end for the entire system. Potentially hundreds of thousands of votes could be stored here on a central computer with no access control, no passwords, etc. When we open the database and view the Candidate table inside, we see:

Figure 5: The Candidate table

Ah ha! Look at the first and second columns - Sallie’s opponent, Linda Barley, was assigned 550 as a candidate number, and Sallie is candidate number 551.

From the CandV Table in the same database, we see that the Race ID is 221, and that their Key IDs are 541 (Linda) and 542 (Sallie). The Key IDs are what we need to change the vote counts for. Remember that the original vote results were 4209 to 8291, Linda to Sallie. Let’s change that from a 2/3s victory to a shutout victory for the candidate who should have lost.

Step 3: Changing the Votes

I located Linda’s ID, #541, in the CandidateCounter table and simply by clicking on the cell and typing with my number keys, I gave Linda 111 votes for every reporting unit. This isn’t really hacking – this is changing values in a table. Anybody who’s ever used an Excel spreadsheet has done this before.

There were 71 reporting units, so she should have 7881 votes now, an increase of over 3600 votes. I finally found a way to make my vote count! We’ll come back and check the math later to make sure there are no surprises. When you’re stealing an election, you want to make sure it comes out the right way!

Figure 6: Changing the votes inside the CandidateCounter table. This is repeated in the CandidateSummary table, since some records are cross-linked, and I want to know exactly how many votes I’m changing.

Once I was done adding 3672 votes to Linda’s tally, I decided to just wipe out all of Sallie’s votes, making her total 0. Pay attention – I just added 3672 votes to one candidate's results and deleted 8291 votes from another in about 45 seconds! Just click the cell, type 0, click the cell, type 0; I’m wiping out votes by the hundreds. Sallie now has 0 votes - hopefully she was so over-confident that she didn’t bother to vote for herself ;-). A real attacker would likely be more subtle to avoid suspicion, but again, this is a demonstration. Unfortunately, since many of the new machines do not produce a paper ballot, a manual recount would be very difficult, if not altogether impossible. This is a clear violation of many state election laws, but elections officials put them in place anyway. I wouldn’t withdraw $20 from an ATM without a receipt, but I guess my vote isn’t worth that much trouble.

Anyway, now that our results are changed, we save the database, and voilà!

Step 4: Run the new summary report and declare my candidate the winner!

Figure 7: The new summary report with the results the way I wanted them.

Note the final numbers for District 3 – 7881 to 0. Just as I expected, I was able to override the wishes of 11,963 voters and replace their ballots with my own. How hard was that?

My candidate wins in a landslide, although the voters actually voted 2-to-1 for her opponent. This took me about 5 minutes and a moderate exercise of skill. There were no passwords to crack, and all I had to do was figure out the way things were stored in an unprotected, clear text Access database, which fortunately, has been available on the web for quite some time for Hacker-types to practice on. In fact, with the widespread availability of the GEMS software, you can go in and create your own elections to practice on before ever venturing out to touch the real thing.

Step 5: Those Pesky Audit Trails.

But what if someone notices? Now that my work fixing the election is done, all that remains is clearing up the audit trail.

From within the GEMS software, let's look at the audit log:

Figure 8: GEMS > Audit Log

Figure 9: Looking for evidence of tampering. See anything?

Above, we see at 23:59 where I viewed the summary report (Figure 3), then closed the GEMS software at 00:00:16. The next entry is at 00:44:56, when I logged back into GEMS and ran another summary report (Figure 7) at 00:45:08 showing the Hacked results. Note the timestamps on the 2 Summary reports earlier in this document - they correspond exactly to the Election Summary Reports that show our candidate winning, and then losing in a shutout. Do you see any evidence AT ALL in the Audit Logs that the votes were tampered with? We know they were - I just showed you step by step that it was done.

Nope! No evidence - so feel free to ridicule anyone who complains as a conspiracy theorist or whining sore loser!

Now, Diebold officially insists that this cannot be done, but as with this example, this has repeatedly been shown to be false. Diebold's staff knows it - in fact, in a memo by Diebold principal engineer Ken Clark in 2001, he says “Being able to end-run the database has admittedly got people out of a bind though. Jane (I think it was Jane) did some fancy footwork on the .mdb file in Gaston recently. I know our dealers do it. King County is famous for it. That's why we've never put a password on the file before.” (http://www.blackboxvoting.org/Oct2001msg00122.html)

In a particularly humorous and distressing response to Diebold’s assertion that “Generated entries on the audit log cannot be terminated or interfered with by program control or by human intervention”, the folks at www.blackboxvoting.org actually trained a chimpanzee to delete the audit logs from an election database. You read that right – a chimp. Well, since it wasn’t a human or computer, I guess they’re technically correct. Here’s a link. blackboxvoting.org

Another audit log incident occurred during the Washington State primary just six weeks ago. Two interesting events took place here:

1) all entries are absent from the audit log between 9:52 pm and 1:31 am. This includes records of summary reports being printed during that time frame, which is something that is always logged by the system, and shows up when they are printed before and after that block of time. Here is the audit log: blackboxvoting.org

2) Here are copies of the 5 sets of summary reports printed off during that missing time period, complete with timestamps showing that they were printed during that block of time and signed by the elections chief, Dean Logan.

blackboxvoting.org

Can anybody guess what it means when you are missing audit logs for a specific block of time, and known events took place that should be reflected in the logs?

Look at our results again. It means you were Hacked.

Conclusions:

Would you trust your bank account balance if their systems were this easy to hack? As a result of my hands on testing, I have absolutely no faith that my vote was counted or will be in future elections where this software is used. It is simply too easy to change! Any motivated insider or Hacker of moderate skill can change hundreds of thousands of votes with very little effort and almost no chance of being caught.

The best part is that if anyone tries to question the results, you can ridicule them and call them sore losers! Conspiracy theorists! But won’t this be caught in a recount? Check this out - with the new machines, YOU CAN’T DO A RECOUNT! There’s no paper trail. It’s the perfect crime.

This is the democracy we’re exporting to the rest of the world.

You are free to distribute this document in its entirety or link to this page to help get the word out and change the system. Good luck! Let's get this stupid, stupid system fixed and get our democracy back!

Anybody who wants to try this themselves can get the GEMS software and this same sample database from www.blackboxvoting.org or the links earlier in the document. Go for it! Try it yourself - you'll see that it works. For any wannabe Hackers reading this, it doesn’t get any easier than that!

Chuck Herrin, CISSP, CISA, MCSE, CEH

CISSP – Certified Information Systems Security Professional

CISA – Certified Information Systems Auditor

MCSE – Microsoft Certified Systems Engineer

CEH – Certified Ethical Hacker
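
The article's Steps 3 to 5 show table edits made directly in the database file leaving nothing in the application's audit log. As an added example (not part of the original post or of Chuck Herrin's article), this sketch shows one way an auditor could make such edits detectable: a per-row HMAC manifest sealed when results are loaded and re-verified before any report is trusted. An in-memory SQLite table stands in for the Access file; the column names, vote values, key and function names are constructed assumptions, and only the table name `CandidateCounter` and Key IDs 541/542 come from the article.

```python
import hashlib
import hmac
import sqlite3

# Constructed rows: (key_id, reporting unit, votes). Not real election data.
SAMPLE_ROWS = [(541, 1, 60), (541, 2, 55), (541, 3, 62),
               (542, 1, 120), (542, 2, 118), (542, 3, 115)]

def build_db():
    """In-memory stand-in for the tally database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CandidateCounter "
                 "(key_id INTEGER, unit INTEGER, votes INTEGER)")
    conn.executemany("INSERT INTO CandidateCounter VALUES (?, ?, ?)",
                     SAMPLE_ROWS)
    return conn

def row_tag(key, row):
    """HMAC-SHA256 over a canonical 'key_id|unit|votes' encoding."""
    msg = "|".join(str(v) for v in row).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(conn, key):
    """Manifest mapping (key_id, unit) -> tag for every tally row."""
    rows = conn.execute("SELECT key_id, unit, votes FROM CandidateCounter")
    return {(k, u): row_tag(key, (k, u, v)) for k, u, v in rows}

def verify(conn, key, manifest):
    """Report rows whose counts changed, vanished or appeared since sealing."""
    current = seal(conn, key)
    changed = sorted(k for k in current.keys() & manifest.keys()
                     if not hmac.compare_digest(current[k], manifest[k]))
    return {"changed": changed,
            "missing": sorted(manifest.keys() - current.keys()),
            "added": sorted(current.keys() - manifest.keys())}

def demo():
    # Assumption: the key is held by auditors, never on the tabulation PC.
    key = b"constructed-demo-key"
    conn = build_db()
    manifest = seal(conn, key)
    # Simulate the kind of direct table edit the article describes.
    conn.execute("UPDATE CandidateCounter SET votes = 111 "
                 "WHERE key_id = 541 AND unit = 2")
    conn.execute("DELETE FROM CandidateCounter WHERE key_id = 542 AND unit = 3")
    return verify(conn, key, manifest)

if __name__ == "__main__":
    print(demo())
```

Sealing only this table would not catch the candidate-ID swap the article mentions; the candidate-to-ID mapping tables would need the same treatment.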
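
The Washington State incident above turns on one check: independently timestamped artifacts (printed, signed summary reports) that fall inside a window where the audit log is silent. The following is an added example, not part of the original post or of Chuck Herrin's article, showing that reconciliation. The log line format, the dates, the event label and all function names are constructed for illustration and are not the actual GEMS log format; only the 9:52 pm to 1:31 am window mirrors the article.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
REPORT_EVENT = "Summary report printed"  # assumed event label

# Constructed audit log (not real GEMS output); silent from 21:52 to 01:31.
AUDIT_LOG = """\
2000-01-01 21:40:12 | Summary report printed
2000-01-01 21:52:03 | User login
2000-01-02 01:31:44 | Summary report printed
2000-01-02 01:40:10 | User logout
"""
# Constructed timestamps as read off printed, signed summary reports.
PRINTED_REPORTS = ["2000-01-01 21:40:12", "2000-01-01 22:15:00",
                   "2000-01-01 23:30:41", "2000-01-02 00:05:09",
                   "2000-01-02 01:31:44"]

def parse_log(text):
    """Return sorted (timestamp, event) tuples; fail loudly on bad lines."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        stamp, _, event = line.partition(" | ")
        try:
            entries.append((datetime.strptime(stamp.strip(), FMT),
                            event.strip()))
        except ValueError:
            raise ValueError(f"line {n}: unparseable timestamp {stamp!r}")
    return sorted(entries)

def silent_windows(entries, max_silence):
    """Consecutive log entries separated by more than max_silence."""
    times = [t for t, _ in entries]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]

def unlogged(entries, external, tolerance=timedelta(seconds=60)):
    """External report timestamps with no matching audit entry nearby."""
    logged = [t for t, e in entries if e == REPORT_EVENT]
    return [x for x in external
            if not any(abs(x - t) <= tolerance for t in logged)]

def reconcile(log_text, report_stamps, max_silence=timedelta(hours=1)):
    entries = parse_log(log_text)
    reports = sorted(datetime.strptime(s, FMT) for s in report_stamps)
    missing = unlogged(entries, reports)
    gaps = [{"window": (a, b),
             "reports_inside": [r for r in missing if a < r < b]}
            for a, b in silent_windows(entries, max_silence)]
    return {"unlogged_reports": missing, "gaps": gaps}

def demo():
    return reconcile(AUDIT_LOG, PRINTED_REPORTS)

if __name__ == "__main__":
    for gap in demo()["gaps"]:
        a, b = gap["window"]
        print(f"silent {a} -> {b}: {len(gap['reports_inside'])} unlogged reports")
```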