
Ohio voting machines have 'backdoor', lawsuit claims

Security of e-voting called into question – again

The software used in Ohio voting machines contains a backdoor that would allow third parties to change electronic votes, claims a lawsuit filed by local Green Party candidate Bob Fitrakis.

The lawsuit, filed on Monday afternoon against Ohio's Republican Secretary of State John Husted, claims that on September 18 he hired Election Systems & Software (ES&S) to provide the electronic voting systems used by the state. ES&S' software is suspect, the complaint states, and it asks the court to allow the use of paper voting in Tuesday's election.

"ES&S has installed a 'back door' into such hardware and software that enables persons who are not under the supervision and control of defendant Husted, and who are not under the supervision and control of Ohio's boards of elections, to access the recording and tabulation of votes," the complaint states.

The software contract was signed off without public bidding or scrutiny, and without being signed off by the state technology review board as is required by local law, the suit claims. There is also an "imminent risk" of outsiders hacking the election results, it states.

In his day job, complainant Fitrakis is a professor of political science at Columbus State Community College and editor of the Freepress.org left-leaning news outlet. He has lined up security experts to testify on his behalf, he says, and the Ohio court is now sitting to consider the issue in a last-minute session.

"An expert, who worked for 37 years for the National Security Agency just told that court that the uncertified and untested software has created vulnerabilities for the Ohio election system and could allow for both a backdoor to tamper the vote and allow for viruses to be inserted," Fitrakis said.

He also claims that the voting machines in question received untested patches on October 31 that haven't been reviewed or certified as safe for use. A similar round of patching occurred just before the 2004 election, he said.

He has also released footage claiming to show problems with voting screens in a Pennsylvania election booth. Votes for Obama were automatically being reassigned for Romney, the video appears to show.

Legal representatives for the Secretary of State are contesting the suit, saying Fitrakis' claims are "ridiculous," Matt McClellan, a spokesman for Husted, told SF Gate. A "reporting tool" was installed into the code that is intended to ease the viewing of results, he said, but that would not affect their integrity.

"We did not touch, update, patch or do anything to the tabulation systems or the voting machines," McClellan said. "There's no vulnerability to the system whatsoever."

In response to the lawsuit, ES&S said it was "frivolous and without merit," and that Fitrakis filed it "with the sole intent of undermining voter confidence." It is confident that the court will find in its favor, it said.

Fitrakis does certainly have an axe to grind on the issue. Last month he claimed that Mitt Romney's son Taggart Romney is a partial owner of Hart Intercivic, which provides election machines used in some of the Ohio districts. The investment house Solamere, set up by Tagg with $10m in seed capital from his parents, along with equity managers HIG Capital, bought control of Hart Intercivic in July last year, he claims.

According to Factcheck.org HIG Capital does own Hart Intercivic, but there's no proof that Tagg's company Solamere has any stake in the voting machine manufacturer, although it does invest in some HIG projects.

"Tagg Romney does not own or control voting machines in Ohio," Factcheck.org states. "There's no evidence that he is even invested in them. There is a lot of money flowing from HIG executives to Romney’s political committees, but that's not evidence of wrongdoing."

Whatever the rights and wrongs of the Ohio case, there are serious problems with electronic voting and security. Around a third of the votes today are going to be cast electronically, especially if you were in the path of "Superstorm Sandy", and the results of most elections will be tabulated on computer.

A case study presented at this year's RSA conference showed how a team of students hacked the Washington DC election board software in a public trial held three weeks before it was to be used in an actual election. In a couple of hours they had spotted a vulnerability and used it to get the drunken Futurama bag o' bolts Bender elected to the head of the Washington DC school board.

None of the voting systems used in US elections is secure, according to Dr. David Jefferson from Lawrence Livermore National Labs, and election hacking is very hard to detect, since the results are seldom examined afterwards for evidence of hacking.

"The states are in the habit of certifying voting systems, typically without testing them or seeing the source code," he said. "In many cases the voting system uses proprietary code that government can't legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse." ®

Bootnote

In a tradition American readers would probably consider quaint, we Britons don't use electronic voting in national elections. There's a very simple reason: pen and paper is more efficient.

To rig an election held in such an archaic manner is very difficult, indeed. For a start, you need a large number of people to fill in the ballot papers needed to turn an election result, and someone is bound to let slip. Secondly, you need to get access to the ballot boxes to swap out the votes, and security on them is very tight and in some cases very public.

Attempts to modernize the system have proven fraught with problems. The introduction of postal ballots has increased voting fraud, and moves to go electronic are being fiercely resisted on the grounds that it would make the situation even more unsafe. Yes, getting the results can be slow, but they can also be checked and verified.

Actually going to a polling booth once every few years isn't a great deal of effort for people, and the resulting surety of a result gives citizens far greater confidence that the end result is fair and just.

Maybe the Americans need to take a look at how things are done in the old country, and learn a little.

Update

US District Court Judge Gregory Frost has refused to issue an injunction to stop electronic voting in the middle of the election. He has, however, left the case open so that it can be returned to later if there is evidence of election fraud.
