Feeds

Ohio voting machines have 'backdoor', lawsuit claims

Security of e-voting called into question – again

Secure remote control for conventional and virtual desktops

Video The software used in Ohio voting machines contain a backdoor that would allow third-parties to change electronic votes, claims a lawsuit filed by local Green Party candidate Bob Fitrakis.

The lawsuit, filed on Monday afternoon against Ohio's Republican Secretary of State John Husted, claims that on September 18 he hired Election Systems & Software (ES&S) to provide the electronic voting systems used by the state. ES&S' software is suspect, the complaint states, and it asks the court to allow the use of paper voting in Tuesday's election.

"ES&S has installed a 'back door' into such hardware and software that enables persons who are not under the supervision and control of defendant Husted, and who are not under the supervision and control of Ohio's boards of elections, to access the recording and tabulation of votes," the complaint states.

The software contract was signed off without public bidding or scrutiny, and without being signed off by the state technology review board as is required by local law, the suit claims. There is also an "imminent risk" of outsiders hacking the election results, it states.

In his day job, complainant Fitrakis is a professor of political science at Columbus State Community College and editor of the Freepress.org left-leaning news outlet. He has lined up security experts to testify on his behalf, he says, and the Ohio court is now sitting to consider the issue in a last-minute session.

"An expert, who worked for 37 years for the National Security Agency just told that court that the uncertified and untested software has created vulnerabilities for the Ohio election system and could allow for both a backdoor to tamper the vote and allow for viruses to be inserted," Fitrakis said.

He also claims that the voting machines in question have received untested patches on October 31 that haven't been reviewed or certified as safe for use. A similar round of patching occurred just before the 2004 election, he said.

He has also released footage claiming to show problems with voting screens in a Pennsylvania election booth. Votes for Obama were automatically being reassigned for Romney, the video appears to show.

Legal representatives for the Secretary of State are contesting the suit, saying Fitrakis' claims are "ridiculous," Matt McClellan, a spokesman for Husted told SF Gate. A "reporting tool" was installed into the code that is intended to ease the viewing of results, he said, but that would not affect their integrity.

"We did not touch, update, patch or do anything to the tabulation systems or the voting machines," McClellan said. "There's no vulnerability to the system whatsoever."

In response to the lawsuit, ES&S said it was "frivolous and without merit," and that Fitrakis filed it "with the sole intent of undermining voter confidence." It is confident that the court will find in its favor, it said.

Fitrakis does certainly have an axe to grind on the issue. Last month he claimed that Mitt Romney's son Taggart Romney is a partial owner of Hart Intercivic, which provides election machines used in some of the Ohio districts. The investment house Solamere, set up by Tagg with $10m in seed capital from his parents, along with equity managers HIG Capital, bought control of Hart Intercivic in July last year, he claims.

According to Factcheck.org HIG Capital does own Hart Intercivic, but there's no proof that Tagg's company Solamere has any stake in the voting machine manufacturer, although it does invest in some HIG projects.

"Tagg Romney does not own or control voting machines in Ohio," Factcheck.org states. "There's no evidence that he is even invested in them. There is a lot of money flowing from HIG executives to Romney’s political committees, but that's not evidence of wrongdoing."

Whatever the rights and wrongs of the Ohio case, there are serious problems with electronic voting and security. Around a third of the votes today are going to be cast electronically, especially if you were in the path of "Superstorm Sandy", and the results of most elections will be tabulated on computer.

A case study presented at this year's RSA conference showed how a team of students hacked the Washington DC election board software in a public trial held three weeks before it was to be used in an actual election. In a couple of hours they had spotted a vulnerability and used it to get the drunken Futurama bag o' bolts Bender elected to the head of the Washington DC school board.

None of the voting systems used in US elections is secure, according to Dr. David Jefferson from Lawrence Livermore National Labs, and election hacking is very hard to detect, since the results are seldom examined after the result for evidence of hacking.

"The states are in the habit of certifying voting systems, typically without testing them or seeing the source code," he said. "In many cases the voting system uses proprietary code that government can't legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse." ®

Bootnote

In a tradition American readers would probably consider quaint, we Britons don't use electronic voting in national elections. There's a very simple reason: pen and paper is more efficient.

To rig an election held in such an archaic manner is very difficult, indeed. For a start, you need a large number of people to fill in the ballot papers needed to turn an election result, and someone is bound to let slip. Secondly, you need to get access to the ballot boxes to swap out the votes, and security on them is very tight and in some cases very public.

Attempts to modernize the system have proven fraught with problems. The introduction of postal ballots has increased voting fraud, and moves to go electronic are being fiercely resisted on the grounds that it would make the situation even more unsafe. Yes, getting the results can be slow, but they can also be checked and verified.

Actually going to a polling booth once every few years isn't a great deal of effort for people, and the resulting surety of a result gives citizens far greater confidence that the end result is fair and just.

Maybe the Americans need to take a look at how things are down in the old country, and learn a little.

Update

US District Court Judge Gregory Frost has refused to issue an injunction to stop electronic voting in the middle of the election. He has however left the case open so that it can be returned too later if there is evidence of election fraud.

New hybrid storage solutions

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.