Feeds

Ohio voting machines have 'backdoor', lawsuit claims

Security of e-voting called into question – again

Choosing a cloud hosting partner with confidence

Video The software used in Ohio voting machines contain a backdoor that would allow third-parties to change electronic votes, claims a lawsuit filed by local Green Party candidate Bob Fitrakis.

The lawsuit, filed on Monday afternoon against Ohio's Republican Secretary of State John Husted, claims that on September 18 he hired Election Systems & Software (ES&S) to provide the electronic voting systems used by the state. ES&S' software is suspect, the complaint states, and it asks the court to allow the use of paper voting in Tuesday's election.

"ES&S has installed a 'back door' into such hardware and software that enables persons who are not under the supervision and control of defendant Husted, and who are not under the supervision and control of Ohio's boards of elections, to access the recording and tabulation of votes," the complaint states.

The software contract was signed off without public bidding or scrutiny, and without being signed off by the state technology review board as is required by local law, the suit claims. There is also an "imminent risk" of outsiders hacking the election results, it states.

In his day job, complainant Fitrakis is a professor of political science at Columbus State Community College and editor of the Freepress.org left-leaning news outlet. He has lined up security experts to testify on his behalf, he says, and the Ohio court is now sitting to consider the issue in a last-minute session.

"An expert, who worked for 37 years for the National Security Agency just told that court that the uncertified and untested software has created vulnerabilities for the Ohio election system and could allow for both a backdoor to tamper the vote and allow for viruses to be inserted," Fitrakis said.

He also claims that the voting machines in question have received untested patches on October 31 that haven't been reviewed or certified as safe for use. A similar round of patching occurred just before the 2004 election, he said.

He has also released footage claiming to show problems with voting screens in a Pennsylvania election booth. Votes for Obama were automatically being reassigned for Romney, the video appears to show.

Legal representatives for the Secretary of State are contesting the suit, saying Fitrakis' claims are "ridiculous," Matt McClellan, a spokesman for Husted told SF Gate. A "reporting tool" was installed into the code that is intended to ease the viewing of results, he said, but that would not affect their integrity.

"We did not touch, update, patch or do anything to the tabulation systems or the voting machines," McClellan said. "There's no vulnerability to the system whatsoever."

In response to the lawsuit, ES&S said it was "frivolous and without merit," and that Fitrakis filed it "with the sole intent of undermining voter confidence." It is confident that the court will find in its favor, it said.

Fitrakis does certainly have an axe to grind on the issue. Last month he claimed that Mitt Romney's son Taggart Romney is a partial owner of Hart Intercivic, which provides election machines used in some of the Ohio districts. The investment house Solamere, set up by Tagg with $10m in seed capital from his parents, along with equity managers HIG Capital, bought control of Hart Intercivic in July last year, he claims.

According to Factcheck.org HIG Capital does own Hart Intercivic, but there's no proof that Tagg's company Solamere has any stake in the voting machine manufacturer, although it does invest in some HIG projects.

"Tagg Romney does not own or control voting machines in Ohio," Factcheck.org states. "There's no evidence that he is even invested in them. There is a lot of money flowing from HIG executives to Romney’s political committees, but that's not evidence of wrongdoing."

Whatever the rights and wrongs of the Ohio case, there are serious problems with electronic voting and security. Around a third of the votes today are going to be cast electronically, especially if you were in the path of "Superstorm Sandy", and the results of most elections will be tabulated on computer.

A case study presented at this year's RSA conference showed how a team of students hacked the Washington DC election board software in a public trial held three weeks before it was to be used in an actual election. In a couple of hours they had spotted a vulnerability and used it to get the drunken Futurama bag o' bolts Bender elected to the head of the Washington DC school board.

None of the voting systems used in US elections is secure, according to Dr. David Jefferson from Lawrence Livermore National Labs, and election hacking is very hard to detect, since the results are seldom examined after the result for evidence of hacking.

"The states are in the habit of certifying voting systems, typically without testing them or seeing the source code," he said. "In many cases the voting system uses proprietary code that government can't legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse." ®

Bootnote

In a tradition American readers would probably consider quaint, we Britons don't use electronic voting in national elections. There's a very simple reason: pen and paper is more efficient.

To rig an election held in such an archaic manner is very difficult, indeed. For a start, you need a large number of people to fill in the ballot papers needed to turn an election result, and someone is bound to let slip. Secondly, you need to get access to the ballot boxes to swap out the votes, and security on them is very tight and in some cases very public.

Attempts to modernize the system have proven fraught with problems. The introduction of postal ballots has increased voting fraud, and moves to go electronic are being fiercely resisted on the grounds that it would make the situation even more unsafe. Yes, getting the results can be slow, but they can also be checked and verified.

Actually going to a polling booth once every few years isn't a great deal of effort for people, and the resulting surety of a result gives citizens far greater confidence that the end result is fair and just.

Maybe the Americans need to take a look at how things are down in the old country, and learn a little.

Update

US District Court Judge Gregory Frost has refused to issue an injunction to stop electronic voting in the middle of the election. He has however left the case open so that it can be returned too later if there is evidence of election fraud.

Intelligent flash storage arrays

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.