Tests in Leon County, Florida, Demonstrate Ease of Vote Count Hacking

Election officials shown need for paper ballots

By Tony Bridges 
First published by the Tallahassee Democrat, June 4, 2005

All it takes is the right access.

Get that, and an election worker could manipulate voting results in the computers that read paper ballots – without leaving any digital fingerprints.

That was the verdict after Leon County Elections Supervisor Ion Sancho invited a team of researchers to look for holes in election software.

The group wasn’t able to crack the Diebold system from outside the office. But, at the computer itself, they changed vote tallies, completely unrecorded.

Sancho said it illustrates the need for tight physical security, as well as a paper trail that can verify results, which the Legislature has rejected.

Black Box Voting, the non-profit that ran the test and published a report on the Internet, pointed to the findings as proof of an elections system clearly vulnerable to corruption.

But state officials in charge of overseeing elections pooh-poohed the test process and dismissed the group’s report.

“Information on a blog site is not viable or credible,” said Jenny Nash, a spokeswoman for the Department of State.

It went like this:

Sancho figured Leon County ‘s security could withstand just about any sort of probing and wanted to prove it.

He went to one of the most skeptical – and vocal – watchdogs of election procedures. Bev Harris, founder of Black Box Voting, had experience with voting machines across the country.

She recruited two computer-security experts and made the trip to Tallahassee from her home in Washington state three times between February and late May.

Leon County is one of 30 counties in Florida that use Diebold optical scanners. Voters darken bubbles on a sheet of paper, sort of like filling in the answers on the SAT, and the scanners read them and add up the numbers.

So the task was simple. Get in, tamper with vote numbers, and get out clean.

They made their first attempts from outside the building. No success.

Then, they sat down at the vote-counting computers, the sort of access to the machines an employee might have. For the crackers, security protocols were no problem, passwords unnecessary.

They simply went around them.

After that, the security experts accomplished two things that should not have been possible.

They made 65,000 votes disappear simply by changing the real memory card – which stores the numbers – for one that had been altered.

And, while the software is supposed to create a record whenever someone makes changes to data stored in the system, it showed no evidence they’d managed to access and change information.

When they were done, they printed the poll tapes. Those are paper records, like cash register tape, that show the official numbers on the memory cards.

Two tapes, with different results. And the only way to tell the fake one?

At the bottom, it read, “Is this real? Or is it Memorex?”

“That was troubling,” Sancho said.

Leon County more secure

A disaster?

Not exactly.

In Leon County , access to the machines is strictly controlled, limited to a single employee. The memory cards are kept locked away, and they’re tracked by serial number.

Those precautions help prevent any tampering.

“You’ve got to have security over the individual who’s accessing the system,” Sancho said. In fact, “you’ve got to have good security and control over every step of this process.”

The trouble is, not every county is as closely run.

In Volusia County , her group has found what they think was memory-card tampering during the 2000 election. More than 16,000 votes for Al Gore vanished.

Harris said her research turned up memos – obtained from the elections supervisor’s office – that blamed the failure on an extra memory card that showed up, and disappeared, without explanation.

She believes that was an attempt to change the outcome of the election, but one carried out clumsily. The test in Leon County proved it was possible, if done by more experienced computer programmers, she said.

So what does the Department of State say?

Nash, the spokeswoman, said that the Diebold systems were designed to be used in secure settings, and that, by giving the testers direct access to the computers, Sancho had basically allowed them to bypass security.

In other words, not much of a test.

Except that the security experts were given only as much opportunity as any other election worker would have. Less so, considering that Sancho did not provide them with passwords or any other way to actually get into the programming.

As for the exact vulnerabilities that Harris reported – and Sancho confirmed – Nash said no one from the state could comment, since they hadn’t been present at the test.

She added later that Sancho could request help from state certifiers if he had concerns, but had not asked yet.

© 2005 Tallahassee Democrat