RAW STORY's coverage of the news, and the release of the video demonstration of how to hack a Sequoia AVC Advantage electronic voting machine, began this way last week:
"We wanted to find if a real criminal could do this, starting from scratch, with no access to source code or other closely guarded technical information," the announcer begins. "We faced several challenges: getting a voting machine, figuring out how it works, discovering a weakness, overcoming the machine's security features and constructing attack software."
"In the end we found that it is possible to undetectably change votes and that such an attack takes a lot less time and money than one might expect," the announcer said.
A Princeton professor was able to acquire five voting machines for just $82 that had been resold on a government surplus website. The acquired machines were originally sold by Sequoia Voting Systems.
Hacks of our electronic voting systems used to be big news. Now though, it's been done so many times, and is apparently so simple to do, that the news hardly registers in the corporate mainstream media (if it ever did in the first place). Yet, almost nothing has been done about virtually any of it to date.
We reported on the Princeton professor, Andrew Appel, acquiring the five Sequoia AVC machines two and a half years ago, that he was able to pick the lock "in seven seconds", and change the chips inside to do anything he might want the machine to do, including change votes after the close of polls on Election Day. The five machines that Appel purchased for $82 on the Internet were purchased by New Jersey just a few years earlier for $10,000 a piece. The state still uses the same hackable, 100% unverifiable voting machines, despite numerous failures during actual elections.
At the time of Appel's purchase, Sequoia Voting System had been touting their "tamperproof products, including ... the AVC Advantage," which, they said, "are sought after from coast to coast for their accuracy and reliability."...
The video tape demonstration of the new hack (posted below), avers that the chip swap used in the hack can be done while the voting machine is left unattended, which is, as the video notes, a "common practice in many polling places." It certainly is. (See Sequoia voting machines left unattended in two different Riverside County polling locations in 2006, at right.)
While the hack could be accomplished, as suggested by the scientists, by an outsider, an insider, such as an election official, voting machine company employee, or a poll worker who takes the voting machine home in the days prior to the election (a common practice, which has come to be known as a voting machine "sleepover") proves the greatest threat to such systems. As acknowledged by virtually all computer scientists and security experts, and even confirmed by the highly compromised, GOP-operative-created Baker/Carter National Election Reform Commission years ago, the greatest threat to such systems comes from insiders. As even the phony Baker/Carter commission noted: "There is no reason to trust insiders in the election industry any more than in other industries." Thus, there is almost nothing that can be done to protect against such exploits.
But whoever accomplishes this particular hack, the UC San Diego scientists note, the exploit leaves no trace behind and is therefore unlikely to ever be discovered.
In the UC San Diego video demonstration, 3 votes are seen being cast for George Washington during a mock election. But, "after the polls closed, the attacker's invisible software shifts votes." Instead of Washington, the electronic Sequoia voting machine prints out the winner as Benedict Arnold by a 2 to 1 vote margin.
No known electronic voting system, the scientists now argue, is safe. "We demonstrated practical attacks against a specific computer voting machine, the AVC Advantage, but the implications are broader," they note in the video. "Computer security features may not stand the test of time. Providing a lasting safeguard requires a system that voters can verify, such as paper ballots."
They are correct, of course, and no "Luddites" either, as computer scientists and security experts. Though, it should be noted, that while paper ballots --- by definition, "verified" by the voter when they actually fill them in by hand --- are needed, unless they are counted publicly, those too can be easily exploited without detection. [Ed Note: I'll have more on that point shortly, in an article and op/ed I recently wrote for the Commonweal Institute, where I am a Fellow. - BF]
Congressman Rush Holt (D-NJ)'s "Voter Confidence and Increased Accessibility Act" (H.R. 2894) legislation, which we've analyzed in detail, is now working its way through the U.S. House as the leading piece of voting system reform in either chamber. While eventually banning the type of electronic voting systems used in the UC San Diego team's experiment, it would allow them for continued use in the next two federal election cycles, including the 2012 Presidential race. It would then allow for the tabulation of paper ballots by similarly hackable optical-scan systems forever.
Sequoia Voting Systems hackable voting machines are used in fifteen states, including New Jersey (Rush Holt's home state), Missouri, Virginia and the entire state of Nevada, as well as the District of Columbia.
The team that documented this latest hack includes several members of the Princeton team who hacked Diebold's AccuVote touch-screen system in 2006 after we supplied them with the voting machine, as given to us by a Diebold insider. Though it made big quite a splash at the time --- even live on Fox "News" --- when, as with the latest hack, Benedict Arnold was able to defeat George Washington after eye-witnesses watched all the votes being cast in favor of Washington, the same, ironically named Diebold AccuVotes are still in use today. Just like the Sequoia systems.
Professor Ed Felten, one of the members of the original Princeton team, who also worked on the San Diego study, was threatened with a lawsuit, along with Appel, by Sequoia Voting Systems last year. They would be sued, Sequoia informed them, if they carried out an independent inspection of the AVC Advantage, after election officials in NJ asked them to do so following the revelation that the machines had reported incorrect vote totals during the Super Tuesday primary in 2008. (The same machines also failed to boot up at all in several locations on the morning of the primary, causing NJ Gov. John Corzine --- and an untold number of other voters --- to be delayed for at least 45 minutes while officials tried to get the systems to boot in Hoboken.)
Though Sequoia never sued the Princeton scientists, as they'd threatened, an investigative report by The BRAD BLOG would document, ironically enough, that Sequoia doesn't even own the intellectual property rights to the voting machines bearing their name. Rather, the IP rights are owned by once (and still?) parent company Smartmatic, a Venezuelan firm tied to Hugo Chavez, which Sequoia claimed to have divested from once federal officials from the Committee on Foreign Investment in the United States (CFIUS) began questioning the propriety of foreign ownership in a company which supplies, services and programs electronic voting systems in the U.S.. They have been lying to public officials about that point for years.
Despite our report documenting the continuing direct ties between Sequoia and Smartmatic --- even after the company had falsely claimed to have severed their relationship entirely --- neither the corporate media, nor the U.S. government has re-opened their investigation into the matter to our knowledge. And Sequoia voting machines continue to be used across the country, in election after election, despite failure after failure, and hack after hack.
Several of the previous known exploits of electronic voting systems in the U.S., by independent scientists and academics include:
- Diebold optical-scan system, 2005, hacked by Harri Hursti in Leon County, FL (video)
- Diebold touch-screen system, 2006, hacked by Harri Hursti in Emery County, UT
- Sequoia tabulator, accidentally hacked by Michael Shamos in PA (while trying to demonstrate that the system was not hackable)
- Diebold touch-screen system, 2006, hacked by computer scientists at Princeton
- Sequoia Edge DRE, 2007, hacked by computer scientists at U.C. Santa Barbara (video release in 2008)
- Independent tests commissioned by the states of CA, OH and CO all found they were able to hack every system tested. In seconds.
The video of the latest hack of the Sequoia AVC Advantage voting system, by scientists working out of the University of California, San Diego, follows below...
[Thanks to those BRAD BLOG commenters who linked to this study while we're otherwise on the road this week and next, and were not able to respond as quickly as usual! - BF]