Worried About Voting-Machine Hacking? Get Involved

SAN FRANCISCO -- Anyone concerned about the security of electronic voting machines ought to volunteer to work at a polling place, two experts said Tuesday (April 17) at the RSA Conference here.

An optical-scan voting machine. Credit: Lisa F. Young/Shutterstock

"Let election officials get to know who you are," said Kim Zetter, an information-security journalist who has been covering electronic-voting-machine security for 15 years. "Show them that you know how the process works in your local jurisdiction."

Zetter added that she knows one security expert -- she didn't want to name him -- who started as a poll worker and now advises precincts on how to improve their voting security.

Zetter appeared with Dr. Hugh Thompson, who is now chief technology officer at Symantec but in 2006 appeared in an HBO documentary called "Hacking Democracy." In the movie, Thompson showed how you could alter the results of a local election by using the Microsoft Access database-management program on a Windows-based vote-tabulation machine. No password or special skills were needed.

"You could go into records and rewrite history," Thompson said in a clip from the movie. "The only record of history would be the record that you changed."

Thompson told the RSA Conference audience Tuesday that the voting-machine maker, Diebold, initially "fixed" the problem by simply removing Microsoft Access from the voting machines. Thompson recalled telling Diebold that that wasn't really a solution, and that any program that could open the tabulated-vote file -- even the primitive Notepad text editor included with every edition of Windows -- could also change the voting tabulation.

"Two days later they called again to say they had systemically fixed the problem -- by removing Notepad," Thompson said.

But overall, he said, this work in the mid-2000s by himself, Zetter and others -- not least Bev Harris, who found and publicized the original flaws with Diebold voting machines -- did lead to substantial changes. The entirely touchscreen machines that were widely used from 2001 to 2006, but that left no paper record of the votes cast in the event of a recount, were phased out.

Many states switched to optical-scanner machines, in which the machine reads a paper ballot on which the voter has filled in oval bubbles, or to modified touchscreen machines that spooled out a paper tape that Zetter likened to cash-register tape.

The voter can then make sure his or her vote has been properly tabulated by looking at the tape, which is kept behind a glass window in the machine.

The problem with the cash-register tape, Zetter remarked, is that the paper is thermally printed. In hot weather, the paper can become unreadable.

However, Zetter and Thompson agreed that voting-machine security was not as awful today as it was 10 years ago. That's not to say that the problems are solved. For example, Zetter pointed out, no one outside the companies that make the voting machines knows how they really work. The companies say that their source code is a trade secret, and that anyone who tries to open a machine to examine the code is committing a crime.

"When academics have tried to get into the machines, voting-machine vendors and states have tried to stop it," she said. "Election officials have signed contracts that give machine vendors total control of the machines."

Asked by an audience member whether there was any evidence of vote tampering by Russian or other hackers in the 2016 presidential election, Zetter replied that nothing definite has ever been found.

"But no one has ever looked," she explained. "And in many cases they're prevented from looking. Courts have always sided with the voting-machine vendors."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.