Recipe for hacking ES&S and Sequoia, Hursti-style


Guest guest


Tue, 3 Jan 2006 21:15:26 -0800 (PST)

Recipe for hacking ES&S and Sequoia, Hursti-style

"update" <update wrote:

 

 

 

Permission to reprint granted, with link to http://www.blackboxvoting.org

 

Hold on to your lugnuts, ES&S and Sequoia may risk Hursti-style hack

 

Dec. 13, 2005: Harri Hursti performs devastating hack in Leon County Florida with Diebold optical scan system, proving he could control votes by manipulating a credit-card-sized memory card.

 

Jan. 3, 2006: Information received pointing to similar vulnerabilities in the ES&S and Sequoia "Optech" optical scan machines.

 

In an exclusive interview by BBV investigator Jim March with Dr. Douglas Jones, University of Iowa associate professor and a former voting machine examiner for the state of Iowa, it was learned that one of the most widely-used voting machines over the last 15 years may suffer from design flaws broadly similar to Diebold's version 1.94 and 1.96 optical scan system.

 

The first problem is that memory chip contents can be modified with easy to obtain reprogramming devices, in ways that could enable Hursti-style hacking.

 

The second problem is that Sequoia and ES&S have been able to force their way into intimate access to the mechanics of democracy. The electronic ballot controls were maintained exclusively by the vendors at the vendor's headquarters rather than by county election staff.

 

Diebold took over total control of elections in counties that allowed it. ES&S and Sequoia didn't give them a choice because of the system's design. This effectively removed county officials from their proper oversight role.

 

ORIGINS OF THE OPTECH MACHINE

 

Two of the four major voting machine companies have been using an identical machine, the Optech, originally produced by Business Records Corp (BRC).

 

BRC was the largest voting machine company in America when ES&S purchased it in 1997. The SEC objected on anti-trust grounds, and in the resulting decision, allowed ES&S to purchase BRC, splitting the Optech scanners up between ES&S (service contracts for existing machines) and Sequoia Voting Systems (sales of new machines).

 

Although now being phased out, Optechs have been used for 15 years without a peep from the federal testing labs, and without the public ever being told of their vulnerabilities, nor of the vendor's extraordinary level of control over local elections.

 

SYSTEM DESIGN

 

According to Dr. Jones, the Optech machines are precinct optical scanners originally developed in the late 1980s. They reflect the technology of that period. They are broadly similar to the Global/Diebold optical scanners designed around the same time: These voting machines store votes on removable electronic memory devices and print out an "end of day ticker tape" on paper similar to a cash register tape, providing a precinct total of votes for each candidate and issue.

 

The Optech machines don't use a credit card-sized memory card – rather, they use a memory pack about the size of a pack of cigarettes.

 

This cigarette pack-sized device plugs into the body of the scanner with a proprietary connection. The memory pack provides three things:

 

- A chip ("ROM" memory) which is difficult to modify outside of a factory and contains the programming for the machine ("firmware")
- An "EPROM" chip which is easier to modify (more on that to follow) containing the ballot layout and precinct information
- Battery-powered memory chips to hold the vote totals

 

THE GOOD NEWS

 

As Dr. Jones points out, there's one advantage to this pack design. Honest election officials can separate the scanner body from the pack and send the large bulky scanner out to the field (precinct) days or weeks ahead of the election. Tampering with scanners that are missing the pack isn't really possible (other than to simply vandalize it) because the "brains" aren't present to tamper with. It's the "memory pack" that needs to be held in strict security. The memory pack can later be hand-carried to the precinct by a group of poll workers and plugged into the scanner on election morning.

 

THE BAD NEWS

 

One reason the Hursti hack in Leon County resulted in a failure is that Diebold's memory device holding the votes and critical programs is both read-write (tamperable) and reader/writer devices like the Crop Scanner are available commercially to alter the cards.

 

The ES&S/Sequoia memory pack has a funky connector. It should be even more secure, right?

 

Not exactly.

 

JIM'S RIG-A-VOTE RECIPE

 

1. Unscrew the top of the pack.

 

The most critical chip holding the ballot/candidate/precinct layouts is sitting right there in an easy-access socket.

 

2. Find a chip burner. Once the chip is out with a screwdriver, you can find alteration devices (chip burner) for that chip even more easily than you can find the Crop Scanner.

 

Tip for finding a read/write device: The chip is called an "EPROM" - Electrically Programmable Read Only Memory.

 

Here are some examples:

 

http://www.stag.co.uk/products/EEprom_programmer.htm

http://www.action2k.com/topmax.htm

 

http://www.elettronicaceleste.com/celeste/programmatore_eeprom/sp280_uk.htm

 

3. Put the chip in the chip burner device connected to a PC and read the contents. Edit at will using your PC.

 

4. Peel the sticker off the back of the EPROM, exposing a glass window. This makes the actual silicon surface visible through the glass. It's a neat looking critter, shiny and with lots of tiny circuits that geeks will love.

 

5. Put the chip in a tiny mouse-sized tanning booth. No, we're not kidding – exposure to UV light for 25 minutes erases EPROMs. (Warning: We do not recommend putting in an actual mouse unless you can find very small sunglasses for him.)

 

PICTURE: http://testequip.com//sale/used/pictures/HES2152.jpg

 

6. Put the sticker back on the chip's glass window and put it into the chip burner connected to the PC, and download your tampered code from your PC back to the chip.

 

7. Put the chip back into the "pack" and you're done.

 

We have no reason to think that the security of the chip's contents is any better than in the Diebold environment. While this needs testing, it appears that hacking could cause all votes to be switched between any two candidates simply by altering the chip data.

 

Dr. Jones suggests the possibility of causing a minor party candidate's votes to go to a major party candidate, in addition to the major party candidate's proper votes. This would have the "benefit" of harming small parties, possibly denying them ballot access. Each major party has at least one smaller party that tends to take a small chunk out of them – the Democrats always lose a few candidates to the Greens, the GOP loses a few to the Libertarians. Each major party would like to see their smaller more radical cousin go away, and that sort of hacking could do it.

 

THE WORSE NEWS

 

While moderately advanced hackers should be able to alter the contents of these packs fairly easily, county election officials can't. Therefore, by design, the memory cards need to be programmed inside the vendor's corporate headquarters.

 

WILL THEY DO IT CORRECTLY?

 

Well let's see: ES&S was partially owned by now-Senator Chuck Hagel at the time Hagel won his first major political victory to get into congress. Hagel's victory in the primary was so stunning that it made national news. According to CNN's "All Politics," Hagel hoped he could make lightning strike twice by winning the big prize – and he did.

 

He defeated popular Democratic Governor Ben Nelson who led in the polls since the opening gun in what the Washington Post called "The major Republican upset in the November [1996] election." (more: http://www.blackboxvoting.org/BBV_chapter-3.pdf)

 

Louisiana state elections chief Jerry Fowler was convicted on felony charges of taking bribes from Sequoia officials for system purchase decisions – one of Sequoia's key people, Phil Foster, was indicted but the charges were dropped after a judge concluded that his immunized grand jury testimony couldn't be used against him. (more: p://www.blackboxvoting.org/BBV_chapter-8.pdf)

 

So, is turning over the very foundation of Democracy to ES&S and Sequoia a good idea? We think not.

 

CONCLUSION

 

Nobody at the Federal or state testing labs seems to think like a hacker and tries to find ways to defeat these things. For that matter, nobody is paying attention to the basic ethics of the situation. No one ever asked the American citizens whether we choose to remain a Constitutional Republic versus a Corporate Republic.

 

Black Box Voting would like to do a "test hack" on the Optech with the blessing of public officials in any jurisdiction. Because these machines are not HAVA compliant, they are being phased out. We ask your help in facilitating this opportunity.

"There is only one force in the nation that can be depended upon to keep the government pure and the governors honest, and that is the people themselves. They alone, if well informed, are capable of preventing the corruption of power, and of restoring the nation to its rightful course if it should go astray. They alone are the safest depository of the ultimate powers of government."
-- Thomas Jefferson - END

 

 

-----

 

Black Box Voting is a nonpartisan, nonprofit 501c(3) elections watchdog group supported entirely by citizen donations.

 

To support our work, go to http://www.blackboxvoting.org/donate.html or mail to 330 SW 43rd St Suite K PMB 547 Renton WA 98055

Black Box Voting
