Lawsuit Alleges Backdoor Present in Ohio Voting Machine Software

By Anthony Freed | November 07, 2012

Posted in: Network Security Trends

The elections may be over, but the politics of security in the process will persist unabated. The latest volley in the controversy over the potential for fraud by way of insecure electronic voting machines comes in the form of a lawsuit filed in Ohio by Green Party candidate Bob Fitrakis which alleges that the software provided by contractor Election Systems & Software (ES&S) contains a backdoor which can be exploited to alter vote counts. The suit, filed Monday afternoon, unsuccessfully sought to compel the courts to issue an order to allow only the use of paper ballots in Tuesday's election.

"ES&S has installed a 'back door' into such hardware and software that enables persons who are not under the supervision and control of defendant Husted, and who are not under the supervision and control of Ohio's boards of elections, to access the recording and tabulation of votes," the lawsuit states.

Key to Fitrakis' concerns is the fact that the contract to provide the state with electronic voting systems was not subject to an open bidding process and the technology supplied by ES&S was never scrutinized by the state's technology review board, as is required under existing laws. Fitrakis also claims that on October 31, a series of untested patches to the software were implemented, raising concerns over the security of the systems.

"There is an imminent risk that persons who are not under the supervision and control of defendant Husted, and who are not under the supervision and control of Ohio’s boards of elections, will use the ES&S 'back door' to access the recording and tabulation of votes cast by Ohio voters in the General Election on November 6, 2012 using facilities not under the control of defendant Husted or Ohio’s boards of elections," the complaint filed by attorneys for Fitrakis alleges.

Fitrakis publicly stated that the court heard testimony from an expert with nearly four decades of service with the National Security Agency who confirmed that the use of untested software creates potential vulnerabilities that could be exploited to manipulate the vote count, and Fitrakis pointed to problems with an electronic voting machine in Pennsylvania captured on video as being evidence of weaknesses in these types of automated systems.

"It would be a very significant problem, in more than one way, if election software is buggy," security expert and attorney Rebecca Herold told Security Bistro. "The best way to address the charges would be for the Ohio officials to simply provide documentation that would validate all audits and tests the software had prior to use, and also to validate whether or not patches were actually applied. If such un-tampered documentation does not exist, then they should have an independent and objective third party investigate, do the necessary testing and see if they find any problems and can duplicate the claim that votes were being reassigned as in the provided video."

Representatives for the defendant, Ohio Secretary of State John Husted, refuted Fitrakis' claims of any impropriety or vulnerabilities in the software, and asserted that the suit was brought in part to undermine citizens' confidence in the use of electronic voting machines.

Fitrakis had also made headlines last month with allegations that Taggart Romney, son of Republican Presidential candidate Mitt Romney, held equity in a company called Hart Intercivic which supplied some of the voting machines used in parts of Ohio. An investigation by watchdog group Factcheck.org was unable to confirm Romney had any direct investments in the company, but found he did have investments in other ventures held by the firm HIG Capital, owner of Hart Intercivic.

"In addition to validating the security of the actual software, the other issue that should be looked into is whether or not a relative of a presidential contender has a vested interest in the voting machines and software," Herold said. "Certainly such a situation would present a conflict of interest, and would cast clouds of doubt over any subsequent result (such as in this situation). Why introduce any more controversy into the voting process? Simply prohibit the use of any voting systems and machinery for which one of the candidate's family or team has a vested interest."

This is not the first time the security of electronic voting systems in Ohio has been challenged in court. Filings in the King Lincoln Bronzeville v. Blackwell lawsuit stemming from an unexpected and dramatic shift in the vote count during the 2004 presidential election alleged manipulation by way of a "Man in the Middle" (MitM) type exploit. The suit said tampering may have occurred during the process of transferring the Ohio vote count on election night from one technology vendor to another.

MitM attacks are defined as malicious actors exploiting vulnerabilities in order to insert themselves between digital systems attempting to communicate with one another, potentially allowing attackers to alter data. Researchers at Argonne National Laboratory were able to successfully demonstrate an MitM attack on several brands of voting machines that were used in nearly two-dozen states this election cycle, adding fuel to the fire.

Herold notes that with the expected increase in the use of electronic voting devices, proper testing of systems and transparency in the process of certification will help to dispel concerns over vote count manipulation in the future.

"Having voting machine hardware and code tests performed by an objective, approved third party to certify adequate and appropriate security should be part of the voter system certification process. To start doing so now would help to quash these ongoing and legitimate concerns before we get to our next major election," Herold said.
