While not an exhaustive treatment, the point of this writing is to explain how a person or group of people with little knowledge of the inner workings of Direct Recording Electronic (DRE) voting machines could influence the outcome of the 2004 Presidential Election. This writing is based on the following assumptions:
There are two primary classes of targets. The first class contains precincts for which you want to increase the number of votes for your candidate or for which you want to decrease the number of votes for your opponent. The other class contains precincts for which you want to effectively disable any vote-counting procedures, rendering all votes from that precinct suspect or invalid.
Precincts that statistically favor your candidate are ideal choices for the first class of attack, especially if they heavily favor your candidate. Election officials are less likely to re-examine totals that indicate a clear victory, especially when the expected outcome is a clear victory. Large counties are particularly ideal targets, as a difference of hundreds or thousands of votes -- not unrealistic in counties with over a half-million voters -- is locally insignificant, but may swing the outcome of a medium-sized state.
Oregon was won by less than seven thousand votes. Democrats attempting to throw the 2004 election could focus on Multnomah County. Gore got 188441 votes to Bush's 83677; a difference of three percent in this one county -- well within the margin of error of any polling methods -- would double the state-wide margin of victory.
Wisconsin was won by less than six thousand votes. Republicans looking to throw the 2004 election could focus on Waukesha County, where Bush won, 133105 to 64319; again, a county-wide difference of three percent would swing the state from Democrat to Republican.
Even choosing two or three key counties in a swing state would allow an attacker to hide their tampering within the statistical margin of error. Tampering could include adding votes to your candidate's total or subtracting votes from your opponent's total. A healthy mix of these two strategies would help hide your induced irregularities.
The second class of attack involves what is essentially a "denial-of-service" attack. The purpose of this attack is to render suspect the votes from as many precincts as possible in a given county or state. While an investigation would follow, so would a drawn-out legal battle and public outcry, similar to Florida in 2000. Public officials, particularly election officials, would likely rush to provide a "close enough" result as soon as possible.
There are two motivating factors that underlie this assumption on my part. The first is that the events of Florida have made election officials averse to the appearance of problems, and no one wants to have their name in print as having overseen "the next Florida". The second, less likely, motivating factor is the embarrassment of having purchased DRE machines, promoted DRE machines, and then having intense scrutiny come to bear on your now-proven-stupid choice. It is likely that the election officials who become the unwitting victims of such an attacker would perform a cover-up as best they could.
The attackers would need to collect a certain amount of information about the county setup, the internal workings of the DRE machines, and any audit procedures. While this stage is a challenge, the potential benefit is tremendous. An attacker can guess how the flow of federal dollars will change depending on which party sits in the White House, and base their decision of whom to "support" on that alone; no coordination with official party members is necessary.
The following information is necessary:
The first item should be possible to obtain from public county and state records. By law, the vendor must register which version of the software they use and keep a copy of that code in escrow with the state prior to the election. (Note, however, that numerous reports state that vendors completely ignore this requirement, updating the software with untested patches right up to the day of the election in blatant violation of election law. For the moment, we'll make the laughable assumption that the vendors actually follow the law and only install certified software on their machines.)
The next item is more difficult to obtain, but definitely not impossible. Vendors maintain design documents that a well-placed insider could leak; they may not observe proper document destruction techniques (see: dumpster diving); or they may accidentally hire someone working for the attacker. Note that this person does not have to modify the code themselves, or even be a programmer. This person merely has to obtain sufficient documentation and get it into the hands of the correct person. Less obvious (and more difficult to trace) is an outsider who has access to a DRE machine and can reverse-engineer the data storage format. Commercial software such as VMware allows the attacker to run the election software in a controlled sandbox and observe every action taken by the software.
The third item is the last item necessary, and is similarly easy to obtain. The attacker merely has to volunteer as an election judge or official. A more sophisticated intruder could hack into the telephone switches connected to precincts and observe the numbers called around the time of the election's completion. This is a difficult but viable attack. In 1990, Kevin Poulsen diverted all calls going into a Los Angeles radio station, KIIS-FM, allowing himself to be the 102nd caller and win a Porsche. In the 1990s, Kevin Mitnick gained access to the majority of the telephone switches in Las Vegas, allowing him to eavesdrop on or re-route any telephone call; as of 2002, a court case in Las Vegas focused on whether or not a similar attacker had gained such access.
Once you know your target, you can make your final preparations. The centerpiece of this attack is a Windows virus -- available from your friendly local German teenager -- set to modify or destroy results. The virus will alter all records of the final count or will destroy as many ballots as possible. The virus accomplishes this by altering any local copies of the ballots, and altering the contents of any removable media. Studies have shown that at least one major vendor does not use the security features available on removable media that supports them, and it is not unreasonable to assume that this is common practice.
It is election night, and the polls are closing. Election officials in the target precinct are collecting removable media from the DRE machines and inserting them into that precinct's computerized tally. When they are done, the precinct judge goes to modem in the results.
The attacker, monitoring the telephone lines coming into the county or city seat, observes another phone call coming in. The attacker re-routes the call to their local machine, and the precinct machine connects using the Point-to-Point Protocol (PPP). Once the connection is established, the precinct machine transmits its results to the attacker's machine. The attacker accepts the tally, but infects the precinct machine (running, as we know, a pre-determined version of Windows) with the virus. The attacker then phones the county seat, forging the origin of the call, and sends in their modified tally. During the transmission, the county machine is infected as well.
At this point the only valid copies of the votes are on the touchscreen machines and on the removable media. The "final" tally on each precinct machine and on the county machine has been modified or destroyed. Furthermore, if election officials insert untainted removable media into an infected machine, the virus will destroy the ballots on that media.
The virus will attempt to seek out other machines to infect. Many DRE machines connect to the tallying computer at their precinct, usually over a standard Local Area Network (LAN). DRE computers that are connected to the same LAN as the infected tallying machine will receive a copy of the virus. The virus will then either modify or erase the ballots on the various parts of the computer. At this point, the only valid copies of the votes would be on the removeable media. Like the tallying computers, the DRE computers would be programmed to overwrite any PC cards, further increasing the odds that valid copies of ballots would be permanently destroyed.
A particularly nasty twist would be for the virus to tinker with the system BIOS. DRE computers from one vendor are the perfect target; a large, homogeneous population is always susceptible to one strain of a virus. The virus installs a new BIOS that enables password protection and disables booting from external devices. At this point the only way to remove the virus from the system is to open the case, find the CMOS battery on the motherboard, and remove it, thus restoring the BIOS defaults.
Congratulations, you've just hacked the 2004 Presidential Election. Your virus has infected all tallying computers and city/county computers, and has likely infected tons of DRE computers. Depending on your mode of operation, you have either modified the number of votes in a large district and handed a battleground state to your candidate, or you have destroyed as many ballots as possible in a district that heavily favors your opponent. If you were smart enough about covering your tracks, the odds of the authorities actually finding you are pretty small. While it's unlikely that you will actually get Ralph Nader or Harry Browne into the Oval Office -- even technology has its limits -- you've sown chaos and will likely fan the flames of intense partisanship for the next four years.
Remember to drop a polite letter to Mischelle Townsend and Linda Lamone, thanking them for handing you parts of California, or all of the state of Maryland. Just don't put a return address on the envelope.
-jdm