Hursti Hack
Encyclopedia
The Hursti Hack was a successful attempt to alter the votes recorded on a Diebold
optical scan voting machine. The hack is named after Harri Hursti
.
In a series of four tests conducted in Feb., May, and Dec. 2005, Ion Sancho invited Black Box Voting to Tallahassee after an invitation to check the Diebold machines. Black Box Voting engaged the services of Dr. Herbert Hugh Thompson
and Harri Hursti
. Dr. Thompson and Hursti believed they could change or hack vote totals without the system detecting entry. The first two projects targeted the computer program that adds up all the voting machine results and produces the final report. On Feb. 14 and again on May 2, Thompson successfully hacked the Diebold GEMS central tabulator and bypassed all passwords by using a Visual Basic script. This, however, would be detected in a vigilant environment if the supervisor of elections checks the poll tapes (voting machine results) against the central tabulator report.
For purposes of demonstration, an election was run using Leon High School
as a model. The results of the first hack are shown below.
To show that both the results tapes and the central tabulator could be hacked, Black Box Voting then engaged the services of Hursti to hack the poll tapes. Black Box Voting purchased a card reader from the internet
and Hursti used it to produce counterfeit memory cards, which successfully altered the voting machine results tapes on May 26, 2005.
, and Susan Bernecker
, a former candidate for New Orleans
city council who videotaped Sequoia-brand touch-screen voting machines in her district recording vote after vote for the wrong candidate. During his research, Hursti found that Diebold's cards allowed negative votes. Hursti successfully altered the votes using only a memory card, producing a one-step hack that simultaneously altered both the central tabulator results and the voting machine results tapes for matched (but rigged) results. "I would have had no way of knowing," said Sancho. "I would have certified this election."
Three voting machines hacking tests have been performed by Finnish Computer expert Harri Hursti
for the nonprofit elections watchdog group Black Box Voting
and the producers of the HBO documentary 'Hacking Democracy' who filmed it. The first two Hursti Hacks were set up in Leon County
, Florida
with the authorization of Supervisor of Elections Ion Sancho and these tests examined a Diebold Election Systems (DES) Accu-Vote OS 1.94w (optical scan) voting machine. The third Hursti test was conducted for Black Box Voting in collaboration with Bruce Funk, then-County Clerk of Emery County, Utah, on a Diebold TSx touch-screen.
to ascertain whether votes could be altered on a Diebold voting machine. Tests on Feb. 14, 2005 and May 2, 2005 were conducted on the Diebold GEMS central tabulator by Herbert Hugh Thompson
, who proved that results reports could be altered without a password by using a Visual Basic script. The third and fourth tests were memory card tests performed by Hursti. The fifth test took place with both Hursti and Thompson in Emery County Utah.
During Hursti's first memory card hack on May 26, 2005, he altered the program that creates the "poll tapes", or voting machine results reports. However, this hack would be detected if the supervisor of elections compared the poll tape results with the GEMS central tally report. The GEMS tally report can be hacked to match, as demonstrated during two earlier Black Box Voting projects in Leon County with Herbert Thompson. Thompson successfully manipulated the GEMS tally program using a Visual Basic script.
The May 26 version of the Hursti memory card hack would require two steps to succeed without detection in a vigilant election setting: Both the memory card and the GEMS tabulator program would need to have matching hacks.
During a videotaped meeting in Cuyahoga County, Ohio
, DES Research and Development chief Pat Green stated that checks and balances would detect the tampering and that it would not be possible to alter the votes themselves on the memory card.
However, during the Dec. 13 2005 testing, Hursti successfully altered the votes on the memory card. His memory card manipulations falsified both the voting machine results tapes and the GEMS central tabulator report. Leon County Supervisor of Elections Ion Sancho stated that he would have had no way to detect the tampering and would have certified the election.
The Hursti memory card hack performed in Leon County on Dec. 13, 2005 is a variation on stuffing the ballot box
prior to any votes being cast. Hursti had pre-loaded the memory card giving one candidate 5 positive votes and one candidate 5 negative votes to create a "zero report." This keeps the machine accurate in votes cast compared to number of voters.
Actual paper ballots were used pre-printed with the following question: "Can the votes on this Diebold system be hacked using the memory card?"
Since Hursti was the technical advisor
he was asked by Sancho to remain outside of the test area. Selection of the voting machine was done by random draw. Machine #15191 was pulled as the random machine. Hursti only touched the memory card but did not come in to contact with any machines.
Seven participants made out their ballots using the opti-scan paper sheets (Hursti remaining outside the test area). Sancho then went to Hursti and gave him a ballot which Hursti filled out. Hursti then gave Sancho the memory card to insert in to the machine. The operation of the machine was explained by Sancho to those in attendance and the card inserted and machine turned on which then produced the "zero total tape." The tape produced zero votes cast. The test ballots were then inserted in to the Diebold machine followed by the "ender card" (same size as ballot) was inserted telling the machine to turn off its counting function and start its reporting function. The machine then produced a paper tape with 7 yes votes and 1 no vote.
across the nation when DES claimed votes could not be changed on the memory card, the credit card
-sized ballot box used by computerized voting machines.
Furthermore, DES wrote a press release referring to the famous vote changing 'Hursti Hack', stating that - "Harri Hursti is shown attacking a DES machine in Florida. But his attack proved later to be a complete sham." In response to the test election, California's Secretary of State commissioned a special report by scientists at UC Berkeley to investigate the Hursti Hack. Page 2 of their report states - "Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server."
A spokesman for DES said it was similar to "leaving your car unlocked, with the windows down and keys left in the ignition and then acting surprised when your car is stolen."
The test election was filmed and shown in the conclusion of the 2006 HBO documentary, Hacking Democracy
, which premiered November 2, 2006."
After seeing how serious the problems were, Black Box Voting engaged the services of Herbert Thompson, then head of the security company Security Innovation, to provide an independent opinion. Both Hursti and Thompson conducted a second series of tests on March 16 and 17, 2006 to confirm findings, which prompted emergency warnings and last minute corrective actions in Pennsylvania, California, and other states.
Diebold
Diebold, Inc. is a United States-based security systems corporation that is engaged primarily in the sale, manufacture, installation and service of self-service transaction systems , electronic and physical security products , and software and integrated systems for global financial and...
optical scan voting machine. The hack is named after Harri Hursti
Harri Hursti
Harri Harras Hursti is a Finnish computer programmer and former Chairman of the Board and co-founder of ROMmon where he supervised in the development of the world's smallest 2 gigabit traffic analysis product that was later acquired by F-Secure Corporation.Hursti is well known for participating in...
.
Participants
The participants were:- Ion Sancho, Supervisor of Elections, Leon County, FloridaLeon County, FloridaLeon County is a county located in the state of Florida, named after the Spanish explorer Juan Ponce de León. At the 2010 Census, the population was 275,487. The county seat of Leon County is Tallahassee which also serves as the state capital. The county seat is home to two of Florida's major...
. - Thomas James, Information Systems Officer for Leon County, Florida
- Bev HarrisBev HarrisBev Harris is an American writer, activist, and founder of Black Box Voting Inc., a national nonpartisan, nonprofit elections watchdog group. She helped popularize the term Black Box Voting, while authoring a book of that title....
, Black Box VotingBlack Box VotingBlack box voting signifies voting on voting machines which do not disclose how they operate such as with closed source or proprietary operations. The term, as described by Dr. Arnold Urken of Stephens Institute of Technology, comes from the technical jargon use of the term black box, a device or...
founder - Kathleen Wynne, Black Box Voting Associate Director
- Harri HurstiHarri HurstiHarri Harras Hursti is a Finnish computer programmer and former Chairman of the Board and co-founder of ROMmon where he supervised in the development of the world's smallest 2 gigabit traffic analysis product that was later acquired by F-Secure Corporation.Hursti is well known for participating in...
, computer programmer and security expert - Hugh ThompsonHerbert Hugh ThompsonDr. Herbert Hugh Thompson is an application security consultant.Thompson received his Ph.D. in Applied Mathematics from Florida Institute of Technology. and holds a CISSP certificate...
, application security expert and Ph.D. in math - Susan BerneckerSusan BerneckerSusan S. Bernecker is a former Republican candidate for the Jefferson Parish City Council in suburban New Orleans. She was defeated 33% to 58% by Nick Giambelluca, nephew of the Jefferson Parish election supervisor, Tony Giambelluca....
, former Republican candidate for New Orleans city council. - Susan Pynchon, Director of Florida Fair Elections Coalition
Hacking a Diebold machine
Herbert Hugh Thompson
Dr. Herbert Hugh Thompson is an application security consultant.Thompson received his Ph.D. in Applied Mathematics from Florida Institute of Technology. and holds a CISSP certificate...
and Harri Hursti
Harri Hursti
Harri Harras Hursti is a Finnish computer programmer and former Chairman of the Board and co-founder of ROMmon where he supervised in the development of the world's smallest 2 gigabit traffic analysis product that was later acquired by F-Secure Corporation.Hursti is well known for participating in...
. Dr. Thompson and Hursti believed they could change or hack vote totals without the system detecting entry. The first two projects targeted the computer program that adds up all the voting machine results and produces the final report. On Feb. 14 and again on May 2, Thompson successfully hacked the Diebold GEMS central tabulator and bypassed all passwords by using a Visual Basic script. This, however, would be detected in a vigilant environment if the supervisor of elections checks the poll tapes (voting machine results) against the central tabulator report.
For purposes of demonstration, an election was run using Leon High School
Leon High School
Leon High School is a public high school in Tallahassee, Florida. For the 2007-2008 school year, the Florida Department of Education gave the school an "A" rating after its students scored well above the state average on standardized tests in reading and in math...
as a model. The results of the first hack are shown below.
| Leon High School (pre-hack) | |||
|---|---|---|---|
| Candidate | Votes | Percentage | |
| Bud Baker | 623 | 54.79% | |
| Thomas Guthrie | 192 | 16.89% | |
| Nadiyah Smith | 322 | 28.32% | |
| Leon High School (post-hack) | ||
|---|---|---|
| Candidate | Votes | Percentage |
| Bud Baker | 623 | 10.71% |
| Thomas Guthrie | 192 | 3.30% |
| Nadiyah Smith | 5000 | 85.98% |
To show that both the results tapes and the central tabulator could be hacked, Black Box Voting then engaged the services of Hursti to hack the poll tapes. Black Box Voting purchased a card reader from the internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
and Hursti used it to produce counterfeit memory cards, which successfully altered the voting machine results tapes on May 26, 2005.
One-Step hack
A fourth trip to Tallahassee was made on Dec. 13, 2005. Black Box Voting and the producers of the film Hacking Democracy organized the test. Attending were Harris and Kathleen Wynne from Black Box Voting, Hursti, Thompson, along with Susan Pynchon of Florida Fair Elections Coalition from Volusia County, FloridaVolusia County, Florida
Volusia County is a county located in the state of Florida. The U.S. Census Bureau 2010 official county's population was 494,593 . Its county seat is DeLand, and its most populous city is currently Deltona....
, and Susan Bernecker
Susan Bernecker
Susan S. Bernecker is a former Republican candidate for the Jefferson Parish City Council in suburban New Orleans. She was defeated 33% to 58% by Nick Giambelluca, nephew of the Jefferson Parish election supervisor, Tony Giambelluca....
, a former candidate for New Orleans
New Orleans, Louisiana
New Orleans is a major United States port and the largest city and metropolitan area in the state of Louisiana. The New Orleans metropolitan area has a population of 1,235,650 as of 2009, the 46th largest in the USA. The New Orleans – Metairie – Bogalusa combined statistical area has a population...
city council who videotaped Sequoia-brand touch-screen voting machines in her district recording vote after vote for the wrong candidate. During his research, Hursti found that Diebold's cards allowed negative votes. Hursti successfully altered the votes using only a memory card, producing a one-step hack that simultaneously altered both the central tabulator results and the voting machine results tapes for matched (but rigged) results. "I would have had no way of knowing," said Sancho. "I would have certified this election."
Three voting machines hacking tests have been performed by Finnish Computer expert Harri Hursti
Harri Hursti
Harri Harras Hursti is a Finnish computer programmer and former Chairman of the Board and co-founder of ROMmon where he supervised in the development of the world's smallest 2 gigabit traffic analysis product that was later acquired by F-Secure Corporation.Hursti is well known for participating in...
for the nonprofit elections watchdog group Black Box Voting
Black Box Voting
Black box voting signifies voting on voting machines which do not disclose how they operate such as with closed source or proprietary operations. The term, as described by Dr. Arnold Urken of Stephens Institute of Technology, comes from the technical jargon use of the term black box, a device or...
and the producers of the HBO documentary 'Hacking Democracy' who filmed it. The first two Hursti Hacks were set up in Leon County
Leon County, Florida
Leon County is a county located in the state of Florida, named after the Spanish explorer Juan Ponce de León. At the 2010 Census, the population was 275,487. The county seat of Leon County is Tallahassee which also serves as the state capital. The county seat is home to two of Florida's major...
, Florida
Florida
Florida is a state in the southeastern United States, located on the nation's Atlantic and Gulf coasts. It is bordered to the west by the Gulf of Mexico, to the north by Alabama and Georgia and to the east by the Atlantic Ocean. With a population of 18,801,310 as measured by the 2010 census, it...
with the authorization of Supervisor of Elections Ion Sancho and these tests examined a Diebold Election Systems (DES) Accu-Vote OS 1.94w (optical scan) voting machine. The third Hursti test was conducted for Black Box Voting in collaboration with Bruce Funk, then-County Clerk of Emery County, Utah, on a Diebold TSx touch-screen.
Hursti Memory Card Hacks
The tests by Hursti were the third (May 26, 2005) and fourth (Dec. 13, 2005) in a series of five voting machine examinations produced by the Black Box Voting group. The first four tests were authorized by Supervisor of Elections for Leon County, Ion SanchoIon Sancho (politician)
Ion Voltaire Sancho is an elected public official serving Leon County, Florida, USA as Supervisor of Elections. His family first moved to Louisiana and then to Columbus, Ohio. As the eldest child, he cared for his younger siblings. He moved to Florida after high school...
to ascertain whether votes could be altered on a Diebold voting machine. Tests on Feb. 14, 2005 and May 2, 2005 were conducted on the Diebold GEMS central tabulator by Herbert Hugh Thompson
Herbert Hugh Thompson
Dr. Herbert Hugh Thompson is an application security consultant.Thompson received his Ph.D. in Applied Mathematics from Florida Institute of Technology. and holds a CISSP certificate...
, who proved that results reports could be altered without a password by using a Visual Basic script. The third and fourth tests were memory card tests performed by Hursti. The fifth test took place with both Hursti and Thompson in Emery County Utah.
During Hursti's first memory card hack on May 26, 2005, he altered the program that creates the "poll tapes", or voting machine results reports. However, this hack would be detected if the supervisor of elections compared the poll tape results with the GEMS central tally report. The GEMS tally report can be hacked to match, as demonstrated during two earlier Black Box Voting projects in Leon County with Herbert Thompson. Thompson successfully manipulated the GEMS tally program using a Visual Basic script.
The May 26 version of the Hursti memory card hack would require two steps to succeed without detection in a vigilant election setting: Both the memory card and the GEMS tabulator program would need to have matching hacks.
During a videotaped meeting in Cuyahoga County, Ohio
Ohio
Ohio is a Midwestern state in the United States. The 34th largest state by area in the U.S.,it is the 7th‑most populous with over 11.5 million residents, containing several major American cities and seven metropolitan areas with populations of 500,000 or more.The state's capital is Columbus...
, DES Research and Development chief Pat Green stated that checks and balances would detect the tampering and that it would not be possible to alter the votes themselves on the memory card.
However, during the Dec. 13 2005 testing, Hursti successfully altered the votes on the memory card. His memory card manipulations falsified both the voting machine results tapes and the GEMS central tabulator report. Leon County Supervisor of Elections Ion Sancho stated that he would have had no way to detect the tampering and would have certified the election.
The Hursti memory card hack performed in Leon County on Dec. 13, 2005 is a variation on stuffing the ballot box
Ballot box
A ballot box is a temporarily sealed container, usually square box though sometimes a tamper resistant bag, with a narrow slot in the top sufficient to accept a ballot paper in an election but which prevents anyone from accessing the votes cast until the close of the voting period...
prior to any votes being cast. Hursti had pre-loaded the memory card giving one candidate 5 positive votes and one candidate 5 negative votes to create a "zero report." This keeps the machine accurate in votes cast compared to number of voters.
Actual paper ballots were used pre-printed with the following question: "Can the votes on this Diebold system be hacked using the memory card?"
The test election
| Ballots Cast By Participants | ||
|---|---|---|
| Participant | Yes or No | |
| Bev Harris | No | |
| Thomas James | No | |
| Ion Sancho | No | |
| Susan Bernecker | No | |
| Susan Pynchon | No | |
| Kathleen Wynn | No | |
| Hugh Thompson | Yes | |
| Harri Hursti | Yes | |
| TOTAL: | 6 NO 2 YES | |
| Actual Results By Diebold Machine | ||
| YES | NO | |
| 7 | 1 | |
Since Hursti was the technical advisor
Technical advisor
A technical advisor is an individual who is expert in a particular field of knowledge, hired to provide detailed information and advice to people working in that field...
he was asked by Sancho to remain outside of the test area. Selection of the voting machine was done by random draw. Machine #15191 was pulled as the random machine. Hursti only touched the memory card but did not come in to contact with any machines.
Seven participants made out their ballots using the opti-scan paper sheets (Hursti remaining outside the test area). Sancho then went to Hursti and gave him a ballot which Hursti filled out. Hursti then gave Sancho the memory card to insert in to the machine. The operation of the machine was explained by Sancho to those in attendance and the card inserted and machine turned on which then produced the "zero total tape." The tape produced zero votes cast. The test ballots were then inserted in to the Diebold machine followed by the "ender card" (same size as ballot) was inserted telling the machine to turn off its counting function and start its reporting function. The machine then produced a paper tape with 7 yes votes and 1 no vote.
Results
This test demonstrated that DES made misrepresentations to Secretaries of StateSecretary of State (U.S. state government)
Secretary of State is an official in the state governments of 47 of the 50 states of the United States, as well as Puerto Rico and other U.S. possessions. In Massachusetts, Pennsylvania, and Virginia, this official is called the Secretary of the Commonwealth...
across the nation when DES claimed votes could not be changed on the memory card, the credit card
Credit card
A credit card is a small plastic card issued to users as a system of payment. It allows its holder to buy goods and services based on the holder's promise to pay for these goods and services...
-sized ballot box used by computerized voting machines.
Furthermore, DES wrote a press release referring to the famous vote changing 'Hursti Hack', stating that - "Harri Hursti is shown attacking a DES machine in Florida. But his attack proved later to be a complete sham." In response to the test election, California's Secretary of State commissioned a special report by scientists at UC Berkeley to investigate the Hursti Hack. Page 2 of their report states - "Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server."
A spokesman for DES said it was similar to "leaving your car unlocked, with the windows down and keys left in the ignition and then acting surprised when your car is stolen."
The test election was filmed and shown in the conclusion of the 2006 HBO documentary, Hacking Democracy
Hacking Democracy
Hacking Democracy is a 2006 documentary film by producer Robert Carrillo Cohen and producer / directors Russell Michaels and Simon Ardizzone, shown on HBO...
, which premiered November 2, 2006."
Examination of the DES TSx touch-screens in Utah
In 2006, Black Box Voting was invited by Emery County Utah County Clerk Bruce Funk to examine the DES TSx touch-screen. Black Box Voting arranged for the services of Hursti and Black Box board member Jim March, who traveled to Utah March 1 and 2, 2006. Hursti discovered numerous security flaws, the most egregious being the ability to reload the entire operating system and the ability to replace the boot loader simply by inserting a member card with a specific program name. Hursti discovered that the system would accept macros in a manner that posed a risk to election security. Jim March opened the case of the TSx and photographed its interior, discovering a hidden SD wireless slot and piggyback connectors under the standard modem, both enabling the machine to be equipped for wireless communications without the knowledge of election directors.After seeing how serious the problems were, Black Box Voting engaged the services of Herbert Thompson, then head of the security company Security Innovation, to provide an independent opinion. Both Hursti and Thompson conducted a second series of tests on March 16 and 17, 2006 to confirm findings, which prompted emergency warnings and last minute corrective actions in Pennsylvania, California, and other states.