Here’s a press release from ICTE that’s well worth a read if you still trust voting machines:
Concerns expressed by many IT professionals about the security of the
e-voting system chosen for use in Ireland were today shown to be well-founded
when a group of Dutch IT Specialists, using documentation obtained from the
Irish Department of the Environment, demonstrated that the
NEDAP e-voting machines could be secretly hacked,
made to record inaccurate voting preferences, and could even be secretly
reprogrammed to run a chess program.
The recently formed Dutch anti e-voting group, “Wij vertrouwen stemcomputers
niet” (We don’t trust voting
computers), has revealed on national Dutch television program “EenVandaag” on
Nederland 1, that they have successfully hacked the Nedap machines —
identical to the machines purchased for use in Ireland in all important
respects.
ICTE representative Colm MacCarthaigh, who has
seen and examined the compromised Nedap machine in action in Amsterdam, notes
“The attack presented by the Dutch group would not need significant
modification to run on the Irish systems. The machines use the same
construction and components, and differ only in relatively minor aspects such
as the presence of extra LEDs to assist voters with the Irish voting system.
The machines are so similar that the Dutch group has been using only the
technical reference manuals and materials relevant to the Irish machines as a
guide, as those are the only materials publicly available.”
Maurice Wessling, of Wij vertrouwen stemcomputers niet, adds “Compromising
the system requires replacing only a single component, roughly the size of a
stamp, and is impossible to detect just by looking at the machine”.
Both ICTE and Wij vertrouwen stemcomputers niet view this as yet another
demonstration that no voting system which lacks a voter-verified audit trail
can be trusted. According to ICTE spokesperson Margaret McGaley “Any system
which lacks a means for the voter to verify that their vote has been
correctly recorded is fundamentally and irreparably flawed”.
Margaret McGaley highlighted that it is the machines themselves that are at
risk. “This particular issue is not about the vote counting software, which
we already know must be replaced, this is about the machines that the
Taoiseach has claimed were ‘validated beyond any question’. We now have proof
that these machines can be made to lie about the votes that have been cast on
them. It is abundantly clear that these machines would pose a genuine risk to
our democracy if used in elections in Ireland.”
ICTE is repeating its call, which reflects the opinions shared by IT expert
groups, including the E-voting group of the Irish Computing Society, that any
voting system implemented must include a voter-verified audit-trail.
This is a major exploit. Colm’s earlier
mail
noted
As we knew already, the machines run on m64k processors, and it’s
relatively easy to reverse engineer what all of the registers and inputs
correspond to. The dutch group were able to successfull assemble code to
run on the machine, and even burn it on the very eeprom that comes in
the machine.
Since the NEDAP design does not include XBox-style boot-time cryptographic
verification of the EEPROM’s
contents,
undetectable replacement of the operating system is a 2-minute matter
of unsticking the trivial
‘seals’ on
the voting machine’s access panels, popping out an EEPROM chip, and replacing
with a modified one, then closing it up again.
Once that’s done, the election is rigged, as WVSN have demonstrated.
Update: here’s their paper
describing the attack in detail — well worth a read.