Security Group at Santa Barbara Infects Voting Machines With Viruses, Showing Vulnerability

In this contentious election season (like all of them), promises to count every last vote will certainly be a constant refrain leading up to the big day in November.

The old quote from Stalin has gained traction in recent years: “Those who cast the votes decide nothing. Those who count the votes decide everything.” The Computer Security Group, in the department of computer science at the University of California at Santa Barbara, cites the adage in a report examining who — or, rather, what — will count the votes in California.

“Our team focused on the security analysis of the Sequoia voting system,” the group says on its Web site, with a link to the report. “We found a number of major flaws that can be exploited to compromise the integrity, confidentiality, and availability of the voting process. In particular, we developed a virus-like software that can spread across the voting system, modifying the firmware of the voting machines. The modified firmware is able to steal votes even in the presence of a Voter-Verified Paper Audit Trail.”

The group has also produced a sort of how-to video on thwarting democracy, demonstrating a method for delivering the virus to the machine. Parts one and two of the video are below.

“The video shows how one can use a simple USB key to infect the laptop used to prepare the cards that initialize the various voting devices,” the group says. “As a result, the cards are loaded with a malicious software component. When a card is inserted in a voting terminal, the malicious software exploits a vulnerability in the terminal loading procedure and installs a modified firmware, effectively ‘brainwashing’ the terminal…. The movie also shows that the physical security measures being used to limit access to essential parts of the voting systems are ineffective.” —Scott Carlson

Return to Top