
The Hursti Hack was a successful attempt to alter the votes recorded on a Diebold optical scan voting machine. The hack is named after Harri Hursti.


Participants

The participants were:
* Ion Sancho, Supervisor of Elections, Leon County, Florida
* Thomas James, Information Systems Officer for Leon County, Florida
* Bev Harris, Black Box Voting founder
* Kathleen Wynne, Black Box Voting Associate Director
* Harri Hursti, computer programmer and security expert
* Hugh Thompson, application security expert and Ph.D. in math
* Susan Bernecker, former Republican candidate for New Orleans city council
* Susan Pynchon, Director of Florida Fair Elections Coalition


Hacking a Diebold machine

In a series of four tests conducted in Feb., May, and Dec. 2005, Ion Sancho invited Black Box Voting to Tallahassee to check the Diebold machines. Black Box Voting engaged the services of Dr. Herbert Hugh Thompson and Harri Hursti. Dr. Thompson and Hursti believed they could change or hack vote totals without the system detecting entry. The first two projects targeted the computer program that adds up all the voting machine results and produces the final report. On Feb. 14 and again on May 2, Thompson successfully hacked the Diebold GEMS central tabulator and bypassed all passwords by using a Visual Basic script. This, however, would be detected in a vigilant environment if the supervisor of elections checks the poll tapes (voting machine results) against the central tabulator report. For purposes of demonstration, an election was run using Leon High School as a model. The results of the first hack are shown below. To show that both the results tapes and the central tabulator could be hacked, Black Box Voting then engaged the services of Hursti to hack the poll tapes. Black Box Voting purchased a card reader from the internet and Hursti used it to produce counterfeit memory cards, which successfully altered the voting machine results tapes on May 26, 2005.


One-Step hack

A fourth trip to Tallahassee was made on Dec. 13, 2005. Black Box Voting and the producers of the film ''Hacking Democracy'' organized the test. Attending were Harris and Kathleen Wynne from Black Box Voting, Hursti, and Thompson, along with Susan Pynchon of Florida Fair Elections Coalition from Volusia County, Florida, and Susan Bernecker, a former candidate for New Orleans city council who videotaped Sequoia-brand touch-screen voting machines in her district recording vote after vote for the wrong candidate. During his research, Hursti found that Diebold's cards allowed negative votes. Hursti successfully altered the votes using only a memory card, producing a one-step hack that simultaneously altered both the central tabulator results and the voting machine results tapes for matched (but rigged) results. "I would have had no way of knowing," said Sancho. "I would have certified this election."

Three voting machine hacking tests have been performed by Finnish computer expert Harri Hursti for the nonprofit elections watchdog group Black Box Voting and the producers of ''Hacking Democracy'', who filmed them. The first two Hursti Hacks were set up in Leon County, Florida, with the authorization of Supervisor of Elections Ion Sancho, and these tests examined a Diebold Election Systems (DES) Accu-Vote OS 1.94w (optical scan) voting machine. The third Hursti test was conducted for Black Box Voting in collaboration with Bruce Funk, then-County Clerk of Emery County, Utah, on a Diebold TSx touch-screen.


Hursti Memory Card Hacks

The tests by Hursti were the third (May 26, 2005) and fourth (Dec. 13, 2005) in a series of five voting machine examinations produced by the Black Box Voting group. The first four tests were authorized by the Supervisor of Elections for Leon County, Ion Sancho, to ascertain whether votes could be altered on a Diebold voting machine. Tests on Feb. 14, 2005 and May 2, 2005 were conducted on the Diebold GEMS central tabulator by Herbert Hugh Thompson, who proved that results reports could be altered without a password by using a Visual Basic script. The third and fourth tests were memory card tests performed by Hursti. The fifth test took place with both Hursti and Thompson in Emery County, Utah.

During Hursti's first memory card hack on May 26, 2005, he altered the program that creates the "poll tapes", or voting machine results reports. However, this hack would be detected if the supervisor of elections compared the poll tape results with the GEMS central tally report. The GEMS tally report can be hacked to match, as demonstrated during two earlier Black Box Voting projects in Leon County with Herbert Thompson. Thompson successfully manipulated the GEMS tally program using a Visual Basic script. The May 26 version of the Hursti memory card hack would require two steps to succeed without detection in a vigilant election setting: both the memory card and the GEMS tabulator program would need to have matching hacks.

During a videotaped meeting in Cuyahoga County, Ohio, DES Research and Development chief Pat Green stated that checks and balances would detect the tampering and that it would not be possible to alter the votes themselves on the memory card. However, during the Dec. 13, 2005 testing, Hursti successfully altered the votes on the memory card. His memory card manipulations falsified both the voting machine results tapes and the GEMS central tabulator report. Leon County Supervisor of Elections Ion Sancho stated that he would have had no way to detect the tampering and would have certified the election.

The Hursti memory card hack performed in Leon County on Dec. 13, 2005 is a variation on stuffing the ballot box prior to any votes being cast. Hursti had pre-loaded the memory card, giving one candidate 5 positive votes and one candidate 5 negative votes, to create a "zero report." This keeps the machine accurate in votes cast compared to number of voters. Actual paper ballots were used, pre-printed with the following question: "Can the votes on this Diebold system be hacked using the memory card?"


The test election

Since Hursti was the technical advisor, he was asked by Sancho to remain outside of the test area. Selection of the voting machine was done by random draw. Machine #15191 was pulled as the random machine. Hursti only touched the memory card and did not come into contact with any machines. Seven participants made out their ballots using the opti-scan paper sheets (Hursti remaining outside the test area). Sancho then went to Hursti and gave him a ballot, which Hursti filled out. Hursti then gave Sancho the memory card to insert into the machine. Sancho explained the operation of the machine to those in attendance, the card was inserted, and the machine was turned on, which then produced the "zero total tape." The tape showed zero votes cast. The test ballots were then inserted into the Diebold machine, followed by the "ender card" (the same size as a ballot), which tells the machine to turn off its counting function and start its reporting function. The machine then produced a paper tape with 7 yes votes and 1 no vote.
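The arithmetic behind the Dec. 13 test, as an added example that is not part of the original article: offsetting pre-loaded counters leave the turnout check and the tape-versus-tabulator comparison intact, while a hand count of the paper ballots and a per-counter check of the card do not match. The 2 "yes" / 6 "no" paper ballots are an assumption chosen to reproduce the 7/1 tape reported above, the function names are hypothetical, and the pre-election check assumes the auditor can read the card's raw counters independently of the printed zero tape.

```python
# Added illustration (not from the original page): why count-based checks miss
# offsetting pre-loaded counters, and which audits do catch them.

def tally(preload, ballots):
    """Return per-choice counters: pre-loaded card values plus scanned ballots."""
    counters = dict(preload)
    for choice in ballots:
        counters[choice] = counters.get(choice, 0) + 1
    return counters

def preload_findings(preload):
    """Pre-election check on raw card counters: each one must be exactly zero."""
    findings = []
    for choice, value in sorted(preload.items()):
        if value < 0:
            findings.append(f"{choice}: negative counter {value}")
        elif value != 0:
            findings.append(f"{choice}: non-zero counter {value}")
    return findings

def audit(preload, ballots, voters_signed_in):
    """Run the checks discussed in the text and report which ones pass."""
    tape = tally(preload, ballots)       # poll tape printed by the machine
    tabulator = dict(tape)               # central report is fed from the same card
    hand_count = tally({}, ballots)      # manual count of the paper ballots
    return {
        "tape": tape,
        "turnout_matches": sum(tape.values()) == voters_signed_in,
        "tape_matches_tabulator": tape == tabulator,
        "tape_matches_hand_count": tape == hand_count,
        "preload_findings": preload_findings(preload),
    }

# Constructed inputs: the +5/-5 pre-load is described in the text; the 2 "yes"
# and 6 "no" paper ballots are an assumption that reproduces the 7/1 tape.
PRELOAD = {"yes": 5, "no": -5}
BALLOTS = ["yes"] * 2 + ["no"] * 6

if __name__ == "__main__":
    for check, result in audit(PRELOAD, BALLOTS, voters_signed_in=8).items():
        print(f"{check}: {result}")
```

Only the last two checks separate the tampered card from a clean one, which is why paper-ballot audits and strict per-counter validation matter more than total-count reconciliation.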


Results

This test demonstrated that Diebold Election Systems made misrepresentations to Secretaries of State across the nation when the company claimed votes could not be changed on the memory card, the credit card-sized ballot box used by computerized voting machines. More seriously, Diebold Election Systems claimed in writing to state election officials that the Diebold memory cards did not contain any executable code. In fact the memory cards did contain executable code (likened to 'a living thing' inside the cards), and it was this executable code that hacking expert Harri Hursti used to defraud the Diebold voting system. Furthermore, DES wrote a press release referring to the famous vote-changing 'Hursti Hack', stating: "Harri Hursti is shown attacking a DES machine in Florida. But his attack proved later to be a complete sham."

In response to the test election, California's Secretary of State commissioned a special report by scientists at UC Berkeley to investigate the 'Hursti Hack'. The UC Berkeley scientists wrote the ''Special Report On The Diebold Accuvote Voting Machine''. Page 2 of their report states: "Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server." A spokesman for DES said it was similar to "leaving your car unlocked, with the windows down and keys left in the ignition and then acting surprised when your car is stolen."

The test election was filmed and shown in the conclusion of the Emmy-nominated HBO documentary ''Hacking Democracy'', which premiered November 2, 2006.


Examination of the DES TSx touch-screens in Utah

In 2006, Black Box Voting was invited by Emery County, Utah, County Clerk Bruce Funk to examine the DES TSx touch-screen. Black Box Voting arranged for the services of Hursti and Black Box board member Jim March, who traveled to Utah March 1 and 2, 2006. Hursti discovered numerous security flaws, the most egregious being the ability to reload the entire operating system and the ability to replace the boot loader simply by inserting a memory card with a specific program name. Hursti discovered that the system would accept macros in a manner that posed a risk to election security. Jim March opened the case of the TSx and photographed its interior, discovering a hidden SD wireless slot and piggyback connectors under the standard modem, both enabling the machine to be equipped for wireless communications without the knowledge of election directors. After seeing how serious the problems were, Black Box Voting engaged the services of Herbert Thompson, then head of the security company Security Innovation, to provide an independent opinion. Both Hursti and Thompson conducted a second series of tests on March 16 and 17, 2006 to confirm findings, which prompted emergency warnings and last-minute corrective actions in Pennsylvania, California, and other states. (Technology Daily: States Still Concerned About New Voting Equipment; May 30, 2006)

