Poll machines prone to hacking -- IT expert
Original Story
The high-tech poll machines that will be used by the Commission on Elections (COMELEC) in the 2010 elections are prone to hacking, an IT expert said Thursday.
“The [poll] machines are only computers, they can be hacked. Someone can insert bad instructions into it and manipulate data,” IT expert Ike Señeres, former director-general of the National Computer Center, told ABS-CBN’s morning show, “Umagang Kay Ganda.”
Señeres explained that computers with vulnerable operating systems (OS) can be infected by viruses.
He said that the machines used by COMELEC in the ARMM elections used Windows, which he said is vulnerable to virus and hacking.
He added that the poll machines can also be manipulated by an “untrustworthy” person.
Señeres said that if COMELEC would allow him, he will sit in a room and if given enough time, he can hack into the poll machines and manipulate the results of the elections.
COMELEC spokesman James Jimenez admitted that there are no “fool-proof” systems and even an automated election can still be rigged.
Jimenez, however, said that critics of the automated elections should be reminded that the COMELEC is trying to replace a “system that is flawed and vulnerable.”
“With the automated system, it is new and it is less vulnerable,” he said.
Señeres, meanwhile, said that the possibility of the automated being hacked can still be prevented by helping COMELEC guard the process.
PCOS not OMR
COMELEC Chairman Jose Melo, meanwhile, said that the poll body will be using precinct count optical scan (PCOS), an improved version of the optical mark reader (OMR), which was used in the ARMM elections.
Melo said that compared with the OMR, PCOS has better security features and less vulnerable to cheating.
He said PCOS can take pictures of the ballots inserted by voters into the voting machines. He said the ballots' images are transmitted to COMELEC for better monitoring of the ballots' conditions.
The COMELEC had said that it will set up at least 80,000 PCOS machines nationwide during the May 2010 elections.
It said 14,000 units will be deployed around Metro Manila, 13,000 units in urban areas, 3,000 units in problem areas and 50,000 to each voting precincts in the rural areas.
OES on standby
Melo, meanwhile, said the COMELEC will put as standby the proposed "open election system" or the half manual, half automated elections.
He said if ever the winning supplier of the PCOS machines fail to meet COMELEC standards, it will be forced to switch to the open system.
"We won't have enough time to conduct another bidding, so we have to go manual," Melo said.
He said the COMELEC will publish the terms of reference for the meeting this month and start the actual bidding by April.
He said they will set the final testing for the poll machines on November 17.
By December 2009, the COMELEC will start educating teachers and their employees on how to use the poll machines.
In a marathon session that started Wednesday night, the Senate approved the supplemental budget bill for the COMELEC to implement automation in the 2010 elections.
Senators approved the budget bill with a provision for "transparency and accuracy in the selection of the relevant technology of the voting machines to be used for the May 10, 2010 automated and local elections."
The Senate passed the supplemental budget on its last session day before it goes on a five-week Lenten recess starting March 7.
House Bill 5715 was passed by the House of Representatives on Monday evening and was then transmitted to the Senate the next day.
The supplemental budget bill will still have to go through a bicameral debate.
Automation shortens the window needed to cheat. Couple that with PCOS, a nice md5sum+timestamp hashing algorithm, a secure way of transmission, and that would be way way better than the system used before.
It could be possible to install trojans prior to the election but that would require physical access to the (possibly hundreds of) machines since I doubt that they would be online prior to the election. And I'm sure (actually hoping) that they're going to be heavily guarded prior to deployment. Weak point could be in the counting mechanism itself. You could somehow sniff the connection, find out the receiving ip address(es), determine the protocol format (probably POST data to a webserver with the md5sum+timestamp I was talking about earlier), send a spoofed corrupted message, and (hopefully?) crash the counting mechanism. A DoS would be enough to undermine the validity of the election. Politically, that would also be enough.
The high-tech poll machines that will be used by the Commission on Elections (COMELEC) in the 2010 elections are prone to hacking, an IT expert said Thursday.
“The [poll] machines are only computers, they can be hacked. Someone can insert bad instructions into it and manipulate data,” IT expert Ike Señeres, former director-general of the National Computer Center, told ABS-CBN’s morning show, “Umagang Kay Ganda.”
Señeres explained that computers with vulnerable operating systems (OS) can be infected by viruses.
He said that the machines used by COMELEC in the ARMM elections used Windows, which he said is vulnerable to virus and hacking.
He added that the poll machines can also be manipulated by an “untrustworthy” person.
Señeres said that if COMELEC would allow him, he will sit in a room and if given enough time, he can hack into the poll machines and manipulate the results of the elections.
COMELEC spokesman James Jimenez admitted that there are no “fool-proof” systems and even an automated election can still be rigged.
Jimenez, however, said that critics of the automated elections should be reminded that the COMELEC is trying to replace a “system that is flawed and vulnerable.”
“With the automated system, it is new and it is less vulnerable,” he said.
Señeres, meanwhile, said that the possibility of the automated being hacked can still be prevented by helping COMELEC guard the process.
PCOS not OMR
COMELEC Chairman Jose Melo, meanwhile, said that the poll body will be using precinct count optical scan (PCOS), an improved version of the optical mark reader (OMR), which was used in the ARMM elections.
Melo said that compared with the OMR, PCOS has better security features and less vulnerable to cheating.
He said PCOS can take pictures of the ballots inserted by voters into the voting machines. He said the ballots' images are transmitted to COMELEC for better monitoring of the ballots' conditions.
The COMELEC had said that it will set up at least 80,000 PCOS machines nationwide during the May 2010 elections.
It said 14,000 units will be deployed around Metro Manila, 13,000 units in urban areas, 3,000 units in problem areas and 50,000 to each voting precincts in the rural areas.
OES on standby
Melo, meanwhile, said the COMELEC will put as standby the proposed "open election system" or the half manual, half automated elections.
He said if ever the winning supplier of the PCOS machines fail to meet COMELEC standards, it will be forced to switch to the open system.
"We won't have enough time to conduct another bidding, so we have to go manual," Melo said.
He said the COMELEC will publish the terms of reference for the meeting this month and start the actual bidding by April.
He said they will set the final testing for the poll machines on November 17.
By December 2009, the COMELEC will start educating teachers and their employees on how to use the poll machines.
In a marathon session that started Wednesday night, the Senate approved the supplemental budget bill for the COMELEC to implement automation in the 2010 elections.
Senators approved the budget bill with a provision for "transparency and accuracy in the selection of the relevant technology of the voting machines to be used for the May 10, 2010 automated and local elections."
The Senate passed the supplemental budget on its last session day before it goes on a five-week Lenten recess starting March 7.
House Bill 5715 was passed by the House of Representatives on Monday evening and was then transmitted to the Senate the next day.
The supplemental budget bill will still have to go through a bicameral debate.
Automation shortens the window needed to cheat. Couple that with PCOS, a nice md5sum+timestamp hashing algorithm, a secure way of transmission, and that would be way way better than the system used before.
It could be possible to install trojans prior to the election but that would require physical access to the (possibly hundreds of) machines since I doubt that they would be online prior to the election. And I'm sure (actually hoping) that they're going to be heavily guarded prior to deployment. Weak point could be in the counting mechanism itself. You could somehow sniff the connection, find out the receiving ip address(es), determine the protocol format (probably POST data to a webserver with the md5sum+timestamp I was talking about earlier), send a spoofed corrupted message, and (hopefully?) crash the counting mechanism. A DoS would be enough to undermine the validity of the election. Politically, that would also be enough.