Gabbard: “Electronic Voting Systems Have Been Vulnerable to Hackers for a Very Long Time”
April 11th, 2025It does get exhausting, decade after decade.
Via: Modernity News:
National Intelligence Director Tulsi Gabbard made a startling revelation during an open cabinet meeting Wednesday, announcing that she has evidence that electronic voting machines have been tampered with to manipulate the results of past US elections.
“I’ve got a long list of things that we’re investigating. We have the best going after this, election integrity being one of them,” Gabbard stated.
“We have evidence of how these electronic voting systems have been vulnerable to hackers for a very long time,” she continued.
…
Gabbard emphasised that the evidence shows that machines are “vulnerable to exploitation to manipulate the results of the votes being cast.”
She told President Trump that the finding “further drives forward your mandate to bring about paper ballots across the country so that voters can have faith in the integrity of our elections.”
I’m shocked, shocked that gambling is going on in here!
http://www.youtube.com/watch?v=SjbPi00k_ME
Given how many hacking contests have gone on focused on the US voting system, I asked Grok:
“examples of hacking into actual voting machines by participants, or did the machine companies make it legally impossible to use actual machines?”
“At events like DEF CON’s Voting Village, participants have hacked into actual electronic voting machines used in U.S. elections, revealing vulnerabilities. However, voting machine companies have imposed legal and practical restrictions that limit access to these machines, though not entirely preventing it. Below are examples of hacks and details on the legal landscape:
Examples of Hacking into Actual Voting Machines
DEF CON 2017 Voting Village:
Machines Hacked: Organizers acquired about a dozen real voting machines (e.g., Diebold, Sequoia, WINVote) from eBay or government auctions, all previously used in U.S. elections.
Hacks Performed:
Within two minutes, Carsten Schürmann exploited a vulnerability to gain remote access to a WINVote machine via its unpatched Windows XP system and open Wi-Fi, potentially allowing vote tampering.
In under 90 minutes, hackers physically opened machines, finding weak security like default passwords and accessible ports. One machine was manipulated to play Rick Astley’s “Never Gonna Give You Up” (Rickrolling), showing system control.
A Diebold machine was compromised in about eight hours, with hackers installing malicious software to alter vote counts.
Impact: Revealed outdated software (e.g., Windows XP, unpatched OpenSSL) and physical vulnerabilities, like unprotected ports, that could allow vote manipulation with physical access.
DEF CON 2018 Voting Village:
Machines Hacked: Included ES&S AccuVote-TSX, a widely studied touch-screen machine used in multiple states.
Hacks Performed:
J. Alex Halderman ran a mock election (George Washington vs. Benedict Arnold) and demonstrated how to insert malware via a memory card to flip results, taking under an hour with physical access.
Hackers found ways to access admin functions using default passwords or by exploiting smart card readers, potentially allowing multiple votes from one card.
Impact: Showed that even machines with known vulnerabilities remained in use, with no evidence of hacks in real elections but clear risks if physical security lapsed.
DEF CON 2019 Voting Village:
Machines Hacked: Over 100 machines, including touchscreens, optical scanners, and electronic poll books, all certified for use in U.S. jurisdictions.
Hacks Performed:
Every machine was compromised, either through new exploits or replicating known ones (some over a decade old). Examples included altering vote tallies, changing displayed ballots, and accessing internal software.
One machine was breached by picking a simple lock to access hardware, taking minutes.
Remote attacks were demonstrated on machines with internet connections, exploiting hardcoded credentials or weak encryption.
Impact: Highlighted persistent issues like poor physical security and outdated firmware, with organizers noting that real-world attackers would have more time and resources.
DEF CON 2022 Voting Village:
Machines Hacked: Included a Chinese-made machine purchased from Alibaba, used in some jurisdictions.
Hacks Performed:
Breached in five hours via a “slow and methodical” process, but organizers estimated a “free-for-all” approach could have compromised it in under 30 minutes. Features like Wi-Fi, Bluetooth, and facial recognition scanners provided attack vectors.
Impact: Demonstrated risks in machines with unnecessary connectivity, though physical access was typically required.
Legal and Practical Restrictions by Voting Machine Companies
Voting machine companies like ES&S, Dominion, and others have created hurdles to testing real machines, citing security and proprietary concerns, but they haven’t made it legally impossible. Here’s how they’ve influenced access:
Limited Access to Machines:
Contracts and Licensing: Companies often include clauses in contracts with election officials prohibiting third-party testing without their consent. This restricts researchers from legally accessing machines still in active use, forcing events like DEF CON to rely on decommissioned units bought secondhand (e.g., eBay, auctions).
Proprietary Systems: Hardware and software are proprietary, and companies rarely share source code or schematics, claiming trade secrets. This makes it harder for researchers to study machines without risking legal action for reverse-engineering.
Legal Threats and Resistance:
ES&S Response (2018): ES&S sent letters to customers before DEF CON 2018, arguing that the Voting Village’s open hacking environment posed a security threat and didn’t reflect real-world conditions (e.g., physical security during elections). They discouraged participation and downplayed findings.
DMCA Concerns: Before a 2016 exemption to the Digital Millennium Copyright Act (DMCA), hacking voting machines for research risked violating copyright law, as it involved bypassing digital locks. The exemption legalized research hacking, but companies still used legal pressure to deter it, citing potential misuse of findings.
Defamation and Pushback: Companies have accused researchers of exaggerating vulnerabilities to undermine trust in elections, though they’ve softened this stance over time, with some considering bug bounty programs.
Practical Barriers:
Controlled Distribution: Machines are sold or leased only to election officials, not researchers, limiting access to current models. DEF CON’s machines are often older, though still in use in some jurisdictions, raising questions about whether findings apply to newer systems.
Certification Processes: Federal and state certification can delay updates to fix vulnerabilities, as companies prioritize compliance over rapid patching, leaving known flaws unaddressed for years.
Not Legally Impossible:
The DMCA exemption since 2016 explicitly allows security research on voting machines, overriding earlier legal risks.
Events like DEF CON operate legally by using publicly obtained machines, and organizers collaborate with officials to share findings responsibly, avoiding direct legal challenges from companies.
Some states (e.g., California) have pushed for open-source voting systems or required vendors to allow independent audits, reducing corporate control, though adoption is slow.”
Must be an accidental oversight that the list leaves out the HBO video made in Wisconsin (?) in which a Dutch computer guy came over and hacked the voting machines in some county where a reporter had found many ballots left illegally in trash bags on a loading dock after the election. That, and the county’s reaction, aroused her suspicions. Around 2005-2010? The county wanted to punish her for touching them.
It was cool. The hacker waited in a hallway while she and a few others ‘voted’ on a suspect machine. They put in Joe Smith, the vote came out for Mary Jones. “They said it couldn’t be done…”