The man in the picture below is UC San Diego Computer Science Ph.D. student Stephen Checkoway. In his hands is a printout that proves that his team’s “return-oriented programming” exploit was successfully able to steal votes from a Sequoia AVC Advantage electronic voting machine. Checkoway was probably like, “Yay! Our democracy is in danger!” Just kidding. Checkoway’s probably feeling awesome because his team – composed of researchers from Princeton University and the University of Michigan and headed by UC San Diego professor Hovav Shacham – was able to hack into the voting machine without the help of the machine’s manual, or even the source code of the software used in the voting machine.
The return-oriented programming approach is a “powerful systems security exploit that generates malicious behavior by combining short snippets of benign code already present in the system.” It was first described in 2007 by Shacham himself. While I have no doubt that it takes brilliant minds to achieve what Checkoway and his peeps achieved, we should instead focus on the implication of the achievement. And it’s quite unsettling: evil dudes “would need just a few minutes of access to the machine the night before the election in order to take it over and steal votes the following day.”
So how should governments react to this turn of events? Schacham recommends that the voting process should be as computer-free as possible. It may sound like a stupid idea – it’s certainly ironic – but if there’s anything we’ve learned from the history of Windows and video game consoles, and now this, it’s that anything can be hacked. Shacham is proposing the use of optical scanners, which would simply read paper ballots. If the scanner is compromised, then the ballots will be a fallback. It’ll take more time to process the votes, but that’s a small price for the truth.
Check out PhysOrg for the full story, plus a video interview with Hovav Shacham.