European e-voting machines cracked by Dutch group

By EDRi · October 11, 2006

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The voting computers used to cast 90% of the votes in Netherlands were
cracked by a Dutch Group called “Wij vertrouwen stemcomputers niet” (We do
not trust voting computers).

In a live public show on 4 October 2006 on the Dutch television channel
Nederland 1, the group proved how the control program of such a voting
machine – called Nedap/Groenendaal ES3B – could be replaced by exchanging 2
EPROMS on the board. The entire demonstration lasted less than 5 minutes.

The demonstration was followed by a public report released on 6 October that
explains how the program works, how the software was created and how they
can gain complete control over the election results. It is almost impossible
for election monitors or voters to detect any change. Moreover, it also
shows how the group discovered that radio emanations from an unmodified ES3B
can be received at several meters distance and be used to tell who votes
what.

The report comes at a delicate moment, with just one month and a half before
the Parliamentary elections in Netherlands where the e-voting machines
should be extensively used. The same computer voting is also being used in
parts of Germany and France, with minor modifications.

Use of this machine in Ireland is now on hold after significant doubts were
raised. Colm MacCarthaigh from Irish Citizens for Trustworthy E-voting,
after looking at the compromised Nedap machines, said that : “The attack
presented by the Dutch group would not need significant modification to run
on the Irish systems”.

Maurice Wessling, of Wij vertrouwen stemcomputers niet, underlined:
“Compromising the system requires replacing only a single component,
roughly the size of a stamp, and is impossible to detect just by looking at
the machine”.

After the Irish reaction, the German NGO Computer Chaos Club has also asked
for a ban on this e-voting machine, considering that it does not meet the
basic standard of the German law.

The Dutch report showed flaws similar to those discovered in Diebold
Election Systems Inc.’s touch-screen voting machine, by Edward Felten,
director of Princeton University’s Center for Information Technology Policy.
The flaws were presented in a public report released in September 2006 –
Security Analysis of the Diebold AccuVote-TS Voting Machine.

“We do not trust voting computers” Foundation
http://www.wijvertrouwenstemcomputersniet.nl/Nedap-en

Nedap/Groenendaal ES3B – voting computer a security analysis (6.10.2006)
http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf

Dutch citizens group cracks Nedap’s voting computer (7.10.2006)
http://www.webwereld.nl/articles/43217/flaws-found-in-european-voting-machines.html

E-voting machines successfully hacked (5.10.2006)
http://www.siliconrepublic.com/news/news.nv?storyid=single7158

Dutch citizens group cracks Nedap’s voting computer (6.10.2006)
http://www.heise.de/english/newsticker/news/79106

Computer Chaos Club demands prohibition of voting computers in Germany
(5.10.2006)
http://www.ccc.de/updates/2006/wahlcomputer

Security Analysis of the Diebold AccuVote-TS Voting Machine(13.09.2006)
http://itpolicy.princeton.edu/voting/

Video that demonstrates the tempest attack (10.09.2006)