You are here

Leaked Photos show huge security flaw in Wisconsin voting system as recount opposition mounts

Gerry Bello

The battle to launch a recounts in three states by the Green Party lead by Jill Stein heated up today with a switch of court venues from state to federal court in Pennsylvania. President elect Trump was again sighted on twitter without adult supervision to call Stein a “Fraud.” The real focus of the recount effort may be better placed in Wisconsin.

Photos of the back of an Election Systems and Solutions (ES & S) tabulation machine in Wisconsin released to the publicly by Green Party Election Observers show a shocking level of vulnerability at the design level. The machine is equipped with an 8 year old cellular modem.

The DS2000 machine is clearly labeled as having a MTSMC-C2 socket modem made by Multitech for Verizon (Multitech manufactures the devices in batches for both Verizon and Sprint). The device is at least eight years old and retails for $106. This particular machine, used in a rural county on the Minnesota border, was approved for use by the State of Wisconsin no earlier than April 2014. Shockingly, this was less than two months after features were added that allow the device to be reprogrammed remotely.

The tepid and tardy joining of recount efforts by the Democratic party seems focused on what they call “outside interference,” meaning Russian intelligence. What the Democrats do not seem to wish to discuss is the overall systematic vulnerabilities of the system. In this case they are easily catastrophic and serve no useful purpose.

The cellular modem is used to transmit results to a central tabulator. It is not needed if there is some other form of network access, like a phone line or direct internet connection. The DS2000 pictured above is a precinct level tabulator. One fails to see why a precinct poll worker can not phone in the results or have them transmitted via internet from a polling place. There is no reason for a cellular modem in the design at all.

This particular modem has been on the market for at least 8 years and has security vulnerabilities. It can be caused to communicate on multiple channels by entering the following lines of code at the command prompt: “AT+WOPEN=5; <CR> ATD*22899;<cr>” That is all that is needed to push it into CDMA mode.

Once in CDMA mode all it would take is forcing the modem into accepting PDU texts, also a trivial operation and then the modem, and therefore the central tabulation machine, are open to alteration of their memory or a man in the middle attack. The MTSMC-C2 also allows it's firmware, and therefore it start up initialization routine, to be updated via remote access over a network.

Finding this particular vulnerability did not take me 8 years. It took less than an hour. There are additional points of attack that the DS2000 is vulnerable to despite it being federally certified and cleared for use in Wisconsin on April 4 2014. The company NowSMS added text message support and gateway services to and from Windows to the MTSMC-C2 on February 28 2014, prior to it's approval.

Any person with access to the machine could have altered it to do their biding and then changed the firmware back to cover their tracks. This includes the poll workers, county election officials, manufacturers and sales people. These machines were sold in Wisconsin in 2009-2010 by a company called Command Central.

Command Central was at the time located in St. Cloud Minnesota in a strip mall where their offices are literally across the hall from those of Congresswoman Michelle Bachman. Bachman is one of the most partisan tea party Republicans in Congress. Any member of her staff entering Command Central's office either by invitation or subterfuge could have altered any piece of equipment there in mere minutes.

The manufacturer, ES & S, has a long history of adding strange firmware modifications and patches going back 2012 and beyond. Once these modes of entry are activated they can be programed by any person with a cell phone anywhere in the country. Any person with cell phone spoofing technology can attack these machines from up to a mile away.

This weakness in the voting system was built in by assumption by the industry itself and enabled by Democratic Party opposition that only sees Russia agents as possible malicious actors. The simple fact that I can find these weaknesses in less than an hour working from a single photograph shows that a variety of actors can find and exploit weaknesses with 8 years of planning and testing. The price of the modem would allow anyone to test their attack in the privacy of their own home over and over.

Any Wisconsin Recount effort needs to audit the update logs of all firmware on all machines. If the logs are incomplete or not forthcoming the election was a fraud.