In this post I’ll tell you the trick to defeating physical tamper-evident seals.
When I signed on as an expert witness in the New Jersey voting-machines lawsuit, voting machines in New Jersey used hardly any security seals. The primary issues were in my main areas of expertise: computer science and computer security.
Even so, when the state stuck a bunch of security seals on their voting machines in October 2008, I found that I could easily defeat them. I sent in a supplement expert report to the Court, explaining how.
Soon after I sent in my report about how to defeat all the State’s new seals, in January 2009 the State told the Court that it was abandoning all those seals, and that it had new seals for the voting machines. As before, I obtained samples of these new seals, and went down to my basement to work on them.
In a day or two, I figured out how to defeat all those new seals.
- The vinyl tamper-indicating tape can be defeated using packing tape, a razor blade, and (optionally) a heat gun.
- The blue padlock seal can be defeated with a portable drill and a couple of jigs that I made from scrap metal.
- The security screw cap can be defeated with a $5 cold chisel and a $10 long-nose pliers, each custom ground on my bench grinder.
For details and pictures, see “Seal Regime #3” in this paper.
The main trick is this: just to know that physical seals are, in general, easy to defeat. Once you know that, then it’s just a matter of thinking about how to do it, and having a pile of samples on which to experiment. In fact, the techniques I describe in my paper are not the only way to defeat these seals, or the best way—not even close. These techniques are what an amateur could come up with. But these seal-defeats were good enough to work just fine when I demonstrated them in the courtroom during my testimony, and they would almost certainly not be detected by the kinds of seal-inspection protocols that most states (including New Jersey) use for election equipment.
(In addition, the commenters on my previous post describe a very simple denial-of-service attack on elections: brazenly cut or peel all the seals in sight. Then what will the election officials do? In principle they should throw out the ballots or data covered by those seals. But then what? “Do-overs” of elections are rare and messy. I suspect the most common action in this case is not even to notice anything wrong; and the second most common is to notice it but say nothing. Nobody wants to rock the boat.)
(In addition, the commenters on my previous post describe a very simple denial-of-service attack on elections: brazenly cut or peel all the seals in sight. Then what will the election officials do? In principle they should throw out the ballots or data covered by those seals. But then what? “Do-overs” of elections are rare and messy. I suspect the most common action in this case is not even to notice anything wrong; and the second most common is to notice it but say nothing. Nobody wants to rock the boat.)
You’re talking about this as though it was some sort of an attack by somebody wanting to be a jerk. That could be highly useful. Let’s say I’m a Democrat. I pick a couple of districts that are known to vote Republican and send my ops to go and break all the seals. If I make enough noise, I should be able to get the votes of those districts invalidated and potentially get myself the election. I may even be able to garner sympathy if the Republican candidate tries to oppose invalidating the votes. After all, I am trying to help those people vote for who they want and my opponent is a jerk who is willing to let your vote be stolen right?