The Vulnerability of PCOS

There is a reason why in the Philippines some hold that “no politician is defeated; he was merely cheated” or that a politician didn’t win, he bought the election. Elections are sacred. The power of the vote is important more so in a nation that sees so much cheating during the elections, and one revolution in 1986 sparked when members of the Commission on Elections walked out of the count because Mr. Marcos, cheated.

And so the Philippines has been in a quest to solve this. As well as to increase the speed of the count. It has found itself rooting for technology. In 2010, Smartmatic’s PCOS machine entered the fray. It was surprisingly a success. The voter count was done so swiftly that it was almost unbelievable. The doubt gave way to belief that the Philippines may have finally found its answer to a faster, cleaner election.

In 2013, another election with PCOS rode in. Persistent questions were raised on its reliability. Is PCOS actually counting votes? For politicians, people have asked experts “can you hack PCOS for me so I will win?” Or experts have asked Politicians: “You know what? I can hack PCOS for you. For a fee”. This scenario seem to be well validated in ABS-CBN’s report, “How PCOS machines can be used to cheat in elections“.

The title of course leads us to believe that an exploit has been discovered. That the PCOS is vulnerable to cheating. There is a problem with the report. One glaring problem: the people alleging there was a problem just stopped with accusations at the water’s edge.

Leo Querubin, an expert from the Philippine Computer Society that Mr. Umaga-Diaz interviewed suggested that certain technicians from Smartmatic can access PCOS’s transmission servers, and from there manipulate the results.

The news report followed up with an interviewed. Mr. Umaga-Diaz interviewed former Congressman Glenn Chong. Mr. Chong alleges there are two ways for cheating to happen: 1) transmission of the results is manipulated (which seem to concur with Mr. Querubin’s allegations), and 2) CF cards are preloaded with result.

From an I.T. security perspective the allegations are huge. Mr. Querubin and Mr. Chong are suggesting that either an exploit— a man-in-the-middle attack— was used to access PCOS’ transmission server or technicians from Smartmatic (past or present) have accessed to the transmission server, and have used that access right to manipulate the result. Mr. Chong further alleges that Compact Flash cards (CF cards) used by the PCOS machine contain already preloaded results. This exploit, he said is used to ensure victory for local officials.

Both allegations seem plausible to anyone listening. Hollywood has made it to suggest launching attacks require simply just one very smart hacker, and a laptop. Plausibility, and reality are two different things, especially in security research.

Take for example the simple question: “Can Medical Devices be hacked?” The Department of Homeland Security published Alert (ICS-ALERT-13-164-01) on Medical Devices Hard-Coded Passwords. Or even exploits on computer systems like the recent Thunderstrike vulnerability, whose severity isn’t all that high on the list.

The point being two things: 1) there was proper research done to discover the vulnerability, and 2) that vulnerability was reported to the proper authority so patches can be made to protect against that exploit. Commission on Election spokesperson James Jimenez is absolutely right when he said in ABS-CBN’s interview (And I paraphrase): “If people believe that PCOS can easily be hacked/defraud, they must show us (the COMELEC) how to do it.”

The problem is that Mr. Querubin and Mr. Chong are alleging vulnerabilities and exploits that have no proof-of-concepts. Yet. It is easy enough to suppose, for example, to imagine, man-in-the-middle attacks. It is a far cry in a laboratory setting, and it is also different to see it in the wild. Is it possible given the context of PCOS, and transmission servers? How difficult is the attack? How vulnerable? It can only be shown through real world demonstration. You know, the scientific method. The same is true with the question on Compact Flash cards used by PCOS, and the allegation they are filled with preloaded data.

In security research the onus is on the researcher to prove the reality of his claim. If like me, you are seeking the truth to the claim that our democracy is hackable then “How PCOS machines can be used to cheat in elections” doesn’t even come close to answering that question. It is all assertion without scientific method. The veracity of Mr. Querubin’s and Mr. Chong’s allegation can only grow with a demonstration of fact rather than mere assertion, which so far, they have failed to express.


Photo credit: Wikipilipinas, some rights reserved.

Cocoy Dayao

Cocoy is the Chief Technology Officer of Lab Rats Technica, a Digital Consulting company that specialises in DevOps, iOS, and Web Apps, E-Commerce sites, Cybersecurity and Social Media consulting. He is a technology enthusiast, political junkie and social observer who enjoys a good cup of coffee, comic books, and tweets as @cocoy on twitter.

Cocoy is also the Managing Director and Editor-in-Chief of the ProPinoy Project.

Cocoy considers himself to be Liberal.