
The Manila Times - How to hack an automated election system

30 August 2017

By Nelson Celis | The Manila Times 

HACKING the automated election system (AES) has been a hot topic ever since the Commission on Elections (Comelec) started to implement the computerized system in the national and local elections in 2003. Nothing has materialized so far, even when former Chairman Benjamin Abalos challenged ethical hackers to penetrate the AES, offering a huge cash prize. The truly unforgettable incident last year was not the hacking of the AES but the actual hacking of Comelec’s databases of almost 80 million records, including the personal data of registered voters and Comelec employees, which resulted in the indictment of Chairman Andres Bautista for violating the Data Privacy Act, or RA 10173. That became popularly known as the ComeLeak case.

In the 1960s, hackers were dubbed nerds or geeks who did hardcore computer programming. They were skilled, intellectually advanced individuals with a keen thirst for knowledge. They were viewed as people who were locked in a room all day, programming nonstop.

These days, however, hackers are those who break into the computer systems of targeted organizations. Those who break in with malicious intent are called black hats, and those who penetrate a system with the organization’s knowledge and consent in order to test the code, without malicious intent, are called ethical hackers or white hats. There is another form of hacking called Internet activism, or hacktivism: the rebellious use of computers to promote a political agenda or social change. A hacktivist uses the same tools as a hacker to disrupt the services of targeted organizations and draw attention to a political or social cause.

Do you still remember what happened in 2012, when government websites, including that of Bangko Sentral ng Pilipinas, were defaced by the Anonymous Philippines Group (APG) to protest the Cybercrime Prevention Act of 2012, which penalizes online libel? In 2013, APG defaced the website of the Office of the Ombudsman, and its message against oppression and tyranny was seen under the Ombudsman’s press releases! Then, after the release of the ruling on the arbitration case filed by the Philippines against China last year, at least 68 government websites were hit by various forms of cyberattack, such as attempted defacement and denial of service. The initial investigation into the source of the attacks tended to point to an entity from the Netherlands.

What about ComeLeak? Was it merely a hacking activity, and with what objective? To gain financially by exposing the records of registered voters? Or was it merely an act of hacktivism before the May 9, 2016 national and local elections, just to show how vulnerable Comelec’s information systems and its AES were?

Regarding the call for ethical hackers in 2003, what was it for? Was it to prove that vulnerability assessment and penetration testing (VAPT) by ethical hackers would give Comelec a clue as to whether the automated counting machines (ACMs) and related systems for the supposedly automated 2004 elections could be hacked by black hats? Those were just some of the questions being floated that were left hanging when the Supreme Court stopped the implementation of the AES in January 2004 due to legal impediments to the project. Similarly, VAPT was also recommended for the 2010, 2013 and 2016 elections but was never granted.

After 14 years of waiting, the hacking of the AES will be shown live at the forthcoming ManilaCon 2017 event of the Information Systems Security Society of the Philippines (ISSSP). It took the ISSSP to come up with such an event, as Comelec might not have learned from the past how to mitigate the security risks and breaches that it has actually experienced (e.g., the changing of “?” to “ñ,” presence of digital lines, no digital signing, no source code review, non-implementation of compensating controls as recommended by Systest Labs, etc.). The ISSSP event will take place on September 11 to 12, 2017, at the Dusit Hotel, and will coincide with the group’s 15th anniversary celebration.

The event’s theme is “Secure IT 2020: Protecting the digital YOU.” The event is divided into three tracks: Track 1 – Policies, standards and technologies; Track 2 – Legal matters; and, Track 3 – Data protection officers. The details of each track may be viewed at

The much-awaited live hacking is the showcase of ManilaCon 2017. It falls under Track 2, Session 206, with the topic title “How to hack an automated election system.” The session is divided into three parts, namely: Part 1: Presentation of the Smart Hack IT Intercollegiate Competition winner; Part 2: Live hacking of an election counting machine; and, Part 3: Panel discussion on how to hack an AES.

Part 1 aims to help the Comelec and other relevant stakeholders become aware of potential hacks, security breaches and weaknesses of the AES. The contest is open to all college students forming five-member red teams. The details, mechanics and prize information may be viewed at In Part 2, the hackers will show the audience how to change the election results of a counting machine. Lastly, in Part 3, lawyer Ivan Uy will be the discussant at a panel discussion with election stakeholders.

At the end of the event, ISSSP will come up with resolutions to be submitted to Congress, DICT, Comelec, CHEd, and other relevant agencies on the strategic means of “Protecting the digital YOU.”