Article: Overview of Major Expert Studies on Voting Systems

Clearly, this overview can and should be expanded, given adequate funding.

Reports Reviewed:

1. Brennan Center, The Machinery of Democracy: Protecting Elections in an Electronic World,
2006 http://www.brennancenter.org/programs/downloads/Full%20Report.pdf

2. Compuware Corp. DRE Technical Security Assessment Report for Ohio, November 2003.
Congressional Research Service, Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues. (Order Code RL32139) November 4, 2003. click here

3. Congressional Research Service, Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues. (Order Code RL32139) November 4, 2003. click here

4. Election Science Institute, 2006, "DRE Analysis for May 2006 Primary Cuyahoga County, Ohio"
http://www.cuyahogacounty.us/bocc/GSC/pdf/esi_cuyahoga_final.pdf or see http://www.electionscience.org click on Cuyahoga County Report tab.

5. Princeton Study: Feldman, Ariel J., J.A. Halderman, and E.W. Felten, "Security Analysis of the Diebold AccuVote-TS Voting Machine," Center for Information Technology Policy and Dept. of Computer Science, Woodrow Wilson School of Public and International Affairs, Princeton University, 2006. http://itpolicy.princeton.edu/voting

6. Government Accountability Office, 2005, Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, but Key Activities Need to Be Completed http://www.gao.gov/new.items/d05956.pdf

7. Harry Hursti, Black Box Report Security Alert: July 4, 2005 Critical Security Issues with Diebold Optical Scan Design (1.94w), 2005, http://www.blackboxvoting.org/BBVtsxstudy.pdf

8. RABA Technologies LLC. Trusted Agent Report: Diebold AccuVote-TS Voting System (report prepared for Department of Legislative Services, Maryland General Assembly, Annapolis, Md., January 2004). http://www.raba.com/press/TA_Report_AccuVote.pdf

9. News article: Aviel Rubin, "On My Mind: Pull The Plug," Forbes Magazine, 8/2006 http://www.forbes.com/forbes/2006/0904/040.html?partner=alerts&_requestid=2972

10. News article: U.S. Commission on Federal Election Reform, 2006. "Reversing Course on Electronic Voting: Some Former Backers of Technology Seek Return to Paper Ballots, Citing Glitches, Fraud Fears," Wall Street Journal, May 12, 2006.
click here

Summaries

BRENNAN CENTER: The Machinery of Democracy: Protecting Elections in an Electronic World,
2006. http://www.brennancenter.org/programs/downloads/Full%20Report.pdf

Studied 3 voting systems by type: DRE, DRE w/VVPAT, and Optical Scan. Brennan identified 120 vulnerability points.

Report is limited to identifying the least difficult way to alter results on a statewide Basis. It's also limited to studying attacks that cannot be prevented by physical security and accounting measures taken by election officials.

The analysis further assumed that certain fundamental physical security and accounting procedures were already in place.

Concluded that it would take only one person, with a sophisticated technical knowledge and timely access to the software that runs the voting machines, to change the outcome.

All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.

The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level.

Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.

For all three types of voting systems:

1. When the goal is to change the outcome of a close statewide election, attacks that involve the insertion of Software Attack Programs or other corrupt software are the least difficult attacks.

2. Voting machines that have wireless components are significantly more vulnerable to a wide array of attacks.

DREs without voter-verified paper trails do not have available to them a powerful countermeasure to software attacks: post-election Automatic
Routine Audits that compare paper records to electronic records.

For DREs w/VVPT and PCOS:

1. The voter-verified paper record, by itself, is of questionable security value. The paper record has significant value only if an Automatic Routine Audit is performed (and a well-designed chain of custody and physical security procedures is followed).

2. Even if jurisdictions routinely conduct audits of voter-verified paper records, DREs w/VVPT and PCOS are vulnerable to certain software attacks or
errors.

*******************

COMPUWARE CORP. DRE Technical Security Assessment Report for Ohio, NOV. 2003. Confidential report prepared for Ohio Secretary of State Ken Blackwell, and later published on the web. High risks include:

With access to the supervisor card, someone could guess the four digit PIN. The four digit PIN is a factory default from Diebold and cannot be changed. In our test it was guessed in less than two minutes of testing.

Smart Card Writer - with access to the small handheld writer, someone could use a voting card more than once while at the voting booth.

Diebold's voting system uses MS Access as the database to store the Ballot definition, Audit logs and Tally results. The Database has no password protection. The audit logs and the tally results can be changed.

*******************

CONGRESSIONAL RESEARCH SERVICE, Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues. (Order Code RL32139) November 4, 2003. click here
This is a comprehensive report on several expert studies of electronic voting systems. Problems noted include:

There appears to be an emerging consensus that in general, current DREs do not adhere sufficiently to currently accepted security principles for computer systems, especially given the central importance of voting systems to the functioning of democratic government.

The ballot itself consists of redundant electronic records in the machine's computer memory banks, which the voter cannot see. This is analogous to the situation with mechanical lever voting machines, where casting the ballot moves counters that are out of view of the voter. In a lever machine, if the appropriate counters do not move correctly when a voter casts the ballot, the voter will not know, nor would an observer. Similarly, with a DRE, if the machine recorded a result in its memory that was different from what the voter chose, neither the voter nor an observer would know.

The same is true with a computerized counting system when it reads punch cards or optical scan ballots. Even if the ballot is tabulated in the precinct and fed into the reading device in the presence of the voter, neither the voter nor the pollworker manning the reader can see what it is recording in its memory.

Malicious computer code, or malware, can often be written in such a way that it is very difficult to detect.

DRE software is moderately complex, and it is generally accepted that the more complex a piece of software is, the more difficult it can be to detect unauthorized modifications.

Most manufacturers of DREs treat their software code as proprietary information and therefore not available for public scrutiny. Consequently, it is not possible for experts not associated with the companies to determine how vulnerable the code is to tampering.

The most extensive examination of security was performed by scientists at the California Institute of Technology and the Massachusetts Institute of Technology. The Caltech/MIT report identified four main security strengths of the electoral process that has evolved in the United States:

" the openness of the election process, which permits observation of counting and other aspects of election procedure;
" the decentralization of elections and the division of labor among different levels of government and different groups of people;
" equipment that produces "redundant trusted recordings" of votes; and
" the public nature and control of the election process.

The report expressed concern that current trends in electronic voting are weakening those strengths and pose significant risks.

*******************

ELECTION SCIENCE INSTITUTE, 2006, "DRE Analysis for May 2006 Primary Cuyahoga County, Ohio"
http://www.cuyahogacounty.us/bocc/GSC/pdf/esi_cuyahoga_final.pdf or see http://www.electionscience.org click on Cuyahoga County Report tab.

The current election system contains significant threats to inventory control of mission critical election assets, error-free vote tabulation, and tabulation transparency.

The machines' four sources of vote totals - VVPAT individual ballots, VVPAT summary, election archive, and memory cards - did not agree with one another.

Due to limits in the data, software computational abnormality contributing to the count inaccuracies cannot be ruled out. Computational abnormality could be the result of a failure to adequately test the voting equipment before the election or to manage the various databases appropriately.

A lack of inventory controls and gaps in the chain of custody of mission critical assets, such as DRE memory cards, DRE units, and VVPAT cartridges, resulted in a significant amount of missing data. Because of the missing data, ESI is unable to give a definitive opinion of the accuracy of the Diebold TSX system.

In multi-precinct polling places, voters could vote on machines located in other precincts. Accordingly, ballots from a number of precincts appeared on the same VVPAT tape. VVPAT ballots, however, lack a header identifying the precinct. Without this information, it is not possible to conduct a precinct-level tally of the VVPAT ballots.

Consider that each machine has a printer and potentially multiple rolls of paper. Paper records of votes (the official records) may be lost without voters' awareness because of paper jams, paper not being loaded properly, ink issues, and other problems.

Lack of a standardized proven manual count process is likely to result in recount error and inefficiency.

*******************

PRINCETON STUDY: Feldman, Ariel J., J.A. Halderman, and E.W. Felten, "Security Analysis of the Diebold AccuVote-TS Voting Machine," Center for Information Technology Policy and Dept. of Computer Science, Woodrow Wilson School of Public and International Affairs, Princeton University, 2006. http://itpolicy.princeton.edu/voting Link to video: http://itpolicy.princeton.edu/voting/videos.html

The Diebold AccuVote-TS and its newer relative the AccuVote-TSx are together the most widely deployed electronic voting platform in the United States [8]. In the November 2006 general election, these machines are scheduled to be used in 357 counties representing nearly 10% of registered voters (~ 15 million).

All of Maryland and Georgia-will employ the AccuVote-TS model. More than 33,000 of the TS machines are in service nationwide.

The machine is vulnerable to a number of extremely serious attacks that undermine the
accuracy and credibility of the vote counts it produces.

1. Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

3. AccuVote-TS machines are susceptible to voting-machine viruses-computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.

4. While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.

*******************

GOVERNMENT ACCOUNTABILITY OFFICE, 2005, Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, but Key Activities Need to Be Completed http://www.gao.gov/new.items/d05956.pdf Voting system vulnerabilities and problems found include:

" Cast ballots, ballot definition files, and audit logs could be modified;
" Supervisor functions were protected with weak or easily guessed passwords;
" Systems had easily picked locks and power switches that were exposed and unprotected;
" Local jurisdictions misconfigured their electronic voting systems, leading to election day problems;
" Voting systems experienced operational failures during elections;
" Vendors installed uncertified software;
" Some electronic voting systems did not encrypt cast ballots or system audit logs, and it was possible to alter both without being detected;
" It was possible to alter the files that define how a ballot looks and works so that the votes for one candidate could be recorded for a different candidate.

*******************

HARRY HURSTI, BLACK BOX REPORT Security Alert: July 4, 2005 Critical Security Issues with Diebold Optical Scan Design (1.94w), 2005, http://www.blackboxvoting.org/BBVtsxstudy.pdf Some of the key findings include:

With this design, the functionality - the critical element to be certified during the certification process -- can be modified every time an election is prepared. Functionality is downloaded separately into each and every machine, via memory card, for every election. With this design, there is no way to verify that the certified or even standard functionality is maintained from one voting machine to the next.

Paper trail falsification - Ability to modify the election results reports so that they do not match the actual vote data 1.1) Production of false optical scan reports to facilitate checks and balances (matching the optical scan report to the central tabulator report), in order to conceal attacks like redistribution of the votes or Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)

Removal of information about pre-loaded votes 2.1) Ability to hide pre-loaded votes 2.2) Ability to hide a pre-arranged integer overflow

The exploits demonstrated in the false optical scan machine reports ("poll tapes") shown on page 16 do not change the votes, only the report of the votes. When combined with the Trojan horse attack demonstrated by Dr. Thompson, this attack vector maintains an illusion of integrity by producing false reports to match the contaminated central tabulator report. The exploit demonstrated in the poll tape with a true report containing false votes, shown on page 18, changes the votes but not the report. This example pre-stuffs the ballot box in such a way as to produce an integer overflow. In this exploit, a small number of votes is loaded for one candidate, offset by a large number of votes for the opposing candidate such that the sum of the numbers, because of the overflow, will be zero. The large number is designed to trigger an integer overflow such that after a certain number of votes is received it will flip the vote counter over to begin counting from zero for that candidate.

*******************

RABA TECHNOLOGIES, Trusted Agent Report: Diebold AccuVote-TS Voting System (report prepared for Department of Legislative Services, Maryland General Assembly, Annapolis, Md., January 2004). http://www.raba.com/press/TA_Report_AccuVote.pdf

The general lack of security awareness, as reflected in the Diebold code, is a valid and troubling revelation. In addition, it is not evident that widely accepted standards of software development were followed.

Knowing the password, a smart card can be replicated, and the voter can vote multiple times. RABA was able to guess the passwords quickly, and access each card's contents (Supervisor Card, Voter Card, and Security Key Card). Given access to the cards' contents it became an easy matter to duplicate them, to change a voter card to a supervisor card (and vice versa) and to reinitialize a voter card so that it could be used to vote multiple times.

The use of hardcoded passwords is surprising both as an inferior design principle and in light of them being published openly in the Hopkins report. It must be assumed these passwords are well known.

The contents of these cards are neither encrypted nor digitally signed. Thus, for example, the
PIN associated with a Supervisor Card23 can be read directly from the card - provided the password is known. This means creating Supervisor Cards is a simple task: a perpetrator could program his card with an arbitrary PIN that the AccuVote-TS would readily accept.

It is reasonable to assume that a working key to the AccuVote hardware is available to an attacker. The hardware consists of a touch-screen voting terminal with two locked bays. Maryland has ordered approximately 16,000 AccuVote-TS terminals each equipped with two locking bays and supplied with two keys accounting for 32,000 locks and keys. Surprisingly, each lock is identical and can be opened by any one of the 32,000 keys. Furthermore, team members were able to have duplicates made at local hardware stores.

One team member picked the lock in approximately 10 seconds. Individuals with no experience (in picking locks) were able to pick the lock in approximately 1 minute.

A sampling of the vulnerabilities found as a result of poor physical security coupled with software that fails to use robust encryption and authentication include six methods of attack. (Not reproduced herein.)

The GEMS server lacks several critical security updates from Microsoft. The team was able to remotely upload, download and execute files with full system administrator privileges.

The server enables the "autorun" feature. Given physical access to the server, one can insert a CD that will automatically upload malicious software, modify or delete elections, or reorder ballot definitions.

The back panel of the GEMS server is not protected. Given physical access to a running device it is possible to insert a USB flash drive and upload malicious software onto the server.

The database files that contain the election definition (and results) are neither encrypted nor authentication protected. By removing the front panel of the server (this is held in place by a small keyed lock), one can insert a CD, power up the server, and have it boot its operating system off the CD. A sophisticated user can automate this procedure requiring only a few minutes access to the server.

Because both the database password and audit logs are stored within the database itself, it is possible to modify the contents without detection. Furthermore, system auditing is not configured to detect access to the database. Given either physical or remote access it is possible to modify the GEMS database.

The procedure by which precincts upload votes to their LBE is vulnerable to a "man-in-the-middle" attack.

The team identified fifteen additional Microsoft patches that have not been installed on the servers. In addition, the servers lack additional measures (all considered best practice) for defense such as the use of firewall antivirus programs as well as the application of least privilege, i.e. turning off the services that are unused or not needed. Each of these represents a potential attack vector for the determined adversary.

*******************

AVIEL RUBIN, National Science Foundation Director of ACCURATE Center, one of the authors with: Tadayoshi Kohno, Adam Stubblefield, and Dan S. Wallach. Analysis of an electronic voting system. In IEEE Symposium on Security and Privacy, May 2004.

Also see www.avirubin.com and "On My Mind: Pull The Plug," Forbes Magazine, 8/2006 http://www.forbes.com/forbes/2006/0904/040.html?partner=alerts&_requestid=2972

Why am I advocating the use of 17th-century technology for voting in the 21st century?

The boot loader controls which operating system, so it is the most security-critical piece of the machine. To (install overwriting software), a night janitor at the polling place would need only a few seconds' worth of access to the computer's memory card slot.

If the defense against the attack is not built into the voting system, the attack will work, and there are virtually limitless ways to attack a(n electronic) system.

*******************

U.S. COMMISSION ON FEDERAL ELECTION REFORM, 2006. See Wall Street Journal article, "Reversing Course on Electronic Voting: Some Former Backers of Technology Seek Return to Paper Ballots, Citing Glitches, Fraud Fears," Wall Street Journal, May 12, 2006.
click here

Former Secretary of State James A. Baker III and former President Jimmy Carter, who were co-chairmen of the bipartisan Commission on Federal Election Reform, warned in their 2005 final report that (fraud) could happen.

"Software can be modified maliciously before being installed into individual voting machines. There is no reason to trust insiders in the election industry any more than in other industries."