Want To Know Just How Bad Security Is For E-Voting Machines?

from the read-this dept

You may recall earlier this month that a judge in New Jersey barred some researchers from releasing their report into the security vulnerabilities found in e-voting machines from Sequoia that were being used in the state. Sequoia had fought hard to stop the research from even being done in the first place, let alone released, even threatening the researchers with lawsuits. Now, one of the researchers who did the research, Andrew Appel, has released a long report detailing a ridiculous number of security problems with Sequoia’s machines. To be honest, it’s not clear from the blog post about the report if this is the same one that’s being suppressed or not, but it’s pretty damning. Because this is an important issue that doesn’t necessarily get enough attention, I’m reposting Appel’s executive summary of just how screwed up these machines are:

Executive Summary

I. The AVC Advantage 9.00 is easily “hacked” by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this “hack” takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County’s Board of Elections uses to add up votes from all the different precincts.)

III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

V. Sequoia’s sloppy software practices can lead to error and insecurity. Wyle’s Independent Testing Authority (ITA) reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.

Happy voting!

Filed Under: , , ,
Companies: sequoia

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Want To Know Just How Bad Security Is For E-Voting Machines?”

Subscribe: RSS Leave a comment
48 Comments
Rich Kulawiec says:

It’s clear that these machines should instantly be removed from use nationwide — but then again, that’s been clear for years. It seems that those who administer our elections either (a) aren’t intelligent enough to grasp this or (b) are, but simply refuse to protect the franchise because it serves them to do otherwise.

Our elections are a joke, and the entire rest of the world is laughing at our ineptness.

Marc says:

Re: Re:

While normally I would say yes, at least we Europeans love to laugh about America, this is not so in this case as governments try to push e-voting here as well and we try to fight that as well as the machines used here are equally insecure and I would even go so far as to say “amateurish”. So what happens in America is bound to happen here as well soon because our politicians are just as dumb and play the deaf monkey when experts tell them about the security risks or the fact that it violates the most important democratic principle: anonymous yet verifyable voting.

reed says:

E-voting is E-retarded

A company that produces such an insecure machine for voting purposes should be fined into non-existence.

That would set a good example for the next “private” venture into electronic voting territory.

Better yet why not have a public non-profit develop the hardware and software with an open source model. I for one would rather be aware of a weakness than be in the dark about where a vote is going.

This is serious stuff, but no-one is addressing it. To me that means there is a real reason to keep the existing machines going and that reason is more than likely voter fraud.

Jesse says:

“Our elections are a joke, and the entire rest of the world is laughing at our ineptness.”

I’m from Canada, and I like nothing more than to laugh at American ineptness. It’s our favorite activity up here. Check out Rick Mercer’s movie “Talking to Americans.” Classic.

I don’t think we do e-voting up here. I vote behind a cardboard wall, with a little half Ikea/golf pencil, and then I put my ballet into a cardboard box. Very secure. Don’t worry, the cardboard box is locked.

Of course, we have like 5 different major parties, so nobody ever “wins” anyways.

Gordon the Beaver says:

Re: Re:

So true … so true. Laughing at Americans is a country wide pastime.

FYI, the carboard box is not let out of sight and is counted right after closing by scrutineers of at least two parties who also match against ballot count.

We vote in minority governments, so one party always gets scrutinized by the other. Keeps ’em hopping, but not much gets done.

Lance says:

Tech hacks of Voting Machines

Your looking at the problem incorrectly. In the past, ballot boxes where stuffed. Which is a electronic hack equivelent. What security surrounding the deployment & use of the units is really what needs to be figured out. Anyway the future is in secured vote from home over the internet. It is going to shake up the whole political system. Pushing out the good old boys, by allowing a greater voting base then we have ever had in history. Imagine casting your voting over the phone. Soldiers in the feild can change their commander in chief at a dial tone!

Michael says:

Re: Tech hacks of Voting Machines

You forgot some important steps, like the receipt from your paper ballot, and the fact that physical ballots can be counted and inspected where e-votes cannot, the fact that Americans aren’t protesting in the streets over this is telling, does no one care that democracy has been stolen? There is a black hat group that wants to cheat the e-voting machines to elect Ron Paul, watch for odd totals on election night.

magdalene says:

Re: Tech hacks of Voting Machines

getting the cardboard boxes and the pencils back out. If the new system
works worst than the last, you revert, you do NOT move up in the ladder
of technology till the next level works better than the one you use now
works phenomenally better than the one you are leaving to go use it. No
matter what they promised it *would* do, if it doesn’t do that, you take
it back if it doesn’t do what they promised. You do that for buying
anything else you buy. Cars, Electronic stereos, TV’s. Hold your
Technology up to the same standards. I know the Government would be
PISSED if they found out the missles they bought from their SCUD
provider actually let the enemy in to deprogram the trajectories. They
would not stand for that. They would be DEMANDING them fix it or take em
back with extreme prejudice. So the questions you should be asking is.
Why aren’t they doing that with these machines?
-Magdalene

I like the box. its a nice cardboard box… nice pencil too… now if we
could just get people out to vote.

KJ says:

In all seriousness, with the scrutineers, the 2 piece ballots (each ballot has a numbered tag that is torn off and is counted separately I believe to ensure that there are no discrepancies with the number of ballots cast vs received), the voting lists (although there are always problems with those) – Canada has a pretty secure system, even if it is lo-tech.

TheOldFart (profile) says:

So much crap that was resolved ages ago

Casino gaming machines and lottery ticket sale terminals solved pretty much all of these problems ages ago.

Casino devices require at least two keys, the main logic boards require a different key than the one used to empty the coin buckets or change paper in the printer. So unauthorized access is much more difficult.

All doors on the machines have access detectors that are extremely difficult to cheat. They’re even battery backed up so they can detect accesses while the machine is turned off.

The machine can be challenged to checksum its its ROM with a seed provided by a host computer. That checksum cannot be calculated without having an actual bit-by-bit copy of the code that it was registered with and since the host selects the seed the values must have the correct data to produce the right answer. In the case of small embedded systems like a Z80 that means the only way to fake it is with a hardware hack that contains both the new/hacked firmware and a complete copy of the original firmware. That’s relatively easy to detect when someone has added memory or replaced the CPU.

There are no “big heists” involving Megabucks and Nevada Nickels and such because it’s a fairly bulletproof system even though it involves multiple manufacturers devices, many of which are still simple micro-controller based systems. If a couple of dozen manufacturers can all hit those levels of security why can’t the vote machine manufacturers?

I’ve designed and built software for such systems, it’s not that difficult to do and it’s not expensive. They run 24×7 for months on end without requiring reset or reboot. All it takes is a commitment to quality and use of external labs to review and test.

A lot of fuss over nothing except corporate sleaze/greed. They want to produce cheap devices and keep costs down by hiring script kiddies to hack code into place. Typical government supplier tactics.

Anonymous Coward says:

Re: So much crap that was resolved ages ago

aww its cute, you’re a sucke–i mean trusting person (like a 5 year old who must be told not to trust strangers) well, when you grow up and realize that people are corrupt and someone may try (and obviosly isnt that hard) to alter the election, you wont give your social security number to the next man with a spanish accent who calls from ‘el FBI’ making sure you’re legal. dont trust the internet, the goverment, or people who offer you candy. (this includes secrataries for all you saps out there)

–poopdog

Peter says:

Re: So much crap that was resolved ages ago

Gaming companies and casinos are protecting their profits. It makes perfect economical sense to make sure that nobody tinkers with those machines.

Does government itself have such “strong” need to make sure votes are counted correctly? Or does it rest on “protecting the principles”, looked after by averagely paid government worker? What about government contractors that stand to gain profit by cutting corners on quality and testing (moral and ethics issues aside)? How do companies like Sequoia even get picked to supply the machines in the first place? Who looks over their shoulders?

My point is, you bring up a great example of how it’s absolutely possible to make these systems secure – IF there is enough motivation (economical or otherwise). Technology is there.

djaybe (user link) says:

so

i agree on the security issues, but what difference does it make? the 2 parties have been preselected by banks and corporations. the election is a charade, giving the appearance of a democracy. we can’t vote for Ron Paul which would be the educated choice. the media has some responsibility in this as well, however they are controlled/owned by the same 4 corporate entities that were part of selected the 2 parties.

can u c?

Mayor Daley says:

The obvious answer isn’t that we can’t build a secure vote-tallying machine, but that those in power don’t WANT a secure vote-tallying machine. Face it, if you’re involved in fraud and have already stolen 2 national elections, why would you want to bring in equipment that you can’t manipulate? You wouldn’t. You’d be willing to pay extra for machines that are extremely EASY to commit voter fraud with, and that’s exactly what we’ve got.

Rich Kulawiec says:

Re: Re:

This is of course entirely correct — Diebold et.al. have every reason to build hackable machines and no reason to build secure machines.

But there’s another reason why building such machines is MUCH more difficult than building gambling systems: the attacker’s budget. No sane person would spend $10M to hack a casino system that pays off a maximum of $100K. But (and see Bruce Schneier’s analysis on this) we must presume that the minimum budget available to an attacker seeking to subvert the US electoral process is $100M. (And Bruce’s estimate, made in the last cycle, seems to me to now be
too low. I’d say $250M, minimum.)

That kind of budget will buy you insiders, custom chip fabrication, and all kinds of things that are way outside the reach and budget of those attacking casino systems.
So while the technological measures suggested upthread are all plausibly good ideas, they’re not even CLOSE to what’s required to secure a voting system.

TheOldFart (profile) says:

Re: Re: Re:

Incorrect on a few points.

First, the reason I cited Megabucks in particular is the size of the jackpots. The last payout on Megabucks was over $21M. These are progressive jackpots, some are limited to certain groups of machines, others are city-wide and state-wide jackpots and the are very significant chunks of money.

Second, the more people involved in the fraud, the higher the odds of it being detected. If someone was spreading $100M around – or even $250M – someone at some point would either make a mistake or intentionally blab because the book and movie rights to the story would be easily worth $100M.

To hack a national or state-wide election would require action on many, many machines in many locations. If only a few machines were hacked the votes would have to be hacked by such a significant amount that simple statistical analysis would show probable cause for an investigation.

$100M to $250M would buy the hijacking and/or stuffing of paper ballot boxes.

re: internet voting – I think an internet based system would be good. Maybe not for placing the votes but definitely for monitoring the voting process. The red flags like the ones in Florida where impossible/unexpected percentages of people were voting for fringe candidates would be very visible if the eyes of the internet were on the voting times/patterns.

Have the poll workers update a counter on a website every time someone entered the polling place and another counter every time someone left. Have the machines do real-time updates of the number of votes they’ve recorded. If the numbers don’t closely match then something has gone wrong or been hacked.

Definitely not foolproof but it’s about impossible to make a foolproof system, they’re always inventing better fools. Perfection is impossible regardless of how votes are counted, all you can aim for with either a paper or electronic system is a high probability of correctness. So aim to maximize correctness and make sure multiple checks are in place to try and detect any problems.

There are lots of clever math and stats types out there who could come up with a lot of ways to check and cross-check the voting stats and it’d be pretty easy to implement those algorithms in software. If the raw numbers are published for post-analysis I can’t imagine a significant bit of hacking going completely undetected.

Bob says:

Like paper voting is any better

I have heard from non-partition election watchers that ballot boxes routinely come in the counting HQ with there seals missing(the ones put on to show no one has opened the boxes holding the ballets when the leave the poling places) and the people unloading the boxes simply attach a new seal before they are taken in to be counted.

Officials said the seals can sometime be broken off in transit so thats why they have to attach new ones. When asked why even use the seals they said to keep the ballets secure.

Here in WA 2 years ago there was basically a tie for the governors race, it went though 2 re-counts and both times the same person came out ahead by like 100 votes. Then about 3 weeks after the election, King County (the states largest, Seattle is in King) came out and said it found several boxes of uncounted ballets. They had been put away and stored in a unsecured room by mistake. After a short court fight (with some saying these ballets could not be verified and could have been filled out by anyone at anytime) the courts let the new ballets be counted and it changed the totals and the winner of the first 2 recounts lost.

Anonymous Coward says:

Re: Like paper voting is any better

Uhh that’s why you don’t move the boxes when you count the ballots. You count them in a distributed fashion, counting each box right there at the poll and then sum the totals from each box. Each polling place counts their boxes, on after another and report by telephone the totals _per box_.

Anonymous Coward says:

Re: Like paper voting is any better

What are you talking about? There was a single hand recount of 2.8 million ballots (which would have been impossible with electronic voting machines), the effect of which was that Rossi lost four votes from the total, pushing Gregoire’s margin to 133. Rossi’s campaign tried to sue, claiming that it was rigged, Judge Bridges ruled against them and that was the end of it.

The point, however, is that paper voting IS better. Clearly better. There WAS A RECOUNT, which would have been utterly impossible with electronic voting machines.

Eric says:

Re: Re: Recount does not make sense

With e-voting, you have a computer chip adding the numbers, and that’s what they do for a living, and there are mathematical+cryptographic ways of ensuring that the counts are correct, given the inputs, so a recount by people is just an opportunity to add human error into the process.

What you need for e-voting is transparency: open-source everything, inspectable by every programmer and mathematician in the world to confirm the answer collecting and counting algorithms and the algorithms that prevent/detect tampering with results or any intermediate stored/transmitted forms of the answers.

Sacha says:

Re: Re: Re: Recount does not make sense

“there are mathematical+cryptographic ways of ensuring that the counts are correct”

Not true. The only way to guarantee that a machine counts your vote correctly is to throw away privacy and publish a list, that everyone can check, of who voted for what. You must trust the machine’s designers.

OTOH, with a paper ballot, you must trust the rest of the election process: the ballot takers, counters, etc.

The difference is the magnitude of possible fraudulent behaviour. A villainous ballot taker, for example, can at affect at most the ballots that they take, and at considerable risk, too, considering that physical paper must be smuggled into and/or out of the box. The designers of a vote counting machine can affect multiple precincts from the safety of their cubicals…

American Voter says:

WHAT ABOUT HARD HACKS?

Forget Software / System hacks …

These things are electronic without (I assume) battery
backups that will run for the required 12 hours of voting
(give or take).

What about – a building power outage caused by a car wreck,
popped circuit breaker, thunderstorm?

What about black spray paint on the screens?

What about JB Weld put in the power plugs?

What about an electrician’s wire cutter?

What about a short circuit device plugged in some other
outlet in the room with the machines?

Seems to me it would be easy to take out an entire polling
place with just a couple of items.

And this is secure? Yeah, right.

Anonymous Coward says:

Re: WHAT ABOUT HARD HACKS?

If a polling station gets taken out in one of these ways, voters will notice. The poll operators would be able to switch to an emergency manual poll, redirect voters to a working polling station, or whatever.

If polling stations get hacked, it could be that nobody ever finds out it happened.

magdalene says:

previous post

oh, and yes, in Canada, we use the boxes, they are counted after the polls close at the polling station and matched to the number torn off the ballot when we put it in the box after we voted. recounted by all party members present, agreed apon and phoned in to elections canada from the polling station.

it works, if it works don’t fix it.

what we do need to fix, is getting lame couch potatoes off their asses and out to vote.

If you don’t vote,
you can’t bitch.
-m

zheembeaux (user link) says:

voting machines that work

i voted on a machine several years ago that had a little window below the electronic touch screen, and a sealed box below.

When i pressed Finish, the machine whirred and a piece of paper like a cash-register receipt came out of the cash register style printer. Turns out it was a top copy and a carbon. The top copy curled up and i took it and the lower copy (which i couldn’t touch) went into the box below. The lower copy was under a window so i could see that it was the same as the upper copy.

So, i had a receipt of my vote, and i saw a copy go into a box. I’m also certain that there was an electronic record that was sent in electronically when the election was finished.

Let’s have more machines like this.. It ain’t perfect but it answers most of my security and recount questions, which none of the other machines do.

Michael A. Keough says:

Undervotes Gone Wild with Electronic Machine Voting Results!!!!

My name is Michael Keough and I am a New Jersey Registered Voter who has voted in every applicable election opportunity since I after I reached the age of eighteen years old. I take my voting rights very seriously – and I am Adamant for Justice!

It clearly appears to me that there has been a huge degree of Undervotes (an intended vote which did not properly process as such and therefore is not counted and the intended voter likely has gotten the “shafteroozy” of injustice!). I will use the Passaic County on-line web site(referred to as “unofficial” results until all provisional votes are not yet fully in) 11/5/2008 reported election results for an example: Totowa Borough Council reports a Whopping 3,555 Undervotes vs 6,978 which counted as properly processed votes; North Haledon Borough Council reports a Whopping 3,628 Undervotes vs 5,847 which counted as properly processed votes; Pompton Lakes Borough Council reports a sad 1,112 Undervotes vs 9,834 properly processed and counted votes; Passaic City Council-at large reports a hugely inappropriate 5,143 Undervotes vs 14,250 properly processed votes which count towards electing the candidates; (and here is the real kicker of injustice) pertaining to Public Question #1 an enormous 105,329 Undervotes are reported vs only 78,882 which actually were properly counted; and pertaining to Public Question #2 106,881 Udervotes are reported vs only 77,256 which were properly processed and counted as votes. The Voters of the United States of America Need to WAKE UP AND SMELL THE UNDERVOTES BECAUSE IT CLEARLY APPEARS THAT THE CURRENTLY USED AND RECENT PAST UTILIZED ELECTRONIC VOTING BOOTHS REALLY STINK! There can be no true democracy in the absence of a Bona-Fide and reasonably effective voting booth system. All the campaigning in the world will and votes intended to be casted will not truly matter until if and when the currently utilized electronic voting booths are replaced with ones that honestly and competently register our votes!

Michael A. Keough, SCRREA, IFA, CTA
My name is Michael Keough and I am a New Jersey Registered Voter who has voted in every applicable election opportunity since I after I reached the age of eighteen years old. I take my voting rights very seriously – and I am Adamant for Justice!

It clearly appears to me that there has been a huge degree of Undervotes (an intended vote which did not properly process as such and therefore is not counted and the intended voter likely has gotten the “shafteroozy” of injustice!). I will use the Passaic County on-line web site(referred to as “unofficial” results until all provisional votes are not yet fully in) 11/5/2008 reported election results for an example: Totowa Borough Council reports a Whopping 3,555 Undervotes vs 6,978 which counted as properly processed votes; North Haledon Borough Council reports a Whopping 3,628 Undervotes vs 5,847 which counted as properly processed votes; Pompton Lakes Borough Council reports a sad 1,112 Undervotes vs 9,834 properly processed and counted votes; Passaic City Council-at large reports a hugely inappropriate 5,143 Undervotes vs 14,250 properly processed votes which count towards electing the candidates; (and here is the real kicker of injustice) pertaining to Public Question #1 an enormous 105,329 Undervotes are reported vs only 78,882 which actually were properly counted; and pertaining to Public Question #2 106,881 Udervotes are reported vs only 77,256 which were properly processed and counted as votes. The Voters of the United States of America Need to WAKE UP AND SMELL THE UNDERVOTES BECAUSE IT CLEARLY APPEARS THAT THE CURRENTLY USED AND RECENT PAST UTILIZED ELECTRONIC VOTING BOOTHS REALLY STINK! There can be no true democracy in the absence of a Bona-Fide and reasonably effective voting booth system. All the campaigning in the world will and votes intended to be casted will not truly matter until if and when the currently utilized electronic voting booths are replaced with ones that honestly and competently register our votes!

Michael A. Keough, SCRREA, IFA, CTA
MICHAEL A. KEOUGH APPRAISALS
Pompton Lakes, N.J. 07442

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...