Want To Know Just How Bad Security Is For E-Voting Machines?
from the read-this dept
You may recall earlier this month that a judge in New Jersey barred some researchers from releasing their report into the security vulnerabilities found in e-voting machines from Sequoia that were being used in the state. Sequoia had fought hard to stop the research from even being done in the first place, let alone released, even threatening the researchers with lawsuits. Now, one of the researchers who did the research, Andrew Appel, has released a long report detailing a ridiculous number of security problems with Sequoia's machines. To be honest, it's not clear from the blog post about the report if this is the same one that's being suppressed or not, but it's pretty damning. Because this is an important issue that doesn't necessarily get enough attention, I'm reposting Appel's executive summary of just how screwed up these machines are:Happy voting!Executive Summary
I. The AVC Advantage 9.00 is easily "hacked" by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this "hack" takes just 7 minutes to perform.
The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.
II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County's Board of Elections uses to add up votes from all the different precincts.)
III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.
IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.
V. Sequoia's sloppy software practices can lead to error and insecurity. Wyle's Independent Testing Authority (ITA) reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.
VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.
VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.
VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: e-voting, new jersey, security, vulnerabilities
Companies: sequoia
Reader Comments
Subscribe: RSS
View by: Time | Thread
Our elections are a joke, and the entire rest of the world is laughing at our ineptness.
[ link to this | view in thread ]
E-voting is E-retarded
That would set a good example for the next "private" venture into electronic voting territory.
Better yet why not have a public non-profit develop the hardware and software with an open source model. I for one would rather be aware of a weakness than be in the dark about where a vote is going.
This is serious stuff, but no-one is addressing it. To me that means there is a real reason to keep the existing machines going and that reason is more than likely voter fraud.
[ link to this | view in thread ]
I'm from Canada, and I like nothing more than to laugh at American ineptness. It's our favorite activity up here. Check out Rick Mercer's movie "Talking to Americans." Classic.
I don't think we do e-voting up here. I vote behind a cardboard wall, with a little half Ikea/golf pencil, and then I put my ballet into a cardboard box. Very secure. Don't worry, the cardboard box is locked.
Of course, we have like 5 different major parties, so nobody ever "wins" anyways.
[ link to this | view in thread ]
Tech hacks of Voting Machines
[ link to this | view in thread ]
Queen rescinding the declaration of independence
Did you see that bit that went around after the last election? The one where the queen was rescinding the declaration of independence because the U.S. was unable to elect a leader?
That was beauty eh
[ link to this | view in thread ]
Re: Tech hacks of Voting Machines
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
just kidding...
[ link to this | view in thread ]
So much crap that was resolved ages ago
Casino devices require at least two keys, the main logic boards require a different key than the one used to empty the coin buckets or change paper in the printer. So unauthorized access is much more difficult.
All doors on the machines have access detectors that are extremely difficult to cheat. They're even battery backed up so they can detect accesses while the machine is turned off.
The machine can be challenged to checksum its its ROM with a seed provided by a host computer. That checksum cannot be calculated without having an actual bit-by-bit copy of the code that it was registered with and since the host selects the seed the values must have the correct data to produce the right answer. In the case of small embedded systems like a Z80 that means the only way to fake it is with a hardware hack that contains both the new/hacked firmware and a complete copy of the original firmware. That's relatively easy to detect when someone has added memory or replaced the CPU.
There are no "big heists" involving Megabucks and Nevada Nickels and such because it's a fairly bulletproof system even though it involves multiple manufacturers devices, many of which are still simple micro-controller based systems. If a couple of dozen manufacturers can all hit those levels of security why can't the vote machine manufacturers?
I've designed and built software for such systems, it's not that difficult to do and it's not expensive. They run 24x7 for months on end without requiring reset or reboot. All it takes is a commitment to quality and use of external labs to review and test.
A lot of fuss over nothing except corporate sleaze/greed. They want to produce cheap devices and keep costs down by hiring script kiddies to hack code into place. Typical government supplier tactics.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: So much crap that was resolved ages ago
[ link to this | view in thread ]
so
can u c?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Tech hacks of Voting Machines
Let's just put the election into the hands of millions of people whose computers are fully owned by whoever had the cash in hand to lease them that day, and let the botnet
operators decide the outcome.
I can't wait.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
But there's another reason why building such machines is MUCH more difficult than building gambling systems: the attacker's budget. No sane person would spend $10M to hack a casino system that pays off a maximum of $100K. But (and see Bruce Schneier's analysis on this) we must presume that the minimum budget available to an attacker seeking to subvert the US electoral process is $100M. (And Bruce's estimate, made in the last cycle, seems to me to now be
too low. I'd say $250M, minimum.)
That kind of budget will buy you insiders, custom chip fabrication, and all kinds of things that are way outside the reach and budget of those attacking casino systems.
So while the technological measures suggested upthread are all plausibly good ideas, they're not even CLOSE to what's required to secure a voting system.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Tech hacks of Voting Machines
I think my irony-meter just broke.
[ link to this | view in thread ]
Re: Re:
First, the reason I cited Megabucks in particular is the size of the jackpots. The last payout on Megabucks was over $21M. These are progressive jackpots, some are limited to certain groups of machines, others are city-wide and state-wide jackpots and the are very significant chunks of money.
Second, the more people involved in the fraud, the higher the odds of it being detected. If someone was spreading $100M around - or even $250M - someone at some point would either make a mistake or intentionally blab because the book and movie rights to the story would be easily worth $100M.
To hack a national or state-wide election would require action on many, many machines in many locations. If only a few machines were hacked the votes would have to be hacked by such a significant amount that simple statistical analysis would show probable cause for an investigation.
$100M to $250M would buy the hijacking and/or stuffing of paper ballot boxes.
re: internet voting - I think an internet based system would be good. Maybe not for placing the votes but definitely for monitoring the voting process. The red flags like the ones in Florida where impossible/unexpected percentages of people were voting for fringe candidates would be very visible if the eyes of the internet were on the voting times/patterns.
Have the poll workers update a counter on a website every time someone entered the polling place and another counter every time someone left. Have the machines do real-time updates of the number of votes they've recorded. If the numbers don't closely match then something has gone wrong or been hacked.
Definitely not foolproof but it's about impossible to make a foolproof system, they're always inventing better fools. Perfection is impossible regardless of how votes are counted, all you can aim for with either a paper or electronic system is a high probability of correctness. So aim to maximize correctness and make sure multiple checks are in place to try and detect any problems.
There are lots of clever math and stats types out there who could come up with a lot of ways to check and cross-check the voting stats and it'd be pretty easy to implement those algorithms in software. If the raw numbers are published for post-analysis I can't imagine a significant bit of hacking going completely undetected.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
FYI, the carboard box is not let out of sight and is counted right after closing by scrutineers of at least two parties who also match against ballot count.
We vote in minority governments, so one party always gets scrutinized by the other. Keeps 'em hopping, but not much gets done.
[ link to this | view in thread ]
Re: Re:
Remember, we are Americans too, North Americans that is. We are also the biggest country in North America and we are on top.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: E-voting is E-retarded
[ link to this | view in thread ]
Like paper voting is any better
Officials said the seals can sometime be broken off in transit so thats why they have to attach new ones. When asked why even use the seals they said to keep the ballets secure.
Here in WA 2 years ago there was basically a tie for the governors race, it went though 2 re-counts and both times the same person came out ahead by like 100 votes. Then about 3 weeks after the election, King County (the states largest, Seattle is in King) came out and said it found several boxes of uncounted ballets. They had been put away and stored in a unsecured room by mistake. After a short court fight (with some saying these ballets could not be verified and could have been filled out by anyone at anytime) the courts let the new ballets be counted and it changed the totals and the winner of the first 2 recounts lost.
[ link to this | view in thread ]
Re: Like paper voting is any better
[ link to this | view in thread ]
Keep the machines!
[ link to this | view in thread ]
Re: Like paper voting is any better
The point, however, is that paper voting IS better. Clearly better. There WAS A RECOUNT, which would have been utterly impossible with electronic voting machines.
[ link to this | view in thread ]
Re: So much crap that was resolved ages ago
--poopdog
[ link to this | view in thread ]
Seems like Democrats are afraid
Lots of banks an casinos have been online for years.
Wake up. You're being laughed at!
There is just no low that those that want power won't stoop to.
[ link to this | view in thread ]
WHAT ABOUT HARD HACKS?
These things are electronic without (I assume) battery
backups that will run for the required 12 hours of voting
(give or take).
What about - a building power outage caused by a car wreck,
popped circuit breaker, thunderstorm?
What about black spray paint on the screens?
What about JB Weld put in the power plugs?
What about an electrician's wire cutter?
What about a short circuit device plugged in some other
outlet in the room with the machines?
Seems to me it would be easy to take out an entire polling
place with just a couple of items.
And this is secure? Yeah, right.
[ link to this | view in thread ]
Hahah!
No wonder Aussies prefer Canadians....
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Hahah!
[ link to this | view in thread ]
Re: WHAT ABOUT HARD HACKS?
If polling stations get hacked, it could be that nobody ever finds out it happened.
[ link to this | view in thread ]
I am getting sick and tired
Reporting like this is an Outrage, outrage I say. Trying to be fair and honest. THIS iS JERSEY DAMMIT.
[ link to this | view in thread ]
Re: Re:
;0)
[ link to this | view in thread ]
Re: "our elections are a joke."
[ link to this | view in thread ]
Re: So much crap that was resolved ages ago
Does government itself have such "strong" need to make sure votes are counted correctly? Or does it rest on "protecting the principles", looked after by averagely paid government worker? What about government contractors that stand to gain profit by cutting corners on quality and testing (moral and ethics issues aside)? How do companies like Sequoia even get picked to supply the machines in the first place? Who looks over their shoulders?
My point is, you bring up a great example of how it's absolutely possible to make these systems secure - IF there is enough motivation (economical or otherwise). Technology is there.
[ link to this | view in thread ]
Recount does not make sense
What you need for e-voting is transparency: open-source everything, inspectable by every programmer and mathematician in the world to confirm the answer collecting and counting algorithms and the algorithms that prevent/detect tampering with results or any intermediate stored/transmitted forms of the answers.
[ link to this | view in thread ]
Re: Hahah!
[ link to this | view in thread ]
Re: Recount does not make sense
Not true. The only way to guarantee that a machine counts your vote correctly is to throw away privacy and publish a list, that everyone can check, of who voted for what. You must trust the machine's designers.
OTOH, with a paper ballot, you must trust the rest of the election process: the ballot takers, counters, etc.
The difference is the magnitude of possible fraudulent behaviour. A villainous ballot taker, for example, can at affect at most the ballots that they take, and at considerable risk, too, considering that physical paper must be smuggled into and/or out of the box. The designers of a vote counting machine can affect multiple precincts from the safety of their cubicals...
[ link to this | view in thread ]
Re: Tech hacks of Voting Machines
works worst than the last, you revert, you do NOT move up in the ladder
of technology till the next level works better than the one you use now
works phenomenally better than the one you are leaving to go use it. No
matter what they promised it *would* do, if it doesn't do that, you take
it back if it doesn't do what they promised. You do that for buying
anything else you buy. Cars, Electronic stereos, TV's. Hold your
Technology up to the same standards. I know the Government would be
PISSED if they found out the missles they bought from their SCUD
provider actually let the enemy in to deprogram the trajectories. They
would not stand for that. They would be DEMANDING them fix it or take em
back with extreme prejudice. So the questions you should be asking is.
Why aren't they doing that with these machines?
-Magdalene
I like the box. its a nice cardboard box... nice pencil too... now if we
could just get people out to vote.
[ link to this | view in thread ]
previous post
it works, if it works don't fix it.
what we do need to fix, is getting lame couch potatoes off their asses and out to vote.
If you don't vote,
you can't bitch.
-m
[ link to this | view in thread ]
voting machines that work
When i pressed Finish, the machine whirred and a piece of paper like a cash-register receipt came out of the cash register style printer. Turns out it was a top copy and a carbon. The top copy curled up and i took it and the lower copy (which i couldn't touch) went into the box below. The lower copy was under a window so i could see that it was the same as the upper copy.
So, i had a receipt of my vote, and i saw a copy go into a box. I'm also certain that there was an electronic record that was sent in electronically when the election was finished.
Let's have more machines like this.. It ain't perfect but it answers most of my security and recount questions, which none of the other machines do.
[ link to this | view in thread ]
Undervotes Gone Wild with Electronic Machine Voting Results!!!!
It clearly appears to me that there has been a huge degree of Undervotes (an intended vote which did not properly process as such and therefore is not counted and the intended voter likely has gotten the "shafteroozy" of injustice!). I will use the Passaic County on-line web site(referred to as "unofficial" results until all provisional votes are not yet fully in) 11/5/2008 reported election results for an example: Totowa Borough Council reports a Whopping 3,555 Undervotes vs 6,978 which counted as properly processed votes; North Haledon Borough Council reports a Whopping 3,628 Undervotes vs 5,847 which counted as properly processed votes; Pompton Lakes Borough Council reports a sad 1,112 Undervotes vs 9,834 properly processed and counted votes; Passaic City Council-at large reports a hugely inappropriate 5,143 Undervotes vs 14,250 properly processed votes which count towards electing the candidates; (and here is the real kicker of injustice) pertaining to Public Question #1 an enormous 105,329 Undervotes are reported vs only 78,882 which actually were properly counted; and pertaining to Public Question #2 106,881 Udervotes are reported vs only 77,256 which were properly processed and counted as votes. The Voters of the United States of America Need to WAKE UP AND SMELL THE UNDERVOTES BECAUSE IT CLEARLY APPEARS THAT THE CURRENTLY USED AND RECENT PAST UTILIZED ELECTRONIC VOTING BOOTHS REALLY STINK! There can be no true democracy in the absence of a Bona-Fide and reasonably effective voting booth system. All the campaigning in the world will and votes intended to be casted will not truly matter until if and when the currently utilized electronic voting booths are replaced with ones that honestly and competently register our votes!
Michael A. Keough, SCRREA, IFA, CTA
My name is Michael Keough and I am a New Jersey Registered Voter who has voted in every applicable election opportunity since I after I reached the age of eighteen years old. I take my voting rights very seriously - and I am Adamant for Justice!
It clearly appears to me that there has been a huge degree of Undervotes (an intended vote which did not properly process as such and therefore is not counted and the intended voter likely has gotten the "shafteroozy" of injustice!). I will use the Passaic County on-line web site(referred to as "unofficial" results until all provisional votes are not yet fully in) 11/5/2008 reported election results for an example: Totowa Borough Council reports a Whopping 3,555 Undervotes vs 6,978 which counted as properly processed votes; North Haledon Borough Council reports a Whopping 3,628 Undervotes vs 5,847 which counted as properly processed votes; Pompton Lakes Borough Council reports a sad 1,112 Undervotes vs 9,834 properly processed and counted votes; Passaic City Council-at large reports a hugely inappropriate 5,143 Undervotes vs 14,250 properly processed votes which count towards electing the candidates; (and here is the real kicker of injustice) pertaining to Public Question #1 an enormous 105,329 Undervotes are reported vs only 78,882 which actually were properly counted; and pertaining to Public Question #2 106,881 Udervotes are reported vs only 77,256 which were properly processed and counted as votes. The Voters of the United States of America Need to WAKE UP AND SMELL THE UNDERVOTES BECAUSE IT CLEARLY APPEARS THAT THE CURRENTLY USED AND RECENT PAST UTILIZED ELECTRONIC VOTING BOOTHS REALLY STINK! There can be no true democracy in the absence of a Bona-Fide and reasonably effective voting booth system. All the campaigning in the world will and votes intended to be casted will not truly matter until if and when the currently utilized electronic voting booths are replaced with ones that honestly and competently register our votes!
Michael A. Keough, SCRREA, IFA, CTA
MICHAEL A. KEOUGH APPRAISALS
Pompton Lakes, N.J. 07442
[ link to this | view in thread ]