Security (2007)

Note: I stopped collecting these reports in 2007, because there were already way more than enough reports to make the case that these election systems are not secure. Hundreds more have appeared since then.

Note: Many of the links on this page are broken.


    While banking systems and slot machines are heavily tested and audited, the security testing for voting machines is a sham, and the auditing is sloppy and, in many places, nonexistent.

    Please keep in mind that:

    • California Elections Code 19205(c) requires that voting systems “shall be safe from fraud or manipulation”
    • but just one or two talented, well prepared programmers can change the course of a major election in a few seconds
    • convicted embezzlers have programmed some of the machines
    • company owners have included convicted crooks (Global Election Systems), gambling interests (Inkavote), foreigners (Sequoia, Inkavote) and partisan party hacks (Diebold, ES&S)
    • former Monterey county registrar Tony Anchundo was convicted for being a crook
    • two Ohio election officials were convicted and sent to jail in ’07 for rigging a recount
    • here’s a Black Box Voting report on corrupt election officials (11/07)
    • voting systems require a vast conspiracy of 1 or 2 people to steal votes by the thousands in seconds, with no trace
    • almost all the vote counting tabulators in the US run on very complex software from one very large company with thousands of programmers, Microsoft. Counties download Microsoft “fixes”, sight unseen, onto those tabulators on a regular basis
    • the US Government is now worried that chips, motherboards and computers we use in the US come from China; some federal agencies are taking steps to close these holes in American security, but not elections officials
    • voting machine companies’ claims about “world class” security are false (see the reports below)
    • Clint Curtis was hired by Congressman Tom Feeney to write a program to rig elections in Florida
    • counties cut corners, including on training underpaid pollworkers about enforcing security procedures. This results in lost memory cards, “sleepovers” of hackable machines in peoples’ homes, and critical mistakes
    • recent American history reminds us that if corrupt forces can steal votes, they will
    • these systems are mission critical to deciding who runs our government

    Nobody, and no machine, should be counting American votes in secret.


Known Security Holes

    Among the obvious and serious security holes that the federal testers (ITAs) have overlooked are:

    • the back panel of the Diebold TSx touchscreen voting machine can be removed with a simple Phillips head screwdriver, allowing undetected access to the entire machine.
    • the Diebold TSx can be completely reprogrammed by putting an unencrypted memory card in it when starting the machine up.
    • 13 of 16 bugs in the Diebold interpreter. This, after they had been told to inspect the code a second time over the winter of 2006.
    • Diebold’s source code includes an unchanged secret encryption code, 8f2654hd4.
    • Diebold used a hard-coded secret password for administration cards, 1111.
    • You can open Diebold’s TS touchscreen machines with a screwdriver, or a common office cabinet key.

    See also: Six ways to attack a Touch Screen Computer


Central Tabulator (Vote Counting System)

    A central tabulator’s databases can be quickly hacked by a motivated insider.

    They can also be attacked by a virus planted on just one of thousands of memory cards coming from the polling stations to the tabulator’s computer. The leaky procedures surrounding these machines rely on thousands of poorly trained and paid poll workers working 12-hour days. It only takes 1 person just minutes with 1 card to decide who governs, and who does not.

    By the way, you can download (ZIP, 28MB) Diebold’s secret GEMS 1.18.17 tabulator source code from the internet.


Wireless Devices

    Few states ban wireless devices in voting systems. It means that a talented hacker can sit outside in a car all day with a laptop, and have a very good chance of breaking into the leaky systems currently in use. It also means that a well prepared crook can stand near a machine with a modern cell phone or many other handheld devices and reprogram an entire election. Allowing wireless devices is like saying that it’s OK for banks to use plastic safes. All wireless devices must be removed or physically disabled (remove the jumper) immediately.


A Debate by Computer Scientists


Security Reports

    The following extensive reports describe these and other security holes:

    Ohio “Everest” Review, 12/07

    Colorado Certification Reviews, 12/07

    California Top To Bottom Review, 7/07
    Red team reports, source code reviews, and more

    “The red teams demonstrated that the security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results.”

    Florida State Report, 7/07, 35 pgs

    “… the [Diebold] Optical Scan and Touch Screen software … retain significant flaws … As an example … flaws in the Optical Scan software … can be used to essentially swap the electronically tabulated votes for two candidates, reroute all of a candidate’s to a different candidate, or tabulate votes for several candidates of choice toward another chosen candidate.” (pg 3)


    U Conn Report, 7/07

    “… demonstrates that during a sleepover VVPAT records can be set to misrepresent how votes will be tallied…”

    “This report presents certain integrity vulnerabilities in the Diebold AV-TSx Voting Terminal. We present two attacks based on these vulnerabilities: one attack swaps the votes of two candidates and another erases the name of one candidate from the slate. These attacks do not require the modification of the operating system of the voting terminal (as it was the case in a number of previous attacks). These attacks against the voting terminal can be launched in a matter of minutes…”

    NIST Report, 11/06
    The NIST comes out against paperless touchscreen machines.

    Princeton Report, Security Analysis of the Diebold AccuVote-TS Voting Machine, 9/06

    “Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities — a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.”

    You can see video demonstrations of this virus at work here.

    Brennan Report, 6/06
    This report provides a very good analysis of 112 ways to attack voting systems.

    “All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.”

    “There is a substantial likelihood that the election procedures and countermeasures currently in place in the vast majority of states would not detect a cleverly designed software attack program…”

    National Research Council Report, 7/06

    Black Box Voting, 7/06
    This is a good synopsis of the grave risks in the Diebold TSx touchscreen machines.

    The Hursti II report, 5/06 [PDF] [Supplement PDF]
    This report reveals how one can easily reprogram an entire Diebold touchscreen machine.

    Berkeley Report, Security Analysis of the Diebold AccuBasic Interpreter, U Calif, 2/06 (PDF, 269 KB)
    University experts hired by the California Secretary of State found 16 security bugs just in the illegal Diebold interpreter. On pages 36 to 37 of this report, the authors state that the Diebold systems should not be used in statewide elections:

    “In the longer term, or for statewide elections, the risks of not fixing the vulnerabilities in the AccuBasic interpreter become more pronounced. Larger elections, such as a statewide election, provide a greater incentive to hack the election and heighten the stakes. Also, the longer these vulnerabilities are left unfixed, the more opportunity it gives potential attackers to learn how to exploit these vulnerabilities. For statewide elections, or looking farther into the future, it would be far preferable to fix the vulnerabilities discussed in this report.”

    The Hursti I Report, 5/05 (PDF)
    Computer expert Harri Hursti gained control over Leon County memory cards, which handle the vote-reporting from the precincts. Three memory card tests demonstrated successful manipulation of election results, and showed that 1990 and 2002 FEC-required safeguards are being violated in the Diebold version 1.94 opti-scan system.

    “With this design, there is no way to verify that the certified or even standard functionality is maintained from one voting machine to the next.” (pg 7)

    “The Accu-Vote Precinct Count Optical Scan system inherits numerous attack vectors from flexibility to modify over security design. Operational procedures required to secure the system would put un-sustainable burden in perimeter defense, training of the personnel and supervision among the other layers of security.” (pg 21)

    Dr. Herbert Thompson, a security expert, took control of the Leon County central tabulator by implanting a trojan horse-like script.

    RABA Trusted Agent Report : Diebold AccuVote-TS Voting System, 1/04
    Compuware Corporation Direct Recording Electronic (DRE) Technical Security Assessment Report, 11/03
    SAIC Report, 9/03

    “[t]he system, as implemented in policy, procedure, and technology, is at high risk of compromise.”

    The official report disappeared from the state of Maryland website. You can download the unredacted report from the bottom of this page and read further commentary here.

    Johns Hopkins Report, 7/03
    Computer scientists found at least 11 ways to attack a Diebold touchscreen system (pg 6).

    “We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and janitors is even greater.” (pg 21)

    Effective use of Computing Technology in Vote-Tallying, Saltman, 3/78 (7.3 MB, 139 pgs)
    This is an early groundbreaking paper.
