The state of Ohio has released a comprehensive study of voting machine security and the report will have you longing for paper.
A 334-page PDF report from the Ohio Secretary of State reveals insufficient security, poor implementation of security technology, lax auditing and shoddy software maintenance. The report, which covers voting systems from Election Systems and Software (ES&S), Hart InterCivic and Premier Election Solutions formerly known as Diebold, was conducted by Ohio's EVEREST (Evaluation and Validation of Election-Related Equipment, Standards and Testing) initiative in conjunction with research teams from Penn State, University of Pennsylvania and WebWise Security.
The EVEREST report was released Dec. 7 and I found it via Slashdot. Overall, the report really raises questions about election systems. Buffer overflows, leaky encryption, audit problems and firmware issues abound. One machine, the M100, from ES&S accepts counterfeit ballots. The Premier AV-TSX allows an unauthenticated user to read or tamper with its memory. The Hart EMS has audit logs that can be erased.
In fact, the first 17 pages of the report--essentially the table of contents--is an indictment of these systems. To make matters worse, these machines don't run constantly. That means malicious software could be planted and not turn up until election time. These machines aren't patched regularly either.
The report is too massive to detail completely here, but at a high level here are the takeaways from the EVEREST report:
- Systems uniformly stunk at security and "failed to adequately address important threats against election data and processes."
- A root cause of these security failures was "pervasive mis-application of security technology." Standard practices for cryptography, key and password management and security hardware go ignored.
- Auditing capabilities are a no show. "In all systems, the logs of election practices were commonly forgeable or erasable by the principals who they were intended to be monitoring." Translation: If there's an attack the lack of auditing means you can't isolate or recover from the problem.
- Software maintenance practices "of the studied systems are deeply flawed." The EVEREST report calls the election software "fragile."
Why would these machines be so enticing as a target? You could swing an entire election, produce incorrect results, block groups of voters, cast doubt on an election or delay results. And it may not take a brain surgeon to alter these systems. The EVEREST teams reported that they were able to subvert every voting system and not be detected "within a few weeks." Meanwhile, the EVEREST teams found the issues with only limited access since vendors weren't exactly cooperative (Section 2.4 of the PDF has the details).
The researchers say:
Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact.
As for the attackers, EVEREST ranks the following folks in ascending order of capabilities:
- Outsiders have no special access to voting equipment, but could affect equipment to an extent that it is connected to the Internet. All of the systems reviewed run Microsoft Windows and occasionally connect to the Internet. In addition, an attacker could create a counterfeit upgrade disk and mail it to install malware.
- Voters have limited and partially supervised access to voting systems while casting a vote.
- Poll workers have extensive access to polling place equipment, management terminals before, during and after voting. They can authorize who votes and who doesn't and opportunities to tamper with equipment abound.
- Election officials have extensive access to back-end election systems and voting equipment. Access is only loosely supervised if at all. One possibility: Bad software prompts election officials to "correct" results.
- Vendor employees have access to the hardware and source code of system during development. Employees may also be on site to assist workers and election officials. "Some vendors use third-party maintenance and election day support whose employees are not tightly regulated," according to EVEREST.
Add it up and any hack the vote opportunities will most likely be an inside job of some sort. The attacks may or may not be detectable.