Schneier on Security
A blog covering security and security technology.
December 24, 2007
More Voting Machine News
Ohio just completed a major study of voting machines. (Here's the report, a gigantic pdf.) And, like the California study earlier this year, they found all sorts of problems:
While some tests to compromise voting systems took higher levels of sophistication, fairly simple techniques were often successfully deployed.
"To put it in every-day terms, the tools needed to compromise an accurate vote count could be as simple as tampering with the paper audit trail connector or using a magnet and a personal digital assistant," Brunner said.
The New York Times writes:
"It was worse than I anticipated," the official, Secretary of State Jennifer Brunner, said of the report. "I had hoped that perhaps one system would test superior to the others."
At polling stations, teams working on the study were able to pick locks to access memory cards and use hand-held devices to plug false vote counts into machines. At boards of election, they were able to introduce malignant software into servers.
Note the lame defense from one voting machine manufacturer:
Chris Riggall, a Premier spokesman, said hardware and software problems had been corrected in his company's new products, which will be available for installation in 2008.
"It is important to note," he said, "that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States."
I guess he didn't read the part of the report that talked about how these attacks would be undetectable. Like this one:
They found that the ES&S tabulation system and the voting machine firmware were rife with basic buffer overflow vulnerabilities that would allow an attacker to easily take control of the systems and "exercise complete control over the results reported by the entire county election system."
They also found serious security vulnerabilities involving the magnetically switched bidirectional infrared (IrDA) port on the front of the machines and the memory devices that are used to communicate with the machine through the port. With nothing more than a magnet and an infrared-enabled Palm Pilot or cell phone they could easily read and alter a memory device that is used to perform important functions on the ES&S iVotronic touch-screen machine -- such as loading the ballot definition file and programming the machine to allow a voter to cast a ballot. They could also use a Palm Pilot to emulate the memory device and hack a voting machine through the infrared port (see the picture above right).
They found that a voter or poll worker with a Palm Pilot and no more than a minute's access to a voting machine could surreptitiously re-calibrate the touch-screen so that it would prevent voters from voting for specific candidates or cause the machine to secretly record a voter's vote for a different candidate than the one the voter chose. Access to the screen calibration function requires no password, and the attacker's actions, the researchers say, would be indistinguishable from the normal behavior of a voter in front of a machine or of a pollworker starting up a machine in the morning.
Elsewhere in the country, Colorado has decertified most of its electronic voting machines:
The decertification decision, which cited problems with accuracy and security, affects electronic voting machines in Denver and five other counties. A number of electronic scanners used to count ballots were also decertified.
Coffman would not comment Monday on what his findings mean for past elections, despite his conclusion that some equipment had accuracy issues.
"I can only report," he said. "The voters in those respective counties are going to have to interpret" the results.
Coffman announced in March that he had adopted new rules for testing electronic voting machines. He required the four systems used in Colorado to apply for recertification.
The systems are manufactured by Premier Election Solutions, formerly known as Diebold Election Systems; Hart InterCivic; Sequoia Voting Systems; and Election Systems and Software. Only Premier had all its equipment pass the recertification.
California is about to give up on electronic voting machines, too. This probably didn't help:
More than a hundred computer chips containing voting machine software were lost or stolen during transit in California this week.
EDITED TO ADD (1/2): More news.
Posted on December 24, 2007 at 1:02 PM
One positive development is that at least some state election officials no longer seem to be in denial.
It's quite a change from even a year ago, when officials in, yes, Ohio and California, would parrot the manufacturers' security claims, asserting that problems identified by computer security researchers were "theoretical only", and that the people complaining about them knew nothing about the conduct of "real" elections. At the time, they seemed to feel that a knowledge of election procedure was all that was necessary to assess the security of electronic voting systems, whereas an elementary understanding of computer security was entirely superfluous. It's good to see that the cluebat pounding they sustained had a salutary effect on their outlook.
It seems at last like the tide might be turning. Of course, this is after two major elections were conducted with the flawed machines, and in some cases many more local or municipal elections. But somehow, the wall of silence surrounding electronic voting systems seems to be coming down.
Of course, this still leaves the most obvious question: why did we go down this road in the first place? It's not as though the flaws in electronic-voting systems are new; lots of people have been screaming about these things for years. And yet states and counties continued to implement them.
I think we need to be careful that, in the apparent growing victory over flawed paperless-voting systems, we don't allow the people who foisted them on the public to whitewash the past and make it look like they just discovered how bad the systems are. They were broken from the beginning, everyone knew or should have known it, and now the U.S. taxpayers are going to foot the bill.
That a Premier spokesperson should offer such a clueless defense is not surprising, since 'Premier Election Systems' was formerly Diebold, and they routinely denied even the possibility that there were people who would be interested in tampering with elections.
And, from a conspiracy-theory standpoint, it's convenient their new and improved systems are due out for installation in 2008 ...
"... none dare call it vote fraud, for if vote fraud succeeds ..."
Maybe they should call the system "VotesForSure". Rigged to work in the way wanted by those who bought the voting machines in the first place.
Like DRM for Democracy...
> "It is important to note," he said, "that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States."
Hilarious. This guy reminds me of the Weisert quote: "As far as we know, our computer has never had an undetected error." Stupid then. Stupider now, since Riggall's company wants to oversee democracy for us.
Not in Maryland! Our Diebold machines are perfectly safe. Nothing could ever go wrone err wrogn err wrong. We don't even have to wait for "we'll get it right next time" Diebold/Premier to fix 'em..
Just ask Linda Lamone; she keeps telling us how wisely she spent the $65,564,674 of taxpayers' money on them....
Ok, why don't you design one, or prove it can't be done. And please let me know the result, so when I go to the polls my favorite doofus doesn't get elected, we all have grounds for a lawsuit.
I agree with kadin. People in the IT and Security businesses have been asking for open source open standard hardware for ages, and neither suppliers of voting machines nor government procurement agencies have listened.
Now, after years of possibly illegitimately elected officials as well as substantial investment in faulty voting systems, it seems like people are starting to listen - at least, from my far away point of view (I am living in China so I receive no American mainstream media, just the media I look for... I have no Fox, no ABC and no NBC).
Clearly, the only way for electronic voting systems to work is for them to be open source and leave paper trails. Why we contract the job of designing and manufacturing these systems out, however, is beyond me. It seems that the people doing the contracting have a conflict of interest - it is in their best interest to buy/sell systems that serve them. That is to say, for politicians, to buy machines from people who will make them easily hackable (possibly telling them how to hack the machines), and for manufacturers, to make machines that keep their customers in power.
"Of course, this still leaves the most obvious question: why did we go down this road in the first place?"
In the first place, few of the systems replaced by the touch screen machines were trustworthy, either. The lever machines were probably the most difficult to cheat, but they're getting very old, and aren't well-suited to modern demands such as bilingual ballots (not that I agree that American elections should ever be conducted in any language but English), and handicapped accessibility. The punch-card systems always misread at least two percent of the ballots, and never could come up with the same count twice - and that appears to have been acceptable until the inherent limitations of the system met bad ballot design, poor election-day implementation, and an election that was a statistical toss-up in 2000 in FL. Mark-and-optical-scan systems work quite well in small precincts where the workers have time to deal with confused voters, to scan each ballot in front of the voter, and to replace ballots that don't scan - but would have been a disaster in Miami Beach, considering that workers there neither bothered to simply explain the butterfly ballot to voters waiting in line nor to replace punch cards for voters that knew they had mis-punched. Hand-counting often leads to accusations of cheating on the counts.
And that was the real reason for the rush to purchase electronic machines - like the old lever machines, these leave you with nothing to hand-count, nothing to do on a re-count but go around and read the machine tabulations again, and little room for accusations of cheating by the officials (other than letting unqualified people vote or excluding qualified people). They had too little experience with computer systems to realize that switching to computers, especially ones based on Windows, just opens the possibilities for cheating up to everyone...
"Of course, this still leaves the most obvious question: why did we go down this road in the first place?"
This is called corruption - politicos spending taxpayers' money in order to benefit their pals in big business. These same politicians will end up sitting on the boards and bullshit posts after they leave the guvirnmint employ.
It's the same reason why we have wars. And it is the very nature of the State. I'm not sure why people are so surprised when it shows through.
How appropriate that the report should be dated 7 December. Hopefully the e-voting machines suffer the same fate as the battleships in Pearl Harbor.
@averros: Never attribute to malice that which is adequately explained by incompetence.
@markm: "Hand-counting often leads to accusations of cheating on the counts."
You just need scrutineers—candidates' representatives watching the counting to ensure their candidate isn't illegitimately disadvantaged. It works well—the last attempt at cheating the count in Australia I've heard of was in 1996 for one seat in a state legislature.
Anonymous: It depends on how much distrust there is in the officials to begin with.
1) In the Miami Beach 2000 fiasco, a hand recount was aborted by a near riot staged by Republicans who claimed they'd been blocked from scrutinizing the recount process. I've no idea where the truth lies.
2) In San Francisco that same year, shortly after the election a number of ballot box lids were found floating in the Bay. Obviously, if ballots are on the bottom of the Bay, no fair count is possible. Election officials claim that after the count was complete they were washing the (emptied) ballot boxes on the docks and the lids just blew away, but not everyone accepts that. (I think SF is so heavily Democrat that it's hard to come up with enough scrutineers from any other party, even if the officials are playing fair...)
OTOH, why bother fiddling the count when you can have the dead and illegal aliens vote your way?
"OTOH, why bother fiddling the count when you can have the dead and illegal aliens vote your way?"
FUD alert. The Bush DoJ has been trying for years to find evidence of this occurring in order to buttress calls for poll taxes... I mean, voter identification cards. It simply doesn't happen in any widespread systemic way.
Far more effective to fiddle with the vote count by removing registered voters from the rolls and undersupplying the polling places in districts likely to vote against your party.
Has anyone discussed an internet-based vote monitoring approach? As you cast your ballot at your precinct, you get a random 5 digit number. Go home, log on, and look up your vote.
Clearly, there will still be errors, and voters will have the opportunity to report errors (but not change their ballot). The patterns of reported errors will provide the opportunity to track foul play.
If you get the number on a piece of paper then it can be used to prove how you voted (look up vote buying).
If you don't get it on a piece of paper then everybody will forget it or get it wrong and then there will be too many false positives.
If I want to fix the vote, I just a) give a number of people the same number or b) fix the web page program so that it lies about the votes.
In other words; yes people have thought about similar schemes and almost all systems found so far are a bad idea.