Schneier on Security
A blog covering security and security technology.
October 7, 2011
Security Seals on Voting Machines
Related to this blog post from Wednesday, here's a paper that looks at security seals on voting machines.
Andrew W. Appel, "Security Seals on Voting Machines: A Case Study," ACM Transactions on Information and System Security, 14 (2011): 1–29.
Abstract: Tamper-evident seals are used by many states' election officials on voting machines and ballot boxes, either to protect the computer and software from fraudulent modification or to protect paper ballots from fraudulent substitution or stuffing. Physical tamper-indicating seals can usually be easily defeated, given the way they are typically made and used; and the effectiveness of seals depends on the protocol for their application and inspection. The legitimacy of our elections may therefore depend on whether a particular state's use of seals is effective to prevent, deter, or detect election fraud. This paper is a case study of the use of seals on voting machines by the State of New Jersey. I conclude that New Jersey's protocols for the use of tamper-evident seals have been not at all effective. I conclude with a discussion of the more general problem of seals in democratic elections.
Posted on October 7, 2011 at 1:11 PM
Excellent paper! I don't think I've seen so many seal types examined all at once before.
New Jersey appears to be working with laws specifying procedures that assume mechanical voting machines (not that this is unusual in the US). E.g. here: "Such representatives shall certify ... that all of the counters are set at zero (000) ... Every voting machine shall be furnished with a lantern, or an electric light fixture, which shall give sufficient light to enable voters while voting to read the ballots and be suitable for use by the district board in examining the counters."
I am assuming that, given enough resources, tamper-evident seals can be pierced in a non-evident manner.
Is it usually a social-engineering task, or a mechanical task, or a combination of the two?
The election systems I took part in usually required some form of documentation, and two individuals from distinct political parties, in both breaking and putting seals in place. The number of the seal in question is recorded for both the breaking and the settings.
However, one of the types of seals we saw was a zip-tie-style mechanism. I assume that mechanical adeptness and proper tools could defeat that. Another was a metal-band mechanism that is functionally similar to a zip-tie. Again, proper tooling may allow the seal to be removed.
Most of the security actually came from controlling access to the sealed object. The City Clerk in question set up a 2-person-rule. The machines that handled the counting, the voted ballots, etc., were always handled by pairs of people. Usually pairs of people who had declared themselves as members of distinct political parties.
While this doesn't make things perfect, it does make it much harder for a solo operator to tamper with any single piece of election-data. Also, any solo operator would typically only be able to affect one precinct's returns.
Again, not perfect, but the seals, the procedures, and the two-person rule act as a sort of defense in depth. Not just a defense against malice, but also a defense against some varieties of innocent mistakes...
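The two-person rule and the recording of seal numbers at both application and breaking, as the comment above describes them, are the kind of procedure that can be audited mechanically after the fact. The following is an added example, not code from the post or from Appel's paper; the log layout, field names and all entries are constructed assumptions:

```python
# Added example: audit a seal custody log of the kind described in the
# comment above. Each entry records the machine, whether a seal was applied
# or broken, the seal's serial number, and the witnesses with their party.
# Log format and all entries are constructed; none of this is from the post.

# Constructed log: (machine, action, seal_serial, [(witness, party), ...])
SAMPLE_LOG = [
    ("M-01", "apply",  "S-1001", [("Ada", "A"), ("Ben", "B")]),
    ("M-01", "remove", "S-1001", [("Ada", "A"), ("Ben", "B")]),
    ("M-01", "apply",  "S-1002", [("Ada", "A"), ("Cal", "A")]),   # same party twice
    ("M-02", "apply",  "S-2001", [("Dee", "B")]),                 # only one witness
    ("M-02", "remove", "S-2009", [("Dee", "B"), ("Eve", "A")]),   # serial mismatch
    ("M-03", "remove", "S-3001", [("Fay", "A"), ("Gus", "B")]),   # never applied
    ("M-04", "apply",  "S-1001", [("Fay", "A"), ("Gus", "B")]),   # serial reused
]


def check_seal_log(log):
    """Return a list of (entry_index, finding) for every procedural gap.

    Checks: two witnesses from distinct parties on every event; a broken
    seal's serial matches the one recorded as applied to that machine;
    no seal is broken that was never applied; no serial is applied twice.
    """
    findings = []
    current = {}          # machine -> serial of the seal currently on it
    seen_serials = set()  # every serial ever applied
    for i, (machine, action, serial, witnesses) in enumerate(log):
        parties = {party for _, party in witnesses}
        if len(witnesses) < 2 or len(parties) < 2:
            findings.append((i, "two-person rule not met"))
        if action == "apply":
            if serial in seen_serials:
                findings.append((i, "seal serial reused"))
            if machine in current:
                findings.append((i, "sealed over an unbroken seal"))
            seen_serials.add(serial)
            current[machine] = serial
        elif action == "remove":
            expected = current.pop(machine, None)
            if expected is None:
                findings.append((i, "no recorded seal to break"))
            elif expected != serial:
                findings.append((i, "broken serial differs from applied serial"))
        else:
            findings.append((i, "unknown action"))
    return findings
```

A clean log (the first two entries alone) produces no findings; the remaining entries each trigger exactly one.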
The main problem in creating modern seals is that they must fulfill two diametrically opposed criteria:
1. They must be robust enough to be understood and applied by untrained amateurs under suboptimal (for the election officials) conditions.
2. They must be fragile enough to break or otherwise provide evidence of failure under attack by professionals in ideal (for the attackers) conditions.
Not ONE of the seals described in the paper fulfilled these two conditions. Given the availability of attack tools today, it is unlikely that any seals can be created that fulfill these two conditions.
And that in turn means that any sealing that must be done will need to be done by the manufacturer (or a suitably trained election seal applicator) under controlled conditions. Which then leads to the manufacturer or applicator controlling the election process by default.
Broken seals mean voting machines can't be used? Or that voting machine results are invalid?
What an excellent opportunity for a Denial-Of-Service attack, especially when only machines in political districts heavily favored by your opponent are targeted.
Even a perfect voting machine seal won't protect from the worst and most likely kind of insider attack: from precinct workers, county officials, state employees, even the vendors. The very people who are charged with counting the ballots and securing the election could be - and arguably have already been - the ones who subvert it.
Now, let us imagine that the vendor has placed a perfectly tamperproof seal over the critical components of the machine, and all end-user maintenance is performed under two-person control. How do we know that the developers haven't inserted their own prank features?
Like this one:
Andrew Appel is now officially my hero.
Silly me. Whenever I've come across a tamper evident seal, I just remove the seal and carefully clean off the "void" residue that's left behind. This leaves a clean surface that upon inspection seems to have had no seal at any time.
Andrew Appel is now officially my big hero.
The seals aren't particularly critical in the grand scheme of election security; if they are, then the whole election setup is seriously flawed to begin with.
I think the UK and Scotland operate different safeguards to the US. For example, here each ballot paper is numbered and can theoretically be linked back to the voter, although this is highly unlikely and there are strict regulations surrounding this.
In any instance, the ballots are numbered so if there is a dispute it is possible to tell whether there are duplicates or ballots that shouldn't be there. So "stuffing" wouldn't work, you'd have to *replace* ballots.
It also is not the parties but the state (electoral commission?) that runs the elections and to the best of my knowledge, party representatives aren't allowed to canvas in the voting stations either. So there really isn't any window for party employees to do any tampering. Then there is the consideration that there are always a fair number of staff at voting stations, so the opportunity is further diminished.
Anyway, to put tamper proof seals into perspective, just look at the 2007 Scottish elections: a mere "redesign" of the ballot papers managed to confuse matters so much that the margin in many constituencies was dwarfed by the number of spoilt ballots. Now *that* was a seriously dodgy election, but no physical tampering involved - it was all agreed in Parliament well before the election.
@ Mostly Harmless
"What an excellent opportunity for a Denial-Of-Service attack, especially when only machines in political districts heavily favored by your opponent are targeted."
Not really. Tampering will only be successful when it goes undetected. In any other case - and in a normal democracy - it will lead to invalidation of the result in that district and a repetition of the process.
Andrew Appel is a computer scientist, and he did some amateur seal-defeating demonstrations in court to show that any basement handyman type could break a lot of the voting machine security. But he references the reports produced for the court by Roger Johnston, who is a professional seals (and other neat stuff) guy at Argonne National Laboratory, and whose redacted report is available at http://www.cs.princeton.edu/~appel/voting/... . In many ways the Johnston report makes for more interesting reading, though they each reference the other, and are complementary (and complimentary).
Then there's the meta attack.
Get amongst the machines and damage the seals of enough of them and you invalidate the election.
Do it once and you create a nuisance, do it twice and you create a serious problem.
What happens if you do it three times?
"What happens if you do it three times?"
Security seals become considered an invalid form of protection and therefore, by political logic, the vote must continue without them.
We must do something. This is something, therefore we must do it...
Appel has reported previously on the physical security for the voting machines in question. Not terribly good unless you consider a hallway in a building that is mostly unoccupied at night and on weekends to be "good".
Didn't some machines include WiFi and USB ports? The seals stop those interfaces, right?