Security Vulnerability in ESS ExpressVote Touchscreen Voting Computer

Of course the ESS ExpressVote voting computer will have lots of security vulnerabilities. It's a computer, and computers have lots of vulnerabilities. This vulnerability is particularly interesting because it's the result of a security mistake in the design process: someone didn't think the security through, and the result is a voter-verifiable paper audit trail that doesn't provide the security it promises.

Here are the details:

Now there's an even worse option than "DRE with paper trail"; I call it the "press this button if it's OK for the machine to cheat" option. The country's biggest vendor of voting machines, ES&S, has a line of voting machines called ExpressVote. Some of these are optical scanners (which are fine), and others are "combination" machines, basically a ballot-marking device and an optical scanner all rolled into one.

This video shows a demonstration of ExpressVote all-in-one touchscreens purchased by Johnson County, Kansas. The voter brings a blank ballot to the machine, inserts it into a slot, chooses candidates. Then the machine prints those choices onto the blank ballot and spits it out for the voter to inspect. If the voter is satisfied, she inserts it back into the slot, where it is counted (and dropped into a sealed ballot box for possible recount or audit).

So far this seems OK, except that the process is a bit cumbersome and not completely intuitive (watch the video for yourself). It still suffers from the problems I describe above: voters may not carefully review all the choices, especially in down-ballot races; counties need to buy a lot more voting machines, because voters occupy the machine for a long time (in contrast to op-scan ballots, where they occupy a cheap cardboard privacy screen).

But here's the amazingly bad feature: "The version that we have has an option for both ways," [Johnson County Election Commissioner Ronnie] Metsker said. "We instruct the voters to print their ballots so that they can review their paper ballots, but they're not required to do so. If they want to press the button 'cast ballot,' it will cast the ballot, but if they do so they are doing so with full knowledge that they will not see their ballot card, it will instead be cast, scanned, tabulated and dropped in the secure ballot container at the backside of the machine." [TYT Investigates, article by Jennifer Cohn, September 6, 2018]

Now it's easy for a hacked machine to cheat undetectably! All the fraudulent vote-counting program has to do is wait until the voter chooses between "cast ballot without inspecting" and "inspect ballot before casting." If the latter, then don't cheat on this ballot. If the former, then change votes how it likes, and print those fraudulent votes on the paper ballot, knowing that the voter has already given up the right to look at it.

A voter-verifiable paper audit trail does not require every voter to verify the paper ballot. But it does require that every voter be able to verify the paper ballot. I am continuously amazed by how bad electronic voting machines are. Yes, they're computers. But they also seem to be designed by people who don't understand computer (or any) security.
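To make the ordering problem concrete, here is an added simulation (my own illustration, not code from the post, from Appel, or from ES&S; the voter population, inspection rate and flip rate are constructed assumptions). It compares the ExpressVote behaviour described above, where the machine learns "inspect" or "cast without inspecting" before it prints, with a VVPAT done in the right order, where the paper is always printed before the voter decides anything. Under optional inspection a compromised machine alters only ballots it already knows will go unread, so the audit trail catches nothing; when the machine must commit to the paper first, every altered ballot is caught with probability equal to the inspection rate.

```python
"""Detection model for a voter-verifiable paper audit trail (VVPAT).

Added example, not part of the original post. All numbers (voter count,
inspection rate, fraction of ballots a compromised machine is willing to
alter) are constructed assumptions chosen to illustrate the ordering flaw.
"""
import random
from dataclasses import dataclass


@dataclass
class Tally:
    ballots: int
    altered: int   # ballots whose printed choice differs from the voter's intent
    detected: int  # altered ballots caught because the voter inspected the paper


def simulate(n_voters: int, inspect_rate: float, flip_rate: float,
             optional_inspection: bool, seed: int = 0) -> Tally:
    """Run one election on a compromised ballot-marking device.

    optional_inspection=True models the ExpressVote behaviour from the post:
    the voter presses 'inspect' or 'cast without inspecting' BEFORE the paper
    is printed, so the machine knows which ballots will never be looked at
    and alters only those.

    optional_inspection=False models a VVPAT in the correct order: the paper
    is printed before the voter decides anything, so the machine must commit
    to its (possibly altered) output without knowing who will check it.
    """
    rng = random.Random(seed)  # seeded so results are reproducible
    altered = detected = 0
    for _ in range(n_voters):
        inspects = rng.random() < inspect_rate
        if optional_inspection:
            # The machine already saw the button press: it cheats only on
            # ballots the voter has declined to view, so nothing is ever caught.
            flip = (not inspects) and rng.random() < flip_rate
        else:
            # The machine must decide before learning whether this voter looks.
            flip = rng.random() < flip_rate
        if flip:
            altered += 1
            if inspects:  # paper disagrees with the voter's choice: detected
                detected += 1
    return Tally(n_voters, altered, detected)


def detection_rate(tally: Tally) -> float:
    """Fraction of altered ballots that an inspecting voter caught."""
    return 0.0 if tally.altered == 0 else tally.detected / tally.altered


def expected_detection_rate(inspect_rate: float, optional_inspection: bool) -> float:
    """Closed form: per altered ballot, the chance it is caught.

    With optional inspection the machine only alters unread ballots, so the
    audit trail's detection probability is exactly zero regardless of how
    many voters check. With mandatory printing it equals the inspection rate.
    """
    return 0.0 if optional_inspection else inspect_rate


if __name__ == "__main__":
    for optional in (True, False):
        t = simulate(10_000, inspect_rate=0.3, flip_rate=0.2,
                     optional_inspection=optional)
        label = "optional inspection" if optional else "mandatory print    "
        print(f"{label}: {t}  detection rate {detection_rate(t):.2f} "
              f"(expected {expected_detection_rate(0.3, optional):.2f})")
```

The point the model makes is that the audit trail's value does not come from every voter checking; it comes from the machine not knowing, at the moment it prints, whether this particular ballot will be checked. Raising the inspection rate helps only in the second design; in the first it changes nothing.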

Posted on September 20, 2018 at 6:45 AM

Comments

AlbertWeinstein • September 20, 2018 7:19 AM

An NYT article today explains that Putin's Russia wanted to show the US and perhaps the rest of the world too that the US is ultimately just as screwed up a place as Russia is. Which is narcissism at the international level, but whatever.

The US' DRE debacle makes Russia's efforts seem redundant. The DRE debacle makes all other debacles seem trite. Except maybe the debacle that no one from Wall Street went to jail after the last financial meltdown - that's a pretty big debacle too.

me • September 20, 2018 7:46 AM

even without this bug it is a shit idea, if to be secure a paper copy must be printed and manually verified
What is the point of e-voting machines?
To replace a pen and the human action of making a cross X on the selected vote?

also as the EFF pointed out, even when a paper copy exists it is almost never checked so again what is the point????

this is pure madness

the touchscreen producer can cheat the vote alone!
it is both the input ("mouse") and output (screen) of the system; it can do whatever it wants.

voting by paper might be longer and cost more but this is the correct way to design voting!
it costs more also to be hacked, and a successful "hack", like corrupting everyone in the room, doesn't scale well and doesn't influence the vote too much.
while a computer hack spreads to the whole election system.
so it's enough to corrupt one or two people in the touchscreen production line to hack the whole election

me • September 20, 2018 7:59 AM

Also, in the comment section of that site, first comment:
Jill M says:
Election officials ... conduct significant testing before and after elections to make sure the results are accurate.

This is useless!
computers have a clock, they know the date and time
and they can be programmed to cheat only on election day, not before, not after.

we saw this happening so many times:
- the VLC media player logo has a Christmas hat if it's Christmas
- applications for mobile phones that behave differently if the location was Apple's office, so that while under review everything seems legit and the app gets approved.

CallMeLateForSupper • September 20, 2018 8:57 AM

It seems like we have conversations about voter roll irregularities and epic fail voting machine designs every.two.years, and always just weeks before the "drop dead" date. Immediately after that date, all of the issues are forgotten and little, if anything, gets fixed.

I could really go for a paper ballot with check boxes about now.

Impossibly Stupid • September 20, 2018 9:54 AM

Yes, they're computers. But they also seem to be designed by people who don't understand computer (or any) security.

Get back down in the trenches, Bruce, and you'll see that vast segments of the computer industry are populated by incompetents because they're cheap and obedient. Even IBM hires this way (I can say from personal experience). Nothing is going to change about that until the management responsible for those practices changes.

MikeA • September 20, 2018 10:35 AM

Assuming that the designers and purchasers of voting equipment "don't understand computer (or any) security" is leaning pretty hard on Hanlon's Razor. You might want to check in with William of Occam once in a while.

Andy • September 20, 2018 2:05 PM

I work in cybersecurity and specifically in government. The issues with voting machines are completely and utterly overblown and I'm certainly no apologist for government failures. I agree that a paper trail is needed and many government entities are moving away from systems that don't generate paper. That being said, most of the vulnerabilities found require many things to be in place before they can be exploited. First off, most voting systems are completely segmented and have no direct internet access. If there are any government entities that have deployed machines which are open to the internet directly that is an insane practice and I haven't seen it personally but it may exist someplace. Most vulnerabilities can only be exploited if many other things fall into place... an attacker has to first breach the network someplace, then they have to move laterally, then find the segmented network for the elections, then breach that, then gain access to the device and then know what vulnerabilities it has and hope they have the permission necessary to perform an exploit.... often Admin privileges are needed. I'm not saying that attacks don't happen or can't happen but we have to understand the issues at hand. We have media outlets and some government officials claiming government networks are "attacked" millions of times per day. This is a lie because they are including all network scans as attacks. Sure, some scans are for gathering intel and then to later perform attacks but the majority of scans have nothing to do with this. Some scans are simply indexing the web, other scans may be security vendors looking for information so they can pitch executives products (we have seen this many times), and the list goes on and on. Yes, there are security concerns and weaknesses but a stand-alone vulnerable system isn't necessarily anything to be that worked up about.
Many large organizations have many legacy systems that can't be patched and have tons of vulnerabilities but they have other security controls implemented to mitigate the risk and protect these systems, such as network segmentation. Let's put some perspective on things and let's actually talk about the entire issue and not just one small piece that happens to be some obscure vulnerability on a system that may even be on a completely stand-alone network in some cases.

Weather • September 20, 2018 2:38 PM

If the program prints to paper and then it is checked and inserted, won't the program that scans it only expect (accept) a small range?
It is like QR codes: a BMP file with the first 20 bytes removed can turn into an exe.

Clive Robinson • September 20, 2018 2:40 PM

@ Hmm,

Kind of a 1/2 start... ?

A journey of a thousand miles, begins with a single step.

-- Lao Tzu.

Thus the question is not just how will the journey progress, but who will follow the path so far laid down.

The manufacturers will only take note when a large enough segment of their market is denied them because of their behaviour.

Whilst not quite the same as smacking the dog with a rolled up newspaper when it craps on the carpet, opportunist idiots that pretend to be style whilst offering no substance need to find there is no profit to be made.

As with rats, such people need a food supply, if there is not one they go looking elsewhere.

Billy Bob • September 20, 2018 3:17 PM

"seem to be designed by people who don't understand computer (or any) security."

In all the decades I've been paid to write software for dozens of different companies.. I've never designed it for a real professional like that. It's always for a manager. The manager always gets whatever pet thing he wants or I don't get paid. Even if I argue with him and specifically tell him what he wants is a bad idea (risking my pay for the benefit of mankind), that manager still always makes the final call.

The only way to have a conscience and always write pure benevolent code is to quit working in the software industry. Which means don't get paid, starve, and die... or be independently wealthy from something else, and just donate your time to open source or something... (you could do both to some degree: get paid to write terrible code by day, and write good code for free by night, without a lot of sleep or social)

Clive Robinson • September 20, 2018 3:56 PM

@ Andy,

I'm not saying that attacks don't happen or can't happen but we have to understand the issues at hand.

You forgot to evaluate malware on the service techs computer / thumb drive.

It kind of waltzes past all your stop points with ease...

It's why "stand alone" systems are vulnerable and will remain so for the foreseeable future.

Quite a few years ago I looked into this with regards to how to cross air gaps in both directions. But also how to get the malware onto the service techs' computer / thumb drive in the first place, without having any kind of contact with them. You can find my overview of how to get the malware to the target on this blog a year or so before Stuxnet became a major proof of concept of the idea.

The part I did not share was how to get data off an air gapped computer and back securely, anonymously and virtually untraceably via a random and changing server on the internet which is unknown to the malware, thus does not require a control server that can be traced and taken over as botnets etc do.

So far there has been no report of the method I devised being used or anything close to it, which is odd.

The point is with modern commodity systems you can not make them secure with standard techniques against an above state level attacker. And there are more than a few of those around as GS does not give much in the way of rewards either materially or ego wise. It's why GS has trouble recruiting and retaining even basic IT staff, and to be honest would you really want to employ the sort of person "Who signs on for the pension?".

Once upon a time people used to become Government Issue to get an education and marketable skills in "civvy street" but too many wars and lack of fresh cannon fodder has killed that off for all but those from the more deprived no hope areas, or with no real abilities. Those lucky enough to get an IT trade in security will discover the skill set required is mainly "pull down menu" navigation. It's probably why those GS cracking tools got left on a server to be found and published (unless you subscribe to the disgruntled insider theory for the Shadow Brokers).

All in all from what has been leaked about the TAO and others, they are really not "elite" when it comes to Computer Security, just run of the mill, in all likelihood living off others' work.

The "Tic-Toc" Government Issue military life style is not conducive to the "living inside your own head" thoughtful introspection needed to find and exploit vulnerabilities. Nor for that matter is nine to five GS count down to retirement day.

Jan • September 20, 2018 8:38 PM

@Billy Bob

Start with a good code of ethics. Look at the codes from the IEEE and the ACM.

Robert Half once said you cannot do a job that requires judgement unless you are prepared to quit.

If one always caves in to the boss, the code of ethics means nothing.

Perhaps the professional societies need to stand up better for those who adhere to the codes of ethics.

But, too many managers and too many software designers and programmers have no idea there even is a code of ethics that applies to their work.

Billy Bob • September 20, 2018 9:32 PM

@Jan

I knew a guy once who always had to do everything his way. He could not take direction from a boss... nor could he hold onto a job anywhere.

If you want a job, you need to do what you were hired for. There aren't many out there who will hire people to tell the person doing the hiring what to do, most people hire people in order to tell the person they hired what to do. That's just how jobs work.

I'm not talking about doing outright illegal things... Here's an example in software: You can do it right, and spend a few times more money and the company goes bankrupt, or you can cut corners and write a little bit sloppy code and spend a lot less money in less time... it mostly works but there are a few edge cases where it doesn't... Nobody will pay many times more for products they can't perceive as better or more secure (even though they are much better and more secure). This is simply how the world works.

For a more concrete example, would you like that cheap laptop computer to cost $10,000 or $100,000 instead of $1000? But it's more secure... Oh yes, it does all the same things. No, there's no real visible difference. Look, you'll take your chances with the less secure one, because you simply can't afford the secure one anyway, no matter how much better it is.

This is why Bruce keeps saying that we need government to mandate it, the open market won't support security, only a race to the bottom... Government must coerce businesses to make all products at once 2-3x as expensive to produce, or maybe 10-100x in more complicated cases... Note the government will also need to ban the import and sale of overseas cheaper "mostly-working" products... and no, you won't earn more money to pay for those much more expensive "secure" products! And no, this is not a democracy that can accomplish this, only a dictatorship! (of course, dictatorships always become cruel, so...)

Weather • September 20, 2018 10:50 PM

Billy Bob
Good point, I'm one of those people who were in the type of industry (still had the qual) got paid to sweep the floor, I got paid, but part-time four times as much to fix computers, ...I really don't have a reply, but I enjoyed sweeping the floor

JPA • September 20, 2018 11:11 PM

@me
"even without this bug is a shit idea, if to be secure a paper copy must be printed and manually verified
What is the point of e-voting machines?
To replace a pen and human action of making a cross X on the selected vote?"

I think you are forgetting this is the United States where the state religion worships the Almighty $$$. You clearly are a heathen and do not understand the need to acquire $$$ at all costs.

These machines are wonderful servants of the most high $$$. They do for $$$ what can be done for pennies. Thus they are a truly wondrous and divine invention.

Clive Robinson • September 21, 2018 5:28 AM

@ Billy Bob,

This is why Bruce keeps saying that we need government to mandate it, the open market won't support security, only a race to the bottom...

However do not fall into the trap of assuming the price will rise because of "Government Interference" as some "free market" types call it.

Evidence suggests that when the right sort of regulation is applied engineers will have a different set of points to work with thus will find a "different sweet spot" that could end up costing less.

We saw this with safety in cars, where the regulation and testing were appropriate. However where the regulated testing was made as cheap as possible under "industry influence" as it was for fuel emissions, some engineers found an altogether different "sweet spot", that management just loved. As a result a large chunk of the industry also did likewise as their management loved the solution[0].

Which is why a German[1] is likely to spend a long time in a US jail (he's a foreigner so just hang him as high as the rope allows in a show trial like that of engineer James Liang[2]).

[0] https://en.m.wikipedia.org/wiki/Volkswagen_emissions_scandal

[1] https://www.bbc.co.uk/news/business-42256870

[2] https://www.bbc.co.uk/news/business-41053740

Jan • September 21, 2018 9:53 AM

@Billy Bob

I don't think we disagree. Until it's regulated, software professionals will be in a difficult situation. If doctors, lawyers and engineers ignore their codes of ethics, they will lose their licences. Public safety depends as much on software as on those fields. Managers who hire lawyers, accountants, engineers and doctors understand that they can't just tell them to do whatever in whatever way.

Jan • September 21, 2018 10:04 AM

Oops, I misattributed the quote a few posting above. It was Richard Irish who said one cannot do a judgement job unless one is prepared to quit in his book, "If things don't improve I may ask you to fire me."

Scott • September 21, 2018 10:08 AM

@Billy Bob,
Don't forget Marketing. Every commercial product I've worked on had to be approved by the team member from Marketing. I've had so many "features" forced on my code because the person from Marketing thought it was a good idea, and they don't want to change. Even if it's a safety issue and you show them how their new "feature" could harm someone, they would only reluctantly back down. Usually they first want to add more "features" to make their pet feature "safe".

For security to be considered an important part of the product, the product team needs someone at the same level as their advocate. Someone who can prevent the product's release if they're not satisfied with the security, just like Marketing, Manufacturing, Test, and Safety can stop release.

MikeA • September 21, 2018 10:20 AM

@Scott -- Many companies have high-level (on the org chart) Security Directors (or some such title). What matters is that they still report (ultimately) to the CEO or CFO. When working for a Fortune 500 technology company I happened to run into the person in that position, and asked about a particularly obsolete/dangerous aspect of corp security. Their response: "I know, but it's not my call".

echo • September 21, 2018 1:32 PM

@Jan

In the UK doctors have negotiated various protections in law so they have a built in "benefit of the doubt" and "get out of jail free" card. Authorities are also likely to let doctors off the hook because doctors are "too big to fail". The excuse being that to throw a doctor out of the profession removes a valuable and expensive skillset which places the community at risk. The police have historically been very slow to prosecute doctors often claiming allegations are a "civil case" or the jurisdiction of the GMC. (A small note is, like the General Synod of the Church of England, that the GMC is technically part of parliament.)

While it is rare now it used to be the case that a doctor accused of murdering or sexually assaulting patients wasn't prosecuted by the police who waited on the GMC. The doctor in question would resign before disciplinary proceedings with the GMC claiming they could no longer act as the doctor was no longer a member. By this mechanism the doctor got off scot free and collected their pension. The police were also known to use this escape mechanism too by taking early retirement prior to disciplinary proceedings. Police disciplinary bodies are widely known to be "slap on the wrist" prosecutors and "get off" police officers. The GMC's reputation is so bad that, canteen culture aside, police officers themselves routinely laugh at the GMC when the subject of doctors being disciplined comes up.

None of this has been helped by doctors fiercely opposing increased training places to maintain their exclusivity and the high status and high pay they have negotiated. As for the issue of ethics it is widely known that within the UK state NHS monopoly and NICE that "gold standard" medical interventions are in too many cases dated or built on Spanish practices to maintain empires or because they are cheap. Doctors also regularly flout directions from the GMC especially with respect to discrimination issues and have flouted both European and UK court judgments to the point where the judges lost their temper and the Royal College of Surgeons after two years of sitting on their hands had to go through the motions of saying that doctors needed to revise their practices. While the back of the Police Federation has been broken police "no criming" and corruption and misuse of law continues as has been hinted at in recent national media coverage. While things have moved on from one police officer's word being worth the word of two citizens, doctors still retain this favoured status.

Oh, where to begin with lawyers' sense of ethics. I'm not sure how to write this up without a big think but there are definitely areas of law where lawyers are broadly recognised as being incompetent, especially for mentally ill people without capacity many of whom are the most vulnerable, and have been guilty of prioritising cases which can be used for politically driven marketing rather than proper evaluation of a case on its merits. Legal representation is almost always tactical with very little in the way of strategic legal action. I could add more but it is more a list of nitpicks from personal experience than a coherent narrative exposing major failure points of professionalism and ethics.

@Scott @MikeA

In theory a company's equality officer is supposed to sanity check policy and decisions for a company. In practice they are often no more than a fig leaf with no authority to prevent discriminatory action. Given the rise of cutting corners to get to market and meet price points which has become increasingly fashionable over the past few decades, how effective are quality control officers if they exist at all? Companies may have policies but if there is nothing behind a policy it's often just a position statement and discussion document with no follow through until they get caught out, isn't it?

Billy Bob • September 21, 2018 3:40 PM

@Clive Robinson well that's good point regarding different sweet spots...

thanks for the interesting remarks from the rest of you too...

John Panzer • September 22, 2018 10:50 PM

@ Andy -- You've basically just described the exact operation of the Stuxnet worm. And we now know for certain that state level actors are actively trying to penetrate our election systems with exactly the methods you'd expect as step 1 (phishing people on vulnerable systems peripherally connected to voting systems).

John Beattie • September 24, 2018 1:47 PM

Designing secure voting requires an understanding that the threat comes from within and from within at every level. All(*) the people involved in designing, building, testing, installing, administering, managing the vote process are themselves voters and members of civil society. Some of them are immediately affected by the consequences of elections.

Every single one of them is motivated to some degree or other to subvert the voting process. That is why the best mechanisms are the simplest and the plainest. This lesson is available from the analysis of any voting system: if it works, it is simple and plain and checked by multiple independent people. If it doesn't, then it wasn't simple or plain or checked or some combination.

At the other end of the spectrum, the non-plain, non-simple, non-checked end, that is why secure voting machines are so difficult to build.

As a working principle, honest voting machines are impossible to build.

(*) My argument applies to the exceptions as well: they are likewise motivated, perhaps by other things but motivated nonetheless.
