Archive for February, 2008

In case you thought this was only a problem in the United States

Wednesday, February 13th, 2008

Here’s a good paper analyzing the Nedap/Groenendaal ES3B machine used in The Netherlands. My favorite bit is when they hacked the machine to play chess.

Nedap Plays Chess

It started with what we thought was a very obvious statement. We claimed on our website that the Nedap was just another computer, and that as such it could just as easily be programmed to play chess or to lie about the election results. We didn’t think more of it until Jan Groenendaal, placed a document on the Nedap/Groenendaal website to talk about our website “Wij vertrouwen stemcomputers niet”. In it, he says: “[…] And with regard to the claim that our machine can play chess: I’d like to see that demonstrated”.

So obviously, one of our first goals now that we had access to the device was to make it play chess. Apart from proving our point, programming it to do this would also confirm that we knew everything we needed to know about the hardware before getting into the election fraud business. After having learned roughly how the hardware worked we used a gcc 68000 crosscompiler to create a Nedap IO-library containing functions to initialize the system, write data to the display, read the keyboard, and write debug messages to the UART. Together with newlib, a small clib implementation, we then managed to compile and run Tom Kerrigan’s Simple Chess Program (TSCP). This was non-trivial only because we had to squeeze out quite a few tables to make it run using only the available 16 kBytes of RAM. Getting the chess pieces to magnetically attach (the keyboard is mounted at an angle) was also not that easy since the foil switches are stuck to a plastic base. We ended up using 2 and 5 Eurocent coins underneath the paper, taped such that we could press the underlying foil switches with the edge of the coin.

It knows all the rules and every now and then it can be surprisingly clever for what it is. But in all honesty we have to admit that it does not play chess all that well.

In more serious research they also developed malicious software that would manipulate the vote totals.

NY Times on voting machines

Wednesday, February 13th, 2008

A good article on recent history and where things stand today with voting machines. A quote:

The earliest critiques of digital voting booths came from the fringe — disgruntled citizens and scared-senseless computer geeks — but the fears have now risen to the highest levels of government. One by one, states are renouncing the use of touch-screen voting machines. California and Florida decided to get rid of their electronic voting machines last spring, and last month, Colorado decertified about half of its touch-screen devices. Also last month, Jennifer Brunner, the Ohio secretary of state, released a report in the wake of the Cuyahoga crashes arguing that touch-screens “may jeopardize the integrity of the voting process.” She was so worried she is now forcing Cuyahoga to scrap its touch-screen machines and go back to paper-based voting — before the Ohio primary, scheduled for March 4. Senator Bill Nelson, a Democrat of Florida, and Senator Sheldon Whitehouse, Democrat of Rhode Island, have even sponsored a bill that would ban the use of touch-screen machines across the country by 2012.

Generally a good article, although it tends to oversimplify - touch-screen does not have to mean paperless, for example. There’s a bit in the last page that points out that optical scan ballots are not a panacea:

Still, optical scanning is hardly a flawless system. If someone doesn’t mark a ballot clearly, a recount can wind up back in the morass of arguing over “voter intent.” The machines also need to be carefully calibrated so they don’t miscount ballots. Blind people may need an extra device installed to help them vote. Poorly trained poll workers could simply lose ballots. And the machines do, in fact, run software that can be hacked: Sancho himself has used computer scientists to hack his machines.

A DRE+VVPAT system can offer accessibility features that a sheet of paper alone cannot, and can also simplify complex ballots. I spoke to an election judge from Half Moon Bay who described just how complex the paper balloting procedure is during a primary election. They must have ballots on hand for each of twelve registered political parties, with instructions written in any language spoken by more than 5% of the local population, which in his case is English, Chinese and Spanish. The resulting thirty-six ballots are difficult to handle.

Funny

Wednesday, February 13th, 2008

Funny.

Voting experience or “I want my VVPAT”

Tuesday, February 12th, 2008

I just voted on a Diebold AccuVote-TS (I will call them Diebold machines as long as they have Diebold branding all over them). Everything went very smoothly - I was greeted by friendly and knowledgeable elections workers, the touchscreen was calibrated, my vote was presented to me for review, I mashed on the “Cast Vote” button on the screen, and then… poof. Nothing. I had no tangible evidence that my vote was recorded according to my wishes.

VVPAT is voter verified paper audit trail. It means a piece of paper records your vote choice in parallel with the electronic record. Many experts recommend mandatory VVPAT in conjunction with audits that reconcile the paper with the electronic counts for a statistically meaningful sample of available data. I don’t know about the Maryland audit procedures, but since there’s no VVPAT, there’s nothing to audit.
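To make the reconciliation step and the idea of a “statistically meaningful sample” concrete, here is an added example (not from the original post, and a simplification of real audit designs): the per-precinct electronic totals and the hand counts of the VVPAT paper are constructed values, and the detection probability is the standard hypergeometric calculation for drawing precincts without replacement.

```python
from math import comb

# Constructed sample data (not real election figures): electronic totals
# reported by the DRE for every precinct, and the hand count of the VVPAT
# paper for the precincts drawn in the audit sample.
ELECTRONIC = {
    "P01": {"A": 412, "B": 388},
    "P02": {"A": 530, "B": 501},
    "P03": {"A": 299, "B": 310},
    "P04": {"A": 601, "B": 577},
    "P05": {"A": 450, "B": 449},
}
PAPER_SAMPLE = {
    "P02": {"A": 530, "B": 501},
    "P03": {"A": 289, "B": 320},   # paper disagrees: 10 votes moved A -> B
}


def reconcile(electronic, paper):
    """Compare each sampled precinct's paper count with its electronic total.
    Returns {precinct: {candidate: electronic - paper}} for precincts where
    any candidate total differs; an empty dict means the sample reconciles."""
    discrepancies = {}
    for precinct, paper_totals in paper.items():
        diff = {c: electronic[precinct][c] - n
                for c, n in paper_totals.items() if electronic[precinct][c] != n}
        if diff:
            discrepancies[precinct] = diff
    return discrepancies


def detection_probability(total, tainted, sampled):
    """Probability that a uniform random sample of `sampled` precincts out of
    `total` contains at least one of `tainted` manipulated precincts:
    1 - C(total - tainted, sampled) / C(total, sampled)."""
    if not (0 <= tainted <= total and 0 <= sampled <= total):
        raise ValueError("tainted and sampled must lie between 0 and total")
    return 1 - comb(total - tainted, sampled) / comb(total, sampled)


def sample_size(total, tainted, confidence=0.95):
    """Smallest number of precincts to hand count so that, if `tainted` of the
    `total` precincts were manipulated, at least one of them lands in the
    sample with probability >= confidence."""
    for n in range(1, total + 1):
        if detection_probability(total, tainted, n) >= confidence:
            return n
    return total
```

With these numbers, P03 is flagged with a net shift of 10 votes, and hand counting 45 of 100 precincts is enough to catch a manipulation of 5 precincts with 95% probability.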

In an earlier post I discuss security requirements for a voting system. Let’s just review how well they were met today.


Important articles

Tuesday, February 12th, 2008

The Problem With Voting Machines

Bruce Schneier is a vital source for keeping track of news in the area of cryptography and security. In 2004 he published an article on his blog entitled The Problem With Voting Machines. At the start of that article he summarizes the four required characteristics of a voting system: accuracy, anonymity, scalability and speed.

Accuracy means both correctly capturing voter intent in a cast vote record of some form and then protecting it from modification, loss or forgery. Anonymity is the same as ballot secrecy or voter privacy - the principle that a voter’s identity can in no way be determined from the cast vote record. Scalability refers to the ability for the systems to handle the large surges of usage that come on election day, as well as the complexity of overlapping jurisdictions. Speed means the ability for the system to produce official results rapidly.

Schneier’s recommendation is twofold - first that all DREs must use VVPAT and second that software must be open to public scrutiny.

Why Johnny Can’t Vote

Barbara Simons is a past president of the Association for Computing Machinery and expert on voting systems. In March 2005 she wrote a valuable editorial in the APS News. I highly recommend reading the whole thing, but her conclusion is worth quoting in its entirety:

The issue of e-voting should have been primarily a technological issue—one involving computer security, human factors, reliability, and efficiency. Instead, because of the vast sums of money involved, e-voting has been heavily politicized.

Election officials were told that DREs in the long run would be cheaper than alternative voting systems. They were told that DREs had been extensively tested and that the certification process guaranteed that the machines were reliable and secure. No mention was made of the significant costs of testing and of secure storage of DREs; no mention was made of the inadequacy of the testing and certification processes, to say nothing of the difficulty of creating bug-free software.

Technologists are attempting to educate election officials, policy makers, and the public about the risks of paperless DREs. It is critical for the continued existence of democracy throughout the world that we succeed.

Important voting studies

Tuesday, February 12th, 2008

Here’s a quick survey of some of the recent studies of voting system security.

California Secretary of State’s Top to Bottom Review

This study took place from March to August of 2007, and consisted of three efforts in parallel - documentation review, source code review, and red-team testing. It covered machines from four major vendors, Diebold Elections Systems (now Premier Elections Systems), Hart InterCivic, Sequoia Voting Systems, and Elections Systems and Software (ES&S).

Bruce Schneier summarized the results thus:

The state of California conducted a security review of their electronic voting machines earlier this year. This was a serious review, with real security researchers getting access to the source code. The report was issued last week, and the researchers were able to compromise all three machines — by Diebold Election Systems, Hart Intercivic, and Sequoia Voting Systems — multiple ways. (They said they could probably find more ways, if they had more time.)

Brennan Center Report

In 2005 the Brennan Center for Justice published a report with input from numerous voting system and security experts. They surveyed DRE, DRE+VVPAT and OpScan systems, and found problems common to all types and produced recommendations for how to mitigate those problems. The most serious common problem is that all systems are subject to code substitution attacks in which a device’s firmware is replaced with a malicious firmware image that can manipulate the stored vote according to the attacker’s wishes.

The recommendations were aimed at elections administrators, providing guidance on how jurisdictions could attempt to mitigate vulnerabilities procedurally, rather than offering technical recommendations.

GAO Report

The Government Accountability Office produced a report on electronic voting in 2005. Top concerns in their document include the lack of protection of audit records from tampering, the ability to modify the electronic ballot definition so that the voter is presented with an incorrect ballot, and vendors distributing uncertified software images.

UPDATE: Thanks to Rick for jogging my memory.

An Analysis of an Electronic Voting System

This paper was published in 2003 highlighting numerous attack vectors against the Diebold Accuvote-TS. It was criticized by the vendor for not taking into account procedural controls to mitigate problems. The back and forth on this topic can be found at Avi Rubin’s site.

SAIC Report

After the above was published, the State of Maryland commissioned a report from SAIC on the Diebold Accuvote-TS. It supported many of the findings in the above paper, and had a long list of recommended changes to be applied to the Accuvote-TS. If anyone is aware of an official response from Diebold please post a link in the comments.

Questions for Vendors

While tracking down the links above, I stumbled across Dr. Rubin’s list of questions to ask your voting machine vendor.

Voting machine terms defined

Tuesday, February 12th, 2008

There are many types of devices that can be described as voting machines. Here are some common terms and jargon used in the field.

DRE: Direct Recording Electronic. A device that gathers votes through a user interface, stores them internally, and then produces a tabulation of the votes at the end of the voting period.

OpScan: Optical Scanner. This device tabulates the vote result by scanning paper ballots that might be bubble sheets filled in by the voters, or might be produced from a ballot printer.

VVPAT: Voter verified paper audit trail. This is the capability for a voting machine to produce a lasting paper record which is reviewed by the voter prior to casting the final vote.

What is a soft prototype?

Sunday, February 10th, 2008

In short, a “soft prototype” is one that I can develop using minimal financial resources, i.e. a bootstrap to lift up the enterprise. I envision a CD or downloadable ISO image that can boot an ordinary PC into a mock voting machine. The soft prototype will be made available to researchers, elections officials and activists to put it through its paces, primarily as a promotional device (quality assurance will be achieved by in house testing rather than relying on the public).

Since the soft prototype must run on various arbitrary hardware platforms, not all of the hardware components in the final product can be assumed to exist. In particular it will not use a hardware security module for cryptographic algorithms or key storage. Any security analysis of the prototype should understand that the final version will use a FIPS 140-2 certified cryptographic module in accordance with the requirements in VVSG08.

Voting as a security problem

Sunday, February 10th, 2008

Voting is one of the most vexing security arenas to be found, and beware of those that try to simplify the problem. A number of core issues make voting much more challenging than more traditional security domains such as the financial industry and the military. Predominant among these issues are the principles of ballot secrecy, vote integrity, and mutual suspicion.

Ballot Secrecy

The secret ballot is a cornerstone of democracy. Voting in secret prevents manipulation of elections by means of vote buying or voter coercion. In technology terms, it means that no information shall link the voter to the record of their ballot.

Vote Integrity

As a security term, integrity simply means the assurance that a data item is unchanged, and thus that it has not been tampered with or modified. If a vote is recorded without integrity protections, the final tally is suspect since it could have been changed along the way.

Mutual Suspicion

In many security domains there are trusted agents who are assumed not to attempt to subvert the system. In Common Criteria protection profiles you often find an assumption labeled “NO_EVIL_ADMIN”, which simply means that to satisfy the security claims for the product you must assume that the administrators of the product are trusted; if they are not trusted, you cannot satisfy those security claims in most cases. This approach is not satisfactory in the voting arena.

After the jump, a comparison to the security requirements in the financial industry, particularly ATMs.


On Transparency

Sunday, February 10th, 2008

trans·par·ent, [trans-pair-uh nt] adj.

1. transmitting light, able to be seen through with clarity;
2. open, frank, candid;
3. guileless.

In an optics context, transparency connotes the unhindered transmission of light. In a broader context, the term implies openness, communication and accountability. When applied to voting technology, Verified Voting describes the term as

election procedures should promote openness along with security; election laws should make it easy for candidates and/or voters to get reliable, manual recounts in close elections or when there is initial evidence of a problem in the election; and most importantly, citizens must be able to freely participate in observing elections.

For a manufacturer of voting equipment, transparency refers to the availability of information about the design and testing of the equipment. This can include availability of source code, design documentation, information about test methodology and results, vulnerability analyses, bug databases, and more. Making this information available for public analysis and scrutiny promotes public acceptance of and trust in the equipment. It can be argued that the major manufacturers currently practice transparency only when it cannot be avoided, and then to the minimum extent possible, and this promotes the current distrust of manufacturers among the voting integrity community.

In The Transparent Society, David Brin points out that “It is hard for recent cave dwellers to transform themselves into smart, honest, and truly independent creatures of light.”