Guest Blogged by Dan Wallach of Rice University…
Ed Note: We recently ran an article covering vote-rigging software whistleblower Clint Curtis’ testimony last week during a hearing before the Texas Legislature’s House Committee on Elections. Curtis detailed for legislators how easy it is to flip an election electronically, without detection. Here is another perspective from that same hearing…
Last week, I testified before the Texas House Committee on Elections (you can read my testimony). I’ve done this many times before, but I figured this time would be different. This time, I was armed with the research from the California “Top to Bottom†reports and the Ohio EVEREST reports. I was part of the Hart InterCivic source code team for California’s analysis. I knew the problems. I was prepared to discuss them at length.
Wow, was I disappointed. Here’s a quote from Peter Lichtenheld, speaking on behalf of Hart InterCivic:
You can find the whole hearing online (via RealAudio streaming), where you will hear the Diebold/Premier representative, as well as David Beirne, the director of their trade organization, saying essentially the same thing. Since this seems to be the voting system vendors’ party line, let’s spend some time analyzing it.
Did our work cast light on questions of security? Our work found a wide variety of flaws, most notably the possibility of “viral†attacks, where a single corrupted voting machine could spread that corruption, as part of regular processes and procedures, to every other voting system. In effect, one attacker, corrupting one machine, could arrange for every voting system in the county to be corrupt in the subsequent election. That’s a big deal.
At this point, the scientific evidence is in, it’s overwhelming, and it’s indisputable. The current generation of DRE voting systems have a wide variety of dangerous security flaws. There’s simply no justification for the vendors to be making excuses or otherwise downplaying the clear scientific consensus on the quality of their products.
Were we given unfettered access? The big difference between what we had and what an attacker might have is that we had some (but not nearly all) source code to the system. An attacker who arranged for some equipment to “fall off the back of a truck†would be able to extract all of the software, in binary form, and then would need to go through a tedious process of reverse engineering before reaching parity with the access we had. The lack of source code has demonstrably failed to do much to slow down attackers who find holes in other commercial software products. Debugging and decompilation tools are really quite sophisticated these days. All this means is that an attacker would need additional time to do the same work that we did.
Did we have a threat model? Absolutely! See chapter three of our report, conveniently titled “Threat Model.†The different teams working on the top to bottom report collaborated together to draft this chapter. It talks about attackers’ goals, levels of access, and different variations on how sophisticated an attacker might be. It is hard to accept that the vendors can get away with claiming that the reports did not have a threat model, when a simple check of the table of contents of the reports disproves their claim.
Was our work a “realistic approximation†of what happens in a real election? When the vendors call our work “unrealisticâ€, they usually mean one of two things:
1. Real attackers couldn’t discover these vulnerabilities
2. The attackers can’t be exploited in the real world.
Both of these arguments are wrong. In real elections, individual voting machines are not terribly well safeguarded. In a studio where I take swing dance lessons, I found a rack of eSlates two weeks after the election in which they were used. They were in their normal cases. There were no security seals. (I didn’t touch them, but I did have a very good look around.) That’s more than sufficient access for an attacker wanting to tamper with a voting machine. Likewise, Ed Felten has a series of Tinker posts about unguarded voting machines in Princeton.
Can an attacker learn enough about these machines to construct the attacks we described in our report? This sort of thing would need to be done in private, where a team of smart attackers could carefully reverse engineer the machine and piece together the attack. I’ll estimate that it would take a group of four talented people, working full time, two to three months of effort to do it. Once. After that, you’ve got your evil attack software, ready to go, with only minutes of effort to boot a single eSlate, install the malicious software patch, and then it’s off to the races. The attack would only need to be installed on a single eSlate per county in order to spread to every other eSlate. The election professionals and procedures would be helpless to prevent it. (Hart has a “hash code testing†mechanism that’s meant to determine if an eSlate is running authentic software, but it’s trivial to defeat. See issues 9 through 12 in our report.)
What about auditing, reconciliation, “logic and accuracy†testing, and other related procedures? Again, all easily defeated by a sophisticated attacker. Generally speaking, there are several different kinds of tests that DRE systems support. “Self-tests†are trivial for malicious software to detect, allowing the malicious software to either disable and fake the test results, or simply behave correctly. Most “logic and accuracy†tests boil down to casting a handful of votes for each candidate and then doing a tally. Malicious software might simply behave correctly until more than a handful of votes have been received. Likewise, malicious software might just look at the clock and behave correctly unless it’s the proper election day. Parallel testing is about pulling machines out of service and casting what appears to be completely normal votes on them while the real election is ongoing. This may or may not detect malicious software, but nobody in Texas does parallel testing. Auditing and reconciliation are all about comparing different records of the same event. If you’ve got a voter-verified paper audit trail (VVPAT) attachment to a DRE, then you could compare it with the electronic records. Texas has not yet certified any VVPAT printers, so those won’t help here. (The VVPAT printers sold by current DRE vendors have other problems, but that’s a topic for another day.) The “redundant†memories in the DREs are all that you’ve got left to audit or reconcile. Our work shows how this redundancy is unhelpful against security threats; malicious code will simply modify all of the copies in synchrony.
Later, the Hart representative remarked:
This line of argument depends on the fact that most of Hart’s customers will never bother to read our actual report. As it turns out, this was largely true in the initial rules from the CA Secretary of State, but you need to read the current rules, which were released several months later. The new rules, in light of the viral threat against Hart systems, requires the back-end system (â€SERVOâ€) to be rebooted after each and every eSlate is connected to it. That’s hardly “as-isâ€. If you have thousands of eSlates, properly managing an election with them will be exceptionally painful. If you only have one eSlate per precinct, as California required for the other vendors, with most votes cast on optical-scanned paper ballots, you would have a much more manageable election.
What’s it all mean? Unsurprisingly, the vendors and their trade organization are spinning the results of these studies, as best they can, in an attempt to downplay their significance. Hopefully, legislators and election administrators are smart enough to grasp the vendors’ behavior for what it actually is and take appropriate steps to bolster our election integrity.
Until then, the bottom line is that many jurisdictions in Texas and elsewhere in the country will be using e-voting equipment this November with known security vulnerabilities, and the procedures and controls they are using will not be sufficient to either prevent or detect sophisticated attacks on their e-voting equipment. While there are procedures with the capability to detect many of these attacks (e.g., post-election auditing of voter-verified paper records), Texas has not certified such equipment for use in the state. Texas’s DREs are simply vulnerable to and undefended against attacks.
CORRECTION: In comments at Freedom-to-Tinker, one commentor, Tom, points out that Travis County (Austin) does perform parallel tests. Other Texas counties don’t. This means that some classes of malicious machine behavior could potentially be discovered in Travis County.
Republished from Freedom-to-Tinker…
I know this is off topic and totally shameless, but Utah’s largest circulation newspaper did a story about my Impeach Bush efforts and I wanted some of the old standbys here at my old stomping grounds to see it.
Sorry, but I just never got enough attention as a kid.
Hooray, Larry! 😛
It is not just that the current generation of electronic voting machines that pose an unacceptable risk to election integrity because of poor design. Using computer controlled machines will always pose a risk. The greatest risk will come from good design that builds hidden vote stealing facilities into the hardware.
Wherever there are elections there are people who see the benefit of rigging them in favour of a candidate they prefer and willing to do so. When voting is based on physical paper ballots written on with ink or pencil, the rigging of an election presents a huge logistical problem and it is difficult to do so without leaving some evidence. However if the counting is performed by machines that are architypical black boxes, supposed to do a certain function in a certain way, but where an observer has no means of inspecting the insides of the black box to verify that it in fact does function as intended, then election rigging becomes trivially easy, especially if the party in power and controlling the electoral authorities who oversee the black boxes is the one who wants to do the rigging, as is the case in Robert Mugabe’s Zimbabwe or George W Bushes’ United States.
Even if you verify that the code in each machine before the election starts is that that has been inspected and validated there is no way to know that the code is still in control machine one second later.
The most obvious way to facilitate vote rigging is not to muck around with viral code, but to control the company that manufactures the hardware and to design special hardware features that can be activated selectively as required to switch vote stealing software into place after any validation tests have been completed. If use of electronic voting becomes normal, then the development of machines with built in facilities is inevitable.
In the early years of home microcomputers the maximum address range allowed by the microprocessors then used was only 64K. Some manufactures expanded the physical memory to 256K or larger by using bank switching. Different banks of say 16k of memory would be switched into a certain address range of the same size by storing address selection information into register on the main board. Imagine using this same technique on the ROM BIOS so that according to the setting of some switch on the motherboard an alternate BIOS with features to facilitate a switch from vote counting software to vote stealing software could be activated. The switch could be something simple such as a jumper or DIP switch on the mainboard, or it could be something more complicated such as a radio activated switch that responds to a pulse of a particular frequency to switch banks. Only a thorough analysis of the hardware at the circuit level by independent engineers could detect such built in facilities. If such features were implemented by arrangements of standard components soldered into the motherboard then analysis would be possible though tedious. However if they could be implemented inside large scale integration integrated circuit modules then detecting them by analysing the hardware would be almost impossible. For example, imagine designing a plug compatible replacement for one of the Intel processors used in such machines, that has a trapdoor allowing external control when certain conditions occur. Analysing large scale integrated circuits at the circuit level would be extremely expensive and involve destroying the component, and if the circuit was something that could be replaced in the normal course of main board repair by pulling one out of its Zero Insertion Force socket and pushing a replacement one in, then there would be no way to guarantee that a machine is not gimmicked imeddiately after its last inspection.
Using machines to record votes can never be guaranteed to be safe, not today, not after another hundred years. In facts every improvement in the underlying technolgy will make incorporation of hidden vote stealing features easier and the detection of such facilities more difficult.
Thanks for the tribute on Blue Bear’s site. There is one glaring error in the article. I am definitely NOT retired. That’s why I haven’t been around as much. I am working 6 days a week and have very little time.
You spelled my name wrong, darnit!
Sorry! That was a typo. I know how to spell yer name. I was just too punchy….
Slow down, girl!