Security flaws of existing electronic voting
systems
by Slavik Krassovsky
Introduction
In the “Help America Vote Act” which was passed in 2002 US Congress appropriated
$3.9 billion to establish a program to help individual states replace punch card voting
systems with a modern age technology.
In many states, the natural choice for the replacement was Direct Recording Electronic or
DRE, a type electronic voting system that already existed on the market and was
produced by several vendors: ES&S, MicroVote, WINvote, Sequoia, Hart InterCivic,
Diebold and such.
Federal act mandates that machines are only allowed to be used for elections, when
certified by independent testing authorities, which should, at least on paper, make sure
that they are secure.
Today millions of people vote on DRE systems every year thus entrusting the democratic
process to these machines. Nevertheless numerous security experts raise concerns about
DREs. In this paper we’ll discuss how these machines are built, overview the problems
encountered so far with these machines as well as review security attacks on such
machines.
Architecture of a typical DRE machine
Typical DRE machines have flat panel display screen with touch-screen input, smart card
reader that allows distinguishing one voter from another (voters receive a smart card
when they come to the polling station and return it once they’ve done voting) and a hard
drive that contains ballot definition and votes audit log. Ballot definitions could be
downloaded either from a floppy/flash memory or from a network. After the voting day is
over the results could be uploaded to a central server for final tabulation.
Network
Touch Screen
Voter
Smart Card Reader
HardDrive
Typical cost of such a system is estimated to be around $8000 per voting station.
Certification process
Machines are tested and certified by three private companies - Ciber, Wyle, and SysTest
– which are referred to as Independent Testing Authorities (ITAs). The ITAs are certified
by the National Association of State Election Directors, but are not subjected to any
government oversight. Individual states may have additional requirements that are
certified by the ITAs. Vendors that produce the machines, pay for all testing.
The first Federal Election Commission (FEC) standard for electronic voting machines,
issued in 1990, was replaced with a newer standard of 2002, however many voting
systems in use today were certified to the 1990 standards.
In any case off-the-shelf hardware and software (i.e. common motherboards or Windows
OS) are exempt from the certification process.
The certification results are not being made public presumably due to intellectual
property concerns.
Reported problems
Although there is no central authority that keeps track of voting equipment problems,
evidence of security, software or hardware problems were reported in the media, here are
some examples:
January 2004, Broward County, Florida:
134 out of 10,844 votes cast on a ballots with a single contest were missing. It was
particularly disturbing, since the winning candidate won by only 12 votes and there was
no way of telling if some had been lost by the ES&S DRE system that was employed.
November 2005.Alameda County CA. Touch screen voting machines switched votes on
statewide propositions.
November 2003, Boone County, Indiana:
over 144,000 votes were cast even though Boone County contains fewer than 19,000
registered voters. Of those, only 5,532 actually voted. The county clerk stated that the
problem was caused by a “glitch in the software.”
November 2003, Hinds County, Mississippi:
in, voters arrived to find the WINvote DREs at the polls were down and stayed down for
the rest of the day.
Numerous other machine malfunction problems are listed here:
http://www.votersunite.org/electionproblems.asp?sort=date&selectstate=ALL&selectpro
blemtype=Machine+malfunction
Perhaps the most illustrious example of the problems was the discovery of Diebold
voting machine software on an open FTP website. Tadayoshi Kohno at al subsequently
analyzed that software and published a security analysis in a paper. Numerous problems
were reported in the analysis, such as single hardcoded DES key to encrypt all of the data
on a storage device, usage of DES itself, absence of secure smart card authentication.
Further reports of the system found even more vulnerabilities such as hard coded pin of
election official’s smart card.
All in all there is reasonable evidence that would fortify an assertion that certification
process is not capable of detecting all software flaws.
Attacks
Various components of the system could be subjected by an attack from a number of
parties: malicious voters, members of the polling station staff, outside hackers.
Here we’ll list some of more important attacks and give examples of what could be done:
1. Attacks on a smart card, smart card <-> voting station interface protocol
If properly designed, smart cards are powerful security instruments. In some cases (Diebold is the
prime example), smart cards could be an entry point of an attack. Because of a lack of
cryptography, there was no secure authentication of the smartcard to the voting station employed.
i.e. there is no mechanism to prevent a user to use his/her own smartcards to vote multiple times.
2. Attack on the harddrives capabilities
Machine’s hard drives could be subjected to tampering by someone who have access to the
physical machines prior or after the elections. In case of Diebold the data on the harddrive was
encrypted but by a single well-known company wide key.
3. Attack on the network capabilities of the system
Variety of avenues here – one being producing a malicious voting station that would report the
result to the tabulating authority after the vote day is over.
4. Insert backdoors into code attacks
This could be done by someone from the poll crew or even someone who works for the company
that produces DREs. Although certification process allows code reviews it’s still conceivably
possible to hide a piece of malicious code that is difficult to spot.
5. Insert backdoors into OS/hardware, compiler/linker/loader – other development software.
Since these pieces are not even analyzed by ITAs, this constitutes a conceivable vector of attack.
Table 1: lists attacks summarized by researches who analyzed the Diebold system:
Conclusion
There are a great number of concerns regarding the DREs such as:
- Voters have no way to verify that their votes were recorded correctly.
- There is no way to publicly count the votes.
- Meaningful recounts are impossible.
- Certification process does not work, as we see on the example of Diebold.
- Other vendors do not expose their machines for public scrunity.
- DREs are vulnerable to undetectable rigging.
Some of these concerns could be alleviated by more strict certification process, but some,
for example public recounts are not even allowed by the design or cost-effective to
implement (for example it is inconceivable to review the source code Windows OS by an
ITA at a reasonable cost). That suggests that DREs are inherently unsecure and it’s
prudent to employ other alternatives.
References
[1] A. Keller, D. Mertz, J. Hall, and A.Urkin. Privacy issues in an electronic voting
machine.
http://gnosis.cx/publish/voting/privacy-electronic-voting.pdf
[2] Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S.Wallach. Analysis
of an electronic voting system. In IEEE Symposium on Security and Privacy, pages
27–40, May 2004.
http://avirubin.com/vote.pdf
[3] Diebold Inc, Checks and balances in elections equipment and procedures
prevent alleged fraud scenarios, July 30, 2003
http://www2.diebold.com/checksandbalances.pdf
[4] Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S.Wallach. Response
to Diebold's Technical Analysis, 2003. http://avirubin.com/vote/response.html
[5] Paul Kocker and Bruce Schneier. Insider risks in elections.
http://www.ece.cmu.edu/~adrian/630-f05/readings/insiderRisks-kocher-schneier.pdf
[6] David Jefferson, Aviel D. Rubin, Barbara Simons, David Wagner. A Security
Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)
http://www.servesecurityreport.org/paper.pdf
[7] J. Schwartz. Defense Dept. Cancels Use of Internet Voting Project (NYT article)
http://www.nytimes.com/2004/02/05/politics/campaign/05CNDVOTE.html?ex=1141794000&en=479a1c9f9e1ee134&ei=5070
[8] Brad Arkin. Securing the eSlate Electronic Voting System
http://www.hartic.com/files/HART_SYMANTEC_SECURITY_REPORT_White_Paper.
pdf
[9] Francis Petruziello. Ney says HAVA solves election problems (newspaper article)
http://www.csuohio.edu/clevelandstater/glance/glance1.html
[10] Rebecca Mercuri, Critique of "Analysis of an Electronic Voting System" document.
http://www.notablesoftware.com/Papers/critique.html
[11] Private communication with Josh Benaloh, 2006.
[12] Aviel D. Rubin. Testimony, U.S. Election Assistance Commission. 2004
http://avirubin.com/eac.pdf
[13] Aviel D. Rubin. Testimony, U.S. Election Assistance Commission. 2005
http://avirubin.com/eac2.pdf
[14] CBS show 60 Minutes. October 27, 2004
http://avirubin.com/vote/60minutes.mov
[15] Avi Rubin. Can a Voting Machine that is Rigged for a Particular Candidate Pass
Certification?
http://avirubin.com/vote/ita.challenge.pdf
[16] Help America Vote Act of 2002, Public Law 107-252
http://www.fec.gov/hava/hava.htm