Lecture 7 - Electronic Voting - Spring 2010

Computer Science 654
Lecture 7: Electronic Voting
Security Issues
Wayne Patterson
Professor of Computer Science
Howard University
Spring 2009
Automated and e-Voting



Automated voting systems have been in
existence for over a century
Only came into public use in the 1980s
An electronic voting (or e-voting) system is a
voting system in which the election data is
recorded, stored and processed primarily as
digital information.
Hanging Chads and Funny Ballots

In the United States, interest in electronic voting rose
after the fiasco of the 2000 presidential election in
Florida with confusing ballots and “hanging chads”
Other Country Examples of
Electronic Voting

Australia
In October of 2001 electronic voting was used for the first time in an Australian
parliamentary election (8.3%).
Belgium
started in 1991. It is widely used since 1999.
Brazil
Since 2000, all Brazilian elections have been fully electronic.
Canada
used since at least the 1990s at the municipal level in many cities
Estonia
first country to have legally binding general elections using the Internet – 2005
France
remote Internet voting for the first time in 2003 when French citizens living in the
United States elected their representatives to the Assembly of the French Citizens
Abroad.
Germany
About 2000 machines have been used in the 2005 Bundestag elections covering
approximately 2 million voters
Nedap
India
Electronic voting in India was first introduced in 1989 and used on an experimental basis.
Other Country Examples of
Electronic Voting

Ireland
Nedap machines were used on a 'pilot' basis in some constituencies in two elections in
2002. Due to campaigning, the machines have not been used since.
Italy
experimented in the 2006 elections with electronic voting machines from Nedap
Netherlands
Since the late nineties, voting machines are used extensively during elections.
Norway
carried out pilots in three municipalities at local elections in 2003 on voting machines
in the polling stations using touch screens.
Romania
first implemented electronic voting systems in 2003, on a limited basis, to extend
voting capabilities to soldiers
Switzerland
Several cantons (Geneva, Neuchâtel and Zürich) have developed Internet voting test
projects to allow citizens to vote via the Internet or by SMS.
United Kingdom
Voting pilots have taken place since 2000 in England, and in Scotland,
scanners will be used to electronically count paper ballots in the Scottish
Parliament general election in 2007.
Machine Manufacturers

AccuPoll/Unisys
Advanced Voting Solutions
Avante
Diebold (US)
Danaher Corporation (Guardian Voting Systems)
Election Systems and Software (ES&S) (US)
Hart Intercivic (US)
Inkavote (EDS)
Liberty/NEDAP
Powervote
Microvote
Populex
Sequoia/Smartmatic
Unilect
VoteHere (Dategrity)
Vote-PAD
ES&S iVotronic
Sequoia
The Rubin/Johns Hopkins Attack on
Diebold



May 2004 IEEE Symposium on Privacy and Security
Analysis of the source code
“Far below even the most minimal security standards
applicable in other contexts.”







Unauthorized privilege escalation
Incorrect use of cryptography
Vulnerabilities to network threats
Poor software development processes
No “voter-verified audit trail”
KEY MANAGEMENT. All of the data on a storage device is
encrypted using a single, hardcoded DES key:
#define DESKEY ((des_key*)"F2654hD4")
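
Why one compiled-in key is a key-management failure, as an added example that is not code from the Rubin report or from Diebold. It uses HMAC tags from the Python standard library in place of the DES encryption on the slide; the master secret, unit names and election id are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

HARDCODED_KEY = b"F2654hD4"  # the constant from the slide: identical on every machine
MASTER_SECRET = b"constructed-secret-held-by-election-office"  # assumption, never on a device

def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it to `length` bytes."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def shared_key(device_id: str) -> bytes:
    """Weak scheme: the device id is ignored, every unit gets the same key."""
    return HARDCODED_KEY

def derived_key(device_id: str, election_id: str = "constructed-election-01") -> bytes:
    """Per-device, per-election key; only the derived key is loaded onto the unit."""
    return hkdf_sha256(MASTER_SECRET, election_id.encode(), b"records|" + device_id.encode())

def seal(key: bytes, record: bytes) -> bytes:
    """Prefix the record with an HMAC-SHA256 tag so any change is detectable."""
    return hmac.new(key, record, hashlib.sha256).digest() + record

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the record if its tag verifies under `key`, otherwise None."""
    tag, record = blob[:32], blob[32:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return record if hmac.compare_digest(tag, expected) else None

def accepted_elsewhere(key_for) -> bool:
    """Is a record sealed with unit A's key accepted when checked as unit B's?"""
    blob = seal(key_for("unit-A"), b"constructed ballot record")
    return unseal(key_for("unit-B"), blob) is not None

if __name__ == "__main__":
    print("hardcoded key, record crosses units:", accepted_elsewhere(shared_key))
    print("derived keys, record crosses units: ", accepted_elsewhere(derived_key))
```

With the compiled-in key, whoever reads the source or one binary holds the key for every unit; with derived keys, exposure of one unit's key is contained to that unit and that election.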
The Princeton Hack of Diebold







September 2006
Fully independent security study of a Diebold AccuVote-TS
Voting Machine
“Vulnerable to extremely serious attacks”
Physical access to a machine or its removable memory card
for one minute could allow installation of malicious code
Which could steal votes undetectably, modifying all records,
logs, and counters
Malicious code could also spread silently from machine to
machine
See http://www.youtube.com/watch?v=5WMG34cv0zM
Sequoia Gets Hacked

Sequoia Makes Like Diebold And Gets Hacked By Princeton

By John Gideon,
VotersUnite.org
February 11, 2007
A New Jersey Attorney Will Ask A Judge To Decertify Sequoia AVC Advantage Machines
A Princeton Professor Paid $86 For What A NJ County Paid $40,000 For
In a report in Sunday's The Star-Ledger [NJ] it was revealed that Sequoia AVC Advantage
Direct Recording Electronic (DRE) voting machines used in 18 of New Jersey's 21 counties
were improperly certified for use by the state.
[Attorney Penny] Venetis filed legal papers Friday claiming the state never certified some
10,000 Sequoia AVC Advantage machines as secure or reliable as required by law. "There
is zero documentation --- no proof whatsoever --- that any state official has ever reviewed
Sequoia machines," Venetis, co-director of the Rutgers Constitutional Litigation Clinic, said
in an interview. "This means you cannot use them. ... These machines are being used to
count most of the votes in the state without being tested in any way, shape or form."





Sequoia Still Being Hacked

At the same time Princeton Computer Science Professor Andrew Appel revealed that he
bought 5 of the Advantage voting machines from an on-line government equipment
clearinghouse for a total of $86. Virtually identical machines were bought in 2005 by Essex
County New Jersey for $8,000 apiece. Professor Appel and his team put the 5 machines to
good use according to the article. A Princeton student picked one machine's lock "in seven
seconds" to access the removable chips containing Sequoia's vote-recording software, Appel
said. "We can take a version of Sequoia's software program and modify it to do something
different --- like appear to count votes, but really move them from one candidate to
another."

And what does Sequoia have to say for itself? Citing more than a century in the election
business, Sequoia Voting Systems asserts on its Web site that "our tamperproof products,
including ... the AVC Advantage, are sought after from coast to coast for their accuracy and
reliability." While promising to look into Appel's claims, Sequoia's Michelle Shafer asserted
that hacking scenarios are unlikely.

Appel counters: But Appel said voting machines often are left unattended at polling places
prior to elections. He is confident his students and other recent buyers of 136 Sequoia
machines sold on GovDeals.com --- where bidders also can find surplus coffins,
locomotives and World War I cannons --- will crack Sequoia's code. Then, he said, it will be
fairly simple for anyone with bad intentions and a screwdriver to swap Sequoia's memory
chips for reprogrammed ones.
State-by-State






California
10 out of 58 counties

Diebold AccuVote-TS, Sequoia AVC Edge, ES&S iVotronic, Hart Intercivic eSlate

No voter-verifiable paper with DRE in this election but voters must be given paper ballot alternative to using DRE.
Florida
15 out of 67 counties

ES&S iVotronic, Sequoia AVC Edge

No voter-verifiable paper with DRE, recounts on touchscreens will not be possible, in violation of state law
mandating them in close elections.
Maryland
Statewide

Diebold AccuVote-TS

No voter-verifiable paper with DRE
Nevada
Statewide

Sequoia AVC Edge

Has voter-verifiable paper trail; state chose Sequoia partly because paper trail was offered.
Ohio
7 of 88 counties use DRE

ES&S iVotronic, Sequoia AVC Advantage, Danaher, MicroVote MV 464

Ohio has mandated a paper audit trail for DRE machines by 2006. No system currently in use has voter-verifiable
paper trail, though some older systems, like the MV-464 have internal printers that record ballot information for
each machine.
South Carolina
36 of 46 counties use DRE -- 85 percent of registered voters.

ES&S iVotronic, Danaher ELECTronic 1242, Microvote 464, Microvote Infinity, Unilect

No voter-verifiable paper with DRE. iVotronic has three different memory locations where vote data is stored.
Brennan Center Report



In December 2006, the Brennan Center for Social Justice at New York
University released a comprehensive report,
“The Machinery of Democracy: Voting System Security, Accessibility,
Usability, and Cost”
Recommendations regarding security:







Conduct automatic routine audits comparing voter-verified paper records to
the electronic record following every election.
Perform “parallel testing” (selection of voting machines at random and
testing them as realistically as possible) on Election Day.
Ban use of voting machines with wireless components.
Use a transparent and random selection process for all auditing procedures.
Ensure decentralized programming and voting system administration.
Institute clear and effective procedures for addressing evidence of fraud or
error.
Unfortunately, very few jurisdictions have implemented any of the security
measures that the Task Force’s analysis shows are necessary to make
voting systems substantially more secure.
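
One way to carry out two of the recommendations above, the transparent random selection and the comparison of paper records with the electronic record, as an added example that is not taken from the Brennan Center report. The machine ids, tallies and seed are constructed, and ranking by a hash of a public seed is an assumed selection method.

```python
import hashlib

def select_for_audit(machine_ids, public_seed: str, count: int) -> list:
    """Rank machines by SHA-256(seed | id) and take the first `count`.

    The seed is generated in public after the machine list is fixed (dice rolls,
    for instance), so any observer can recompute the same selection.
    """
    def rank(machine_id: str) -> str:
        return hashlib.sha256(f"{public_seed}|{machine_id}".encode()).hexdigest()
    return sorted(set(machine_ids), key=rank)[:count]

def compare_records(electronic: dict, paper: dict, selected) -> dict:
    """Return {machine: {candidate: (electronic, paper)}} for every mismatch."""
    findings = {}
    for machine in selected:
        if machine not in electronic or machine not in paper:
            findings[machine] = {"<record missing>": (machine in electronic, machine in paper)}
            continue
        e_tally, p_tally = electronic[machine], paper[machine]
        diff = {c: (e_tally.get(c, 0), p_tally.get(c, 0))
                for c in sorted(set(e_tally) | set(p_tally))
                if e_tally.get(c, 0) != p_tally.get(c, 0)}
        if diff:
            findings[machine] = diff
    return findings

# Constructed tallies: unit M-03 reports 10 votes moved from candidate A to B.
PAPER = {f"M-{n:02d}": {"A": 100 + n, "B": 90 - n} for n in range(1, 9)}
ELECTRONIC = {m: dict(t) for m, t in PAPER.items()}
ELECTRONIC["M-03"] = {"A": PAPER["M-03"]["A"] - 10, "B": PAPER["M-03"]["B"] + 10}

if __name__ == "__main__":
    chosen = select_for_audit(PAPER, "constructed dice rolls: 4 1 6 2 5 3", 3)
    print("audited:", chosen)
    print("findings:", compare_records(ELECTRONIC, PAPER, chosen))
```

A sample of 3 of 8 units only reveals the altered unit if it happens to be drawn, so the sample size decides how likely a discrepancy is to be found.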
The Role of HAVA, Election
Assistance Commission, NIST

HAVA (Help America Vote Act of 2002)
Requires voting system standards, permanent paper record, disabled
accessibility, alternative language accessibility, provisional voting,
registration by mail
Election Assistance Commission
to assist in the administration of Federal elections and to otherwise
provide assistance with the administration of certain Federal election
laws and programs, to establish minimum election administration
standards for States and units of local government with responsibility
for the administration of Federal elections
National Institute of Standards and Technology
Agency mandated to carry out work of EAC
“software-independent voting systems”
Independent audit
NIST: Security Aspects Of Electronic
Voting

The Help America Vote Act (HAVA) of 2002 was passed by Congress to
encourage the upgrade of voting equipment across the United States. HAVA
established the Election Assistance Commission (EAC) and the Technical
Guidelines Development Committee (TGDC), chaired by the Director of NIST,
as well as a Board of Advisors and Standard Board. HAVA calls on NIST to
provide technical support to the EAC and TGDC in efforts related to human
factors, security, and laboratory accreditation. To explore and research issues
related to the security and transparency of voting systems, the TGDC established
the Security and Transparency Subcommittee (STS).
The Security Technology Group of the Information Technology Laboratory’s
Computer Security Division supports the activities of the EAC, TGDC, and STS
related to voting equipment security. The Security Technology Group supports the
TGDC’s development effort for the next generation of the Voluntary Voting
System Guidelines (VVSG), focusing on developing a security architecture that
addresses significant threats to voting systems and enhancing voting system
auditability.
For more information on NIST’s efforts related to HAVA see http://vote.nist.gov/
NIST and the Help America Vote
Act (HAVA)







The 2002 Help America Vote Act has given NIST a key role in helping to realize
nationwide improvements in voting systems. To assist the Election Assistance
Commission with the development of voluntary voting system guidelines, HAVA
established the Technical Guidelines Development Committee (TGDC) and
directs NIST to chair the TGDC. NIST research activities include:
security of computers, computer networks, and computer data storage used in
voting systems;
methods to detect and prevent fraud;
protection of voter privacy; and
the role of human factors in the design and application of voting systems,
including assistive technologies for individuals with disabilities (including
blindness) and varying levels of literacy
the recommendation of testing laboratories to the U.S. Election Assistance
Commission (EAC). The EAC, not NIST, certifies voting systems for use in
elections.
NIST HAVA Efforts



Technical Guidelines Development Committee (TGDC)
The TGDC is charged by the U.S. Election Assistance Commission (EAC) to provide
technical guidance on implementing election-related technologies and to foster the
development of voluntary, consensus guidelines. The NIST Director chairs the TGDC and
NIST staff conduct the committee's technical work in accordance with HAVA. The TGDC
page provides access to full details.
National Voluntary Laboratory Accreditation Program (NVLAP)
NIST's NVLAP has established an accreditation program for laboratories that perform
testing of voting systems, including hardware and software components. This program will
provide for the accreditation of laboratories that test voting systems using standards
determined by the Election Assistance Commission (EAC). The EAC, not NIST, certifies
voting systems for use in elections.
National Software Reference Library (NSRL)
NIST's National Software Reference Library collects software from various sources and
incorporates file profiles computed from this software into a Reference Data Set of
information. This concept can assist in addressing voting systems needs in several areas.
Officials could determine that the software used during elections is the expected software.
Verification that the software remains the same during distribution, installation, setup, or use
is possible, supporting a “chain of custody.” Full details are available on the NSRL voting
page.
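
The reference-data-set check described above, as an added example that is not NSRL code: file profiles are reduced to SHA-256 hashes, and the file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    """Hash a file in chunks so large firmware images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_install(root: str, reference: dict) -> dict:
    """Classify every file under `root` against {relative_path: sha256_hex}."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in reference:
                report["unexpected"].append(rel)   # file the reference set never listed
            elif sha256_file(full) == reference[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)     # same name, different contents
    report["missing"] = list(set(reference) - seen)
    return {status: sorted(paths) for status, paths in report.items()}

def demo() -> dict:
    """Build a constructed 'certified release', install it, alter the install, verify."""
    release = {"bin/ballot.exe": b"certified build", "cfg/election.ini": b"precinct=12",
               "lib/tally.dll": b"certified tally code"}
    reference = {path: hashlib.sha256(data).hexdigest() for path, data in release.items()}
    with tempfile.TemporaryDirectory() as root:
        for path, data in release.items():
            target = os.path.join(root, *path.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as handle:
                handle.write(data)
        # Constructed changes after installation: one altered, one removed, one added.
        with open(os.path.join(root, "lib", "tally.dll"), "wb") as handle:
            handle.write(b"altered tally code")
        os.remove(os.path.join(root, "cfg", "election.ini"))
        with open(os.path.join(root, "bin", "extra.dll"), "wb") as handle:
            handle.write(b"not in the release")
        return verify_install(root, reference)

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the environment that computes it, so the check belongs on independent media reading the storage directly, not inside the software being verified.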
High-Interest Events and Items

A Threat Analysis on UOCAVA Voting Systems

NVLAP Suspends Accreditation of SysTest Labs, Incorporated

NIST VVSG Test Development

Next Version Voluntary Voting System Guidelines (VVSG)

How NIST Works With the TGDC (video)

VVSG Recommendations Companion Document and Video Tutorials

June 12, 2008, Letter from NIST to EAC Regarding Ciber, Inc. (html)

Federal Register Notice: Voting Equipment Evaluations Phase II
(Extension) (html)
Federal Register Notice: Voting Equipment Evaluations Phase II (html)

Princeton Warning on E-Voting Machine Hack
Shows Human Touch Can Be a Good Thing







By Brian Prince, 2008-10-27, eweek.com
A report released by Princeton University claims an electronic voting machine used in
New Jersey can be hacked in 7 minutes. Sequoia, the company that makes the
machines, denies the report's conclusions. Still, the Princeton report is a reminder that,
sometimes, it's nice to have a set of human eyes go over data.
Sometimes it’s better to do things the old-fashioned way—at least partly.
Perhaps that’s the lesson to be learned from a report released by Princeton University that
outlines security concerns surrounding an electronic voting machine used in New Jersey.
With the U.S. presidential election looming, the report states it is possible to hack the
Sequoia AVC Advantage 9.00H DRE (direct-recording electronic) voting machine in 7
minutes by loading fraudulent firmware.
By replacing the Z80 processor chip in the machine or removing one ROM chip from its
socket and putting in a new one, a hacker can potentially siphon votes from one candidate
and give them to another.
“The fraudulent firmware can steal votes during an election, just as its criminal designer
programs it to do,” the report states. “The fraud cannot practically be detected. There is no
paper audit trail on this machine; all electronic records of the votes are under control of the
firmware, which can manipulate them all simultaneously.”
The subject of the voting machines entered the legal arena in 2004, when the Coalition for
Peace Action, a Princeton-based civic group, sued the state over its use of the machines. The
case was dismissed by the trial court in January 2005 and then reinstated in 2006 by the
Appellate Court. While the appeal was pending in the summer of 2005, a bill was passed
requiring that any voting system in New Jersey produce a voter-verified paper ballot as of
Jan. 1, 2008. The state was given a six-month extension to comply on two occasions.
Some Valuable Readings

http://itpolicy.princeton.edu/voting/videos.html
Demonstrations at Princeton on video

http://www.cs.ucsb.edu/%7Eseclab/projects/voting/#video
Demonstration at UC Santa Barbara on YouTube

http://avirubin.com/vote/
Rubin’s website at Johns Hopkins about e-voting

http://www.acm.org/crossroads/xrds2-4/voting.html
Article from 1997 by Lorrie Cranor outlining some e-voting issues

http://www.wired.com/news/technology/0,72742-0.html
Article about Appel’s purchase of Sequoia machines for $16

http://www.internetnews.com/bus-news/article.php/3646231
Article about NIST’s recommendations
Valuable Readings (More)









http://www.diebold.com/dieboldes/demos_tsx.asp

Diebold’s home page
http://www.sequoiavote.com/demo.php?lang=en#overflash

Sequoia’s demo
http://www.essvote.com/HTML/products/electronic_voting.html

ES&S website
http://www.hartic.com/innerpage.php?pageid=98#

Hart Intercivic eSlate demo
http://electionline.org/Default.aspx?tabid=1099

State-by-State data 9/06
http://www.scpronet.com/helpscvote.html

South Carolina Progressive Network information
http://www.votetrustusa.org/index.php?option=com_frontpage&Itemid=1

VoteTrust, a national organization advocating fair elections
http://www.epic.org/privacy/surveillance/spotlight/0906/

Electronic Privacy Information Center
http://www.brennancenter.org/

Brennan Center at NYU