The right of voting for representatives is the primary right by which other rights are protected.
– Thomas Paine, Rights of Man, 1791
I just finished Avi Rubin’s book Brave New Ballot. I’ve been keeping up with the issues surrounding electronic voting since I read RiSC’s 2004 Red Team report (167KB pdf) on the serious, practical security vulnerabilities uncovered in Diebold’s Direct Recording Electronic (DRE) voting machines.
The State of Maryland commissioned RiSC’s review (as well as an analysis by the SAIC – 1227KB pdf) to certify the machines were credible and secure, in response to a non-commissioned paper co-published by Dr. Avi Rubin. This paper concluded that the Diebold machines were fundamentally insecure, based on analysis of source code that Diebold had inadvertently made public. The SAIC and RiSC reports went on to uncover additional, serious flaws.
In addition, just this month, Princeton researchers published yet another study (with video) that, among other problems, demonstrates that Diebold machines can be infected with a vote-altering virus, spread via the machines’ memory cards.
I find these reports fascinating reading. Some of my gentle readers may not, so I will highlight some of their findings below. Bear in mind that Diebold typically rebuts the results of unauthorized analyses of their machines by stating something to the effect that the code/machines analyzed were several generations old, no longer used by any voting precincts in the country, identify purely theoretical attacks, and so on.
I simply ask you to consider that a) the authorized reviews conducted using up-to-date machines/code confirmed that many of these flaws were still present; b) outdated or no, these flaws were at one time present in actual machines in actual, recent elections; and c) at present, we basically have to take Diebold’s word for it.
Now, the highlights:
- The smart cards used to ensure that an individual can vote only once are easily cloned or reinitialized to allow multiple votes.
- Supervisor PINs and passwords are either hard-coded, stored in plain text, or have defaults such as 1111. With Supervisor access, an individual could tell a machine that the election was over, clear the results, vote multiple times, or change passwords (thus locking out precinct judges).
- The locks used to secure the machines are identically keyed, easily picked, and common. The same model of lock is used to secure jukeboxes, desk drawers and hotel minibars.
- The algorithm used to randomize the order of the voting records (to preserve voter anonymity) is inappropriate to the task. What’s more, the programmers put the following comment in the code:
// LCG – Linear Conguential Generator – used to generate ballot serial numbers
// A psuedo-random-sequence generator
// (per Applied Cryptography, by Bruce Schneier, Wiley, 1996)
What is painful is that Schneier explicitly states in Applied Cryptography:
Unfortunately, linear congruential generators cannot be used for cryptography; they are predictable.
- Both the voting machine software and the Global Election Management System (GEMS) server (central tabulation server) sit atop Windows operating systems consisting of millions of lines of code and, ahem, praised by one and all for their flawless security.
- Analysis of the GEMS server determined that it was 15 Windows patches out of date. At least one of these was a critical security patch (made available the previous year) whose exploitation gave the attacker complete control of the machine.
- The GEMS database was written in Microsoft Access – a tinkertoy.
- Votes can be transmitted from the precinct to the GEMS server via dialup modem. The phone number, user name, password and IP address of the server are stored in plain text in the Windows registry. With this information, an attacker could impersonate a voting machine and/or intercept and alter election results in real time.
The most significant problem with these machines is not a security flaw per se, though it greatly magnifies the impact of all other vulnerabilities. No independent, valid audit trail exists to prove that a given machine produced accurate counts. Incidentally, the same can be said for gear and lever voting machines, which went into service in 1913.
Moving to optical scanners that could read and tabulate counts of paper ballots was a huge improvement, but the mechanism by which voters applied their intent to the ballot was flawed (butterfly ballots, chads in various states of repose, and so on). Could the optical scanners be hacked? Certainly, but I haven’t read up on it. For all I know there could be a little man inside who takes the ballot, then presses a button that corresponds to the candidate. Perhaps the little man could be blackmailed. If elections are done right, however, the little man doesn’t matter, and here’s why:
- In order to sway a national election, you have to get dirt on a bunch of little men.
- If a precinct, county or state produced suspicious election results, election officials have paper ballots to recount manually, under the bi-partisan scrutiny of people of average or greater height.
Rubin makes this fundamental distinction in Brave New Ballot – the difference between retail and wholesale fraud. Stuffing or “disappearing” ballot boxes is retail fraud. Surreptitiously altering software subsequently placed on tens of thousands of voting machines is wholesale fraud. Another example is hacking the central server to which election results are uploaded.
And remember, with these machines, meaningful recounts are impossible.
Per the Princeton report, in the 2006 general election Diebold machines will be used in 357 counties, responsible for capturing and counting the intent of nearly 10 percent of registered voters. That’s just the Diebold machines. Overall, 34 percent of counties will use touch-screen voting systems in 2006. However, only seven states will employ machines that produce a voter verified paper audit trail (VVPAT).
Hacking voting machines (or a central server) requires intent. However, merely introducing the complexity of electronic hardware and software causes problems of its own. For example, in the 2004 presidential election, over 4,500 votes were lost in Carteret County, North Carolina due to a memory card storage problem in a machine manufactured by Unilect. In a Columbus, Ohio suburban precinct of 800 registered voters, a machine manufactured by Danaher Controls recorded 4,258 votes for one candidate.
Setting aside whether or not these issues would sway a given election, what matters is that voters’ intent was lost. Voters whose confidence in these machines is low are that much less likely to vote. And casting absentee ballots as an alternative to using the machines is a problematic solution.
Bruce Schneier enumerates four fundamental requirements of a robust voting system: Accuracy, Anonymity, Scalability and Speed. I assert that only the first two are fundamental, while the last two are gravy.
- Accuracy – Each voter’s intent is captured. Every legitimate vote and only legitimate votes are counted.
- Anonymity – It is not possible to couple a voter with hus vote.
Avi Rubin’s “dream voting machine” would accomplish all four of Schneier’s requirements. Rubin describes this machine as follows:
My dream voting machine would have a user interface much like a DRE, but in reality it wouldn’t be a voting machine at all. I call it a “ballot marking machine.” Voters would navigate through touch screens, just as with a DRE, and make their choices for candidates and for ballot resolutions. However, instead of clicking on Cast Vote at the end, they would select a Print Ballot option, and the machine would produce a filled-in paper ballot that the voter would be able to check for accuracy. The layout and typography of the ballots would be standardized, and the count would proceed completely independently from the the ballot-marking process, in some cases even by hand. One possible variation would use optical scanners to count the ballots, provided that the manufacturer of the scanners had no ties of any kind to the manufacturer of the ballot-marking machine. Similarly, scanners outfitted with audio output could assist blind voters, who would feed their marked ballot into the machine for verification. The marked paper ballots could be retained by election officials and used for recounts, either in cases of actual dispute or as part of a random spot-checking system…The ideal machine would have all the useful features of a DRE but would improve upon it in several key ways. It would allow for meaningful recounts of voter intent and would make it incredibly difficult for a vendor to rig an election. Most significantly, the system would provide citizens with the confidence that their votes were recorded and transmitted accurately and could not be altered after the fact.
Our voting system is hugely important. It should be a point of national pride, trusted and understood by all citizens, and used as the gold standard worldwide. It is far too precious a thing to entrust to proprietary machines produced by companies whose interests are primarily financial.
If we’re going to use DREs, these criteria must be met:
- The software of every DRE and tabulation server put into service must be subjected to transparent, independent peer review. A method must exist to verify that the code on a given machine matches what was reviewed.
- DREs must produce a paper ballot that each voter can use to verify hus intent was recorded accurately. The ballots comprise the official count, not the machine totals.
- Machines fail and require power. In the event of a catastrophic failure, every voting precinct must have an adequate backup supply of paper ballots and a printout of registered voters.