http://www.wijvertrouwenstemcomputersniet.nl/images/c/ce/ES3B_EVT07.pdf
Gonggrijp, Rop, and Willem-Jan Hengeveld. Studying the Nedap/Groenendaal ES3B Voting Computer: A Computer Security Perspective. Presented August 6, 2007 at the USENIX/ACCURATE Electronic Voting Technology Workshop, Boston, USA. (Marketed as Liberty DRE in the U.S.) Accessed December 11, 2007.
Ninety percent of the votes in The Netherlands are cast on the Nedap/Groenendaal ES3B voting computer. With very minor modifications, the same computer is also being used in parts of Germany and France.
The Nedap ES3B electronic voting computer is a touch screen system that only records votes in memory. The system requires ultimate trust, since it produces an election outcome that cannot be independently verified.
Anyone with brief access to the device at any time before an election can gain complete and virtually undetectable control over election results.
Radio emanations from an unmodified Nedap can be received at several meters distance and be used to tell who votes what.
The over-all security design relies almost solely on the near-universally deprecated concept of ‘security by obscurity.’ Since the problems we found stem from the very design, we see no quick fixes that could make this device sufficiently secure.
We conclude that the Nedap ES3B is unsuitable for use in elections, that the Dutch regulatory framework surrounding electronic voting insufficiently addresses security, and we pose that not enough thought has been given to the trust relationships and verifiability issues inherent in DRE class voting systems.
Given the fact that technical specifications and source code to most electronic voting systems are not publicly available, we see grave danger to our democracy by the use of secret voting technology.
Password stored in the code and quickly found, allowing attacks to read and modify election results.
Software code could be inserted, and in response to Nedap’s challenge, this team programmed the machine to play chess. (Emphasis added. ~RA)
Software could be manipulated to steal a certain percentage of votes, for a given party. In this way, elections could be predetermined without knowing candidate names.
Parallel testing is ineffective, and only tests for outside threats - not insider attacks. The Brennan Center (2006) reached the same conclusion:
Even under the best of circumstances, Parallel Testing is an imperfect security measure. The testing creates an ‘arms race’ between the testers and the attacker, but the race is one in which the testers can never be certain that they have prevailed.
In the case of voting systems, the only meaningful security against insider attacks is to have a voting mechanism of which all the details are published and that a substantial portion of the general public is capable of comprehending in-depth.
By adding extra security measures against the over-emphasized threat posed by outsiders, one can actually increase the risk posed by insiders.
For example, today’s mobile phones often combine a processor, execution memory and tamper-resistant key storage to make sure only the manufacturer (who has the cryptographic signing keys) can update the software. These mechanisms can sometimes still be circumvented, but at least they offer a layer of security that is completely absent in the Nedap ES3B. But by adding ‘security’ in this way, the device could also resist any attempts by independent inspectors to see what code it is actually running.