University researchers have demonstrated multiple ways of compromising all three of the electronic voting machine systems certified for use in California. The hacks could result in hijacking machines and altering election results, they claim. Although the system vendors have issued a detailed rebuttal of the study, critics are calling for an investigation into the e-voting certification process.
A test of three electronic voting systems certified for
use in California has uncovered serious security flaws. Researchers at the
University of California conducted the tests at the behest of Secretary of
State Debra Bowen under a US$1.8 million contract.
Their mission was to try to compromise the integrity of the voting systems
provided by Diebold Elections Systems, Hart Intercivic and Sequoia Voting
Systems. They not only succeeded in breaching all of the systems, but also
concluded there were likely more security problems that they could not
explore within the limited time frame of the study.
What they did find was worrisome enough.
For instance, the testers analyzing the Sequoia e-voting machine were able
to gain physical access to the system by removing screws to bypass locks. The
testers also discovered numerous ways to overwrite the firmware of the Sequoia
Edge system -- for example, using malformed font files or doctored update
cartridges.
Testers were also able to exploit vulnerabilities in Diebold's Windows operating
system and take security-related actions that the server did not record in its
audit logs. Thus, testers were able to manipulate several components networked
to the server, including loading wireless drivers onto the server that could
then be used to access a wireless device plugged surreptitiously into the back
of the server.
Diebold's physical security was also lacking, the researchers found. Testers
were able to bypass the physical controls on the optical scanner, for example.
The testers also found numerous ways to overwrite Diebold's firmware.
Attacks could change vote totals, among other things. For instance, the testers
were able to escalate privileges from those of a voter to those of a poll
worker or central count administrator, enabling them to reset an election,
issue unauthorized voter cards and close polls.
The testers did not test the Windows systems on which the Hart election management software
was installed because Hart does not configure the operating system or provide a
default configuration, notes the report.
Rather, Hart software security settings provide a restricted, Hart-defined
environment that the testers were able to bypass, which allowed them to run the
Hart software in a standard Windows environment.
They also found an undisclosed account in the Hart software that an attacker
who penetrated the host operating system could exploit to gain unauthorized
access to the Hart election management database.
The testers were able to overwrite the firmware and access menus that should
have been locked with passwords. Other attacks allowed the team to alter vote
totals; these attacks used ordinary objects. The team was also able to develop
a device that caused Hart's system to authorize access codes without poll
worker intervention.
Hart, Diebold and Sequoia have released statements in response to the
findings.
Among the points in Sequoia's detailed rebuttal is the argument that the
attacks did not simulate a real world scenario. The researchers hacking into
the systems -- called the "Red Team" -- did so in the absence of a
"Blue Team" counterpart emulating security practices, Sequoia said.
"In short, the Red Team was able to, using a financial institution as
an example, take away the locked front door of the bank branch, remove the
security guard, remove the bank tellers, remove the panic alarm that notifies
law enforcement, and have only slightly limited resources (particularly time
and knowledge) to pick the lock on the bank vault. Such a scenario is
implausible."
Even with such objections taken into account, the results were worse than
the e-voting skeptics themselves had expected.
"I had expected them to find problems -- but to be able to replace
firmware in all three systems is nothing short of an utter takeover of
machines, and that shouldn't be possible," Avi Rubin, professor of
computer science and technical director of the Information Security Institute
at Johns Hopkins University, told TechNewsWorld.
"I was shocked by how severe the problems were," he continued.
"What's even scarier is that the researchers were looking at certified
systems that have been already used in an election."
Furthermore, the report does not discuss the greatest vulnerability in
e-voting, said Brad Friedman, publisher of The Brad Blog, which follows e-voting and electoral issues.
"The real threat to these voting systems comes from election
insiders," he told TechNewsWorld. "This has been known for years, but
election officials and voting machine companies ignore this point."
That said, he continued, the report -- even if it is lacking in some aspects
-- is years overdue. "There has been an astounding lack of seriousness
given to this issue by both the Feds and the previous administration in
California. Both have rubber-stamped everything and did no real testing on
systems until now."
Indeed, this is not the first time the integrity of e-voting machines has
been questioned. The nonprofit group Black Box Voting issued a report last year, for instance,
that outlined severe security flaws in Diebold machines. A separate study of
the Diebold touch-screen voting system, conducted by Princeton University, also
found serious security flaws. Diebold has repeatedly said its systems were
safe.
This latest study should prompt a serious review of both e-voting in
general, and the certification process specifically, in Congress and state
legislatures, suggested Black Box director Beverly Harris.
"All of these machines were certified for use," she emphasized.
"It is time for us to launch an active -- perhaps criminal -- investigation into the certification process," she told TechNewsWorld. "Every single time a study is conducted, security flaws are found. Yet these machines continue to be certified."