For years, Texas has been embroiled in a controversy over electronic voting systems, with the partisans generally dividing into three camps:
- Electronic voting technologies are from the pit of hell and we need to return to hand-counted paper ballots for all elections;
- Electronic voting technologies create risks of tampering with elections and invading voters' privacy; and
- "What are those other two groups complaining about?"
California Secretary of State Debra Bowen conducted an
exhaustive review of voting machine security this summer, including systems used in many Texas counties. As
Houston Chronicle political writer Kristen Mack points out in a
column today, that makes the review relevant to Texas. Mack summarizes the review, conducted by researchers at the University of California system, well:
"[A]bsent tighter [security] procedures, hackers could alter vote totals, violate the privacy of individual voters and delete audit trails" on even the most sophisticated systems.The key phrase, obviously, is "absent tighter security procedures." The federal
Election Assistance Commission and the
Elections Division of the Texas Secretary of State's office have issued guidelines for how to improve voting system security. Although many counties -- notably
Travis -- have well-established election security protocols, most counties do not.
During the last legislative session,
Senator Royce West and
Representative Rafael Anchia introduced bills to mandate basic voting system security procedures in each county. Neither bill got anywhere, even with the support of county elections administrators and clean voting advocates. But, as the California study shows, standardized security procedures are necessary to protect the integrity of elections, no matter how well designed the voting systems may be.
Bowen began the "top-to-bottom" review of election systems in May, saying "California voters are entitled to have their votes counted exactly as they were cast." University of California researchers divided into teams to review documents and studies associated with each voting system, examine the computer source code each machine relies on, and even a "penetration attack" to see if the system’s security could be compromised. Their reports are available
here, but here's the highlight reel:
Diebold systems, used in two of Texas' largest counties (#6 El
Paso and #8 Collin) are plagues by "serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes. These vulnerabilities include:
• Vulnerability to malicious software. The Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines or on the election management system. Malicious software could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results. It could also prevent voting machines from accepting votes, potentially causing long lines or disenfranchising voters.
• Susceptibility to viruses. The Diebold system is susceptible to computer viruses that propagate from voting machine to voting machine and between voting machines and the election management system. A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county’s voting machines. Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines.
• Failure to protect ballot secrecy. Both the electronic and paper records of the Diebold AV-TSX contain enough information to compromise the secrecy of the ballot. The AV-TSX records votes in the order in which they are cast, and it records the time that each vote is cast. As a result, it is possible for election workers who have access to the electronic or paper records and who have observed the order in which individuals have cast their ballots to discover how those individuals voted. Moreover, even if this vulnerability is never exploited, the fact that the AV-TSX makes it possible for officials to determine how individuals voted may be detrimental to voter confidence and participation.
• Vulnerability to malicious insiders. The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority. Anyone with access to a county’s GEMS server could tamper with ballot definitions or election results and could also introduce malicious software into the GEMS server itself or into the county’s voting machines.
The
Hart Intercivic systems, including the
eSlate machines used in five of Texas' biggest counties (#1 Harris, #3
Tarrant, #5 Travis, #9
Denton and #10 Fort Bend) are also vulnerable to attack. Their biggest problem is that the machines are all linked together under the assumption that every individual machine is secure. This can cause problems:
Unsecured network interfaces. Network interfaces in the Hart system are not secured against direct attack. Voters can connect to unsecured network links in a polling place to subvert eSlates, as well as to eavesdrop on cast votes and to inject new votes. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more eSlates in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.
Vulnerability to malicious inputs. Because networked devices may be connected to other, potentially malicious devices, they must be prepared to accept robustly any input provided by such devices. The Hart software routinely fails to check the correctness of inputs from other components, and then proceeds to use those inputs in unsafe ways. The most damaging example of this is that SERVO, which is used to back up and verify the correctness of polling place devices can itself be compromised from those same devices. This implies that an attacker could subvert a single polling place device, through it subvert SERVO, and then use SERVO to reprogram every polling place device in the county. Although we have tested some individual components of this attack, we did not have time to confirm it in an end-to-end test.
No or insecure use of cryptography. The standard method for securing network communication of the type in use in the Hart system is to use a cryptographic security protocol. However, we found a notable lack of such techniques in Hart’s system. Instead, communications between devices generally happen in the clear, making attack far easier. Cryptography is used for MBBs, but the key management involves a single county-wide symmetric key that, if revealed, would allow an attacker to forge ballot information and election results. This key is stored insecurely in vulnerable polling-place devices, with the result that compromise of a single polling place device enables an attacker to forge election MBBs carrying election results for any device in the county.
Failure to protect ballot secrecy. Hart’s system fails to adequately protect ballot secrecy. A poll worker or election official with access to the raw ballot records can reconstruct the order in which those votes were cast. Combined with information about the order in which voters cast their votes, this can be used to reconstruct how each voter voted. In the case of the DRE, it is also possible to reconstruct, for each vote, the order in which the votes were authorized. Combined with information about the order in which voters were authorized, this can likewise be used to reconstruct how each voter voted. Furthermore, a voter who has temporary access to an eSlate device can extract and reconstruct all the votes cast on that device up to that point in time. He may be able to similarly reconstruct all votes cast on any other eSlate connected to the same JBC.
ES&S, which manufactures the systems used in three of Texas' largest counties (#2 Dallas, #4
Bexar and #7
Hidalgo)
refused to participate in the review, denying the Secretary of State access to its source codes. In response, Bowen
moved to gather
escrowed copies (as required by ES&S's certification) of the source codes for review.
The study also examined the accessibility of each of the voting systems. Such accessibility is required by the Help America Vote Act (
HAVA) and by state laws. The
study concluded that "[a]
lthough each of the tested voting systems included some accessibility accommodations, none met the accessibility requirements of current law and none performed satisfactorily in test voting by persons with a range of disabilities and alternate language needs."