It's the first independent study to examine machines made by Election Systems & Software, the largest voting machine company in the country -- the company's machines are used in 43 states. (A similar study of voting systems done in California earlier this year did not examine ES&S machines.)
What the researchers discovered is pretty significant.
They found that the ES&S tabulation system and the voting machine firmware were rife with basic buffer overflow vulnerabilities that would allow an attacker to easily take control of the systems and "exercise complete control over the results reported by the entire county election system."
They also found serious security vulnerabilities involving the magnetically switched bidirectional infrared (IrDA) port on the front of the machines and the memory devices that are used to communicate with the machine through the port. With nothing more than a magnet and an infrared-enabled Palm Pilot or cell phone they could easily read and alter a memory device that is used to perform important functions on the ES&S iVotronic touch-screen machine -- such as loading the ballot definition file and programming the machine to allow a voter to cast a ballot. They could also use a Palm Pilot to emulate the memory device and hack a voting machine through the infrared port (see the picture above right).
They found that a voter or poll worker with a Palm Pilot and no more than a minute's access to a voting machine could surreptitiously re-calibrate the touch-screen so that it would prevent voters from voting for specific candidates or cause the machine to secretly record a voter's vote for a different candidate than the one the voter chose. Access to the screen calibration function requires no password, and the attacker's actions, the researchers say, would be indistinguishable from the normal behavior of a voter in front of a machine or of a poll worker starting up a machine in the morning.
The attack they describe is significant because the researchers' description of how an intentionally miscalibrated machine would function -- that is, prevent a voter from voting for a certain candidate -- is precisely how some voters described the ES&S machines behaving in a controversial Florida election last year.
In November 2006 in Sarasota, Florida, more than 18,000 ballots recorded no votes cast in the 13th congressional race between Democrat Christine Jennings and Republican Vern Buchanan. Election officials say that voters intentionally left the race blank or failed to see the race on the ballot. But hundreds of voters complained during the election and afterward that the machines had been malfunctioning. Some said the machines simply failed to respond to their touch in that race -- the rest of the ballot, they reported, was fine. Others said that the machines appeared to initially respond to their selection of Christine Jennings, but then showed no vote cast in that race when they reached the review screen at the end of the ballot. Jennings lost to Buchanan by fewer than 400 votes. The race is under investigation by Congress and the Government Accountability Office.
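To make the calibration finding concrete, here is an added Python model of how a touch-screen calibration maps raw digitizer readings onto ballot targets. It is not code from the report, from ES&S, or from this article; the display size, digitizer range, ballot layout, the size of the scale error and the test tolerance are all assumptions. It shows that a single small error in the vertical scale leaves the upper contests registering correctly while the bottom contest either records the adjacent candidate or nothing at all, which matches the symptom pattern voters described, and it includes the kind of reference-point check a pre-election test could run to detect such a map before voting starts.

```python
"""Constructed model: affine touch-screen calibration, a stacked ballot layout,
and a reference-point check. Geometry and numbers are assumptions, not iVotronic data."""
from dataclasses import dataclass
from typing import Optional

SCREEN_W, SCREEN_H = 640, 480   # assumed display size in pixels
RAW_MAX = 1023                  # assumed 10-bit digitizer range


@dataclass(frozen=True)
class Calibration:
    """Affine map from raw digitizer counts to screen pixels: s = r * scale + offset."""
    sx: float
    sy: float
    ox: float = 0.0
    oy: float = 0.0

    def to_screen(self, rx: float, ry: float) -> tuple[float, float]:
        return rx * self.sx + self.ox, ry * self.sy + self.oy


# Correct map fills the display exactly.
GOOD = Calibration(sx=SCREEN_W / (RAW_MAX + 1), sy=SCREEN_H / (RAW_MAX + 1))
# Same map with an 8% error in the vertical scale only (assumed magnitude).
SKEWED = Calibration(sx=GOOD.sx, sy=GOOD.sy * 1.08)

# Constructed ballot layout: target rectangles (x0, y0, x1, y1) in screen pixels,
# three contests stacked top to bottom with gaps between buttons.
BALLOT = {
    "Race 1 / Candidate A": (40, 30, 620, 80),
    "Race 1 / Candidate B": (40, 90, 620, 140),
    "Race 2 / Candidate A": (40, 170, 620, 220),
    "Race 2 / Candidate B": (40, 230, 620, 280),
    "Race 3 / Candidate A": (40, 370, 620, 410),
    "Race 3 / Candidate B": (40, 420, 620, 460),
}


def resolve_touch(cal: Calibration, rx: float, ry: float) -> Optional[str]:
    """Return the ballot target the touch lands on after calibration, or None."""
    x, y = cal.to_screen(rx, ry)
    for name, (x0, y0, x1, y1) in BALLOT.items():
        if x0 <= x <= x1 and y0 <= y <= y1:
            return name
    return None


def raw_for_target(name: str) -> tuple[float, float]:
    """Raw reading a voter produces by touching the centre of a target as drawn
    on the display (the inverse of the correct map GOOD)."""
    x0, y0, x1, y1 = BALLOT[name]
    cx, cy = (x0 + x1) / 2, (y0 + y1) / 2
    return (cx - GOOD.ox) / GOOD.sx, (cy - GOOD.oy) / GOOD.sy


def simulate_ballot(cal: Calibration) -> dict[str, Optional[str]]:
    """For every target, what the machine records when the voter touches it."""
    return {name: resolve_touch(cal, *raw_for_target(name)) for name in BALLOT}


# Reference points for a pre-election check: raw readings at the four corners
# and the centre, paired with the screen pixel each must map to.
REFERENCE = [
    ((0, 0), (0.0, 0.0)),
    ((RAW_MAX, 0), (GOOD.sx * RAW_MAX, 0.0)),
    ((0, RAW_MAX), (0.0, GOOD.sy * RAW_MAX)),
    ((RAW_MAX, RAW_MAX), (GOOD.sx * RAW_MAX, GOOD.sy * RAW_MAX)),
    ((RAW_MAX / 2, RAW_MAX / 2), (GOOD.sx * RAW_MAX / 2, GOOD.sy * RAW_MAX / 2)),
]


def max_deviation_px(cal: Calibration) -> float:
    """Largest distance in pixels between where a reference touch lands and where it should."""
    worst = 0.0
    for (rx, ry), (ex, ey) in REFERENCE:
        x, y = cal.to_screen(rx, ry)
        worst = max(worst, ((x - ex) ** 2 + (y - ey) ** 2) ** 0.5)
    return worst


def calibration_ok(cal: Calibration, tolerance_px: float = 5.0) -> bool:
    """Accept a calibration only if every reference point lands within tolerance (assumed 5 px)."""
    return max_deviation_px(cal) <= tolerance_px


if __name__ == "__main__":
    for label, cal in (("good", GOOD), ("skewed", SKEWED)):
        print(f"{label}: ok={calibration_ok(cal)} max_dev={max_deviation_px(cal):.1f}px")
        for target, recorded in simulate_ballot(cal).items():
            print(f"  touch {target:<22} -> {recorded}")
```

Because a scale error grows with distance from the origin, a voter's touches near the top of the ballot still land on the intended buttons, and only the contest farthest down drifts into the neighbouring button or the dead zone below it. A simple offset error would shift every contest equally and be noticed immediately, which is why the reference points in the check are spread across the whole screen rather than sampled at one spot.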
[Earlier this year I did a FOIA request for records documenting the complaints that voters made about the machines on election day in Sarasota and put together a spreadsheet that you can view here. The third column from the left, marked "Problem," describes the nature of each complaint that came in.]
The Ohio researchers' findings raise new and interesting questions about that race. Indeed, the researchers themselves note that their description of how an intentionally miscalibrated ES&S machine might function, or malfunction, is consistent with how iVotronics have apparently acted in some elections (they don't mention the Florida race by name, but they likely had Sarasota in mind when they wrote this).
ES&S isn't singled out in the report. The researchers, among them computer scientist Matt Blaze, examined source code and hardware of touch-screen and optical scan machines from two other vendors as well -- Premier (formerly known as Diebold) and Hart InterCivic. They found vulnerabilities in the various systems that would allow voters and pollworkers to place multiple votes on machines, to infect machines with a virus and to corrupt already cast votes.
But one of the most worrisome flaws in my mind involves that infrared port on the front of ES&S touch-screen machines because it doesn't require anyone to open a machine to hack it. (The Premier/Diebold machine also has an infrared port on it, but the report doesn't discuss it, and the Ohio researchers weren't available to answer my questions.)
The researchers found that access to the PEB memory itself is not protected by encryption or passwords, although some of the data stored on the PEB is encrypted (using Bruce Schneier's Blowfish cipher -- note to Bruce to add the ES&S machine to your Blowfish products page). Nonetheless, the researchers were able to read and alter the contents of a PEB using a Palm Pilot as well as substitute the Pilot for the PEB. It's worth reading the section about this from page 51 of the report:
Anyone with physical access to polling station PEBs can easily extract or alter their memory. This requires only a small magnet and a conventional IrDA-based palmtop computer (exactly the same kind of readily-available hardware that can be used to emulate a PEB to an iVotronic terminal). Because PEBs themselves enforce no passwords or access control features, physical contact with a PEB (or sufficient proximity to activate its magnetic switch and IR window) is sufficient to allow reading or writing of its memory.
The ease of reading and altering PEB memory facilitates a number of powerful attacks against a precinct’s results and even against county-wide results. An attacker who extracts the correct EQC, cryptographic key, and ballot definition can perform any election function on a corresponding iVotronic terminal, including enabling voting, closing the terminal, loading firmware, and so on. An attacker who has access to a precinct’s main PEB when the polls are being closed can alter the precinct’s reported vote tallies, and, as noted in Section 6.3, can inject code that takes control over the county-wide back-end system (and that thus affects the results reported for all of a county’s precincts).