Tags

, , , , , , , , , , , , , , , , , , , , , ,

September 9, 2008

A new report, and video, have been released by the Computer Security Group at the University of California, Santa Barbara. “All voting systems recently analyzed by independent security testers have been found to contain fatal security flaws. There is need for drastic change. The very core of our democracy is in danger.”

This group contributed to voting system reviews conducted by Ohio and California last year.  The 11-page paper was presented in July at the Proceedings of the International Symposium on Software Testing and Analysis held in Seattle.  Much of it is comprehensible to most voters.  The Group also prepared a 17-minute video, presented in two parts that illustrates several attacks, and shows how security seals are ineffective. 

The paper clarifies that security is lacking in both Sequoia and ES&S voting systems: “the electronic voting systems that we have reviewed are neither secure nor well-designed.”  It spends time discussing the certification process which does not and cannot adequately secure a software driven voting system:

“While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny. A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed and that their quality does not match the importance of the task that they are supposed to carry out.”  (emphasis added) 

This conclusion corroborates many prior statements made by security experts.  Twelve such quotes are reproduced here.  The paper states: 

“All voting systems recently analyzed by independent security testers have been found to contain fatal security flaws that could compromise the confidentiality, integrity, and availability of the voting process….

“Our experience suggests that there is a need for a drastic change in the way in which electronic systems are designed, developed, and tested….

“Unless electronic voting systems are held up to standards that are commensurate with the criticality of the tasks they have to perform, the very core of our democracy is in danger.”  (emphasis added) 

While detailing many of the vulnerabilities in touchscreen (DRE) voting systems, which more than half the states have outlawed1, the paper specifically discusses optical scan systems: 

“Evaluations of the various optical scanners offered by both vendors followed much the same pattern of the previous voting system components. A patent disregard for cryptographic authentication and integrity checks allows attackers to overwrite a system’s firmware with malicious versions and modify or construct election data to be processed by an EMS.

“Physical security measures were also lacking. In particular, the ES&S scanner lock was easily picked with a paper clip during our tests, while the “unpickable” lock on the Sequoia scanner was bypassed by removing a few screws and pulling out the lock cylinder from the scanner’s chassis by hand. In both cases, this allows an attacker to access machine internals to potentially execute arbitrary code.”

The Computer Security Group at UCSB issued a statement introducing this information, reposted with permission: 

Evaluating the Security of Electronic Voting Systems: Are your votes really counted?

Electronic voting systems have been introduced to improve the voting process. Since their inception, they have been controversial, because both the technologists and the general public realized that they were losing direct control over an important part of the voting process: counting the votes.

A quote attributed to Stalin says: “Those who cast the votes decide nothing. Those who count the votes decide everything.” It is clear that voting systems represent a critical component of a democracy.

Although the consequences of a malfunctioning electronic voting system are not as readily apparent as those for air traffic control or nuclear power plant control systems, they are just as important, because the well-being of a society depends on them. While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny.

A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed, and that their quality does not match the importance of the task that they are supposed to carry out. 

In the Summer of 2007, the Security Group of UCSB participated in the Top-To-Bottom Review (TTBR) of the electronic voting systems used in California.

The Report 

Our team focused on the security analysis of the Sequoia voting system. Our public report can be found here (a local copy can be found here). We found a number of major flaws that can be exploited to compromise the integrity, confidentiality, and availability of the voting process.  In particular, we developed a virus-like software that can spread across the voting system, modifying the firmware of the voting machines. The modified firmware is able to steal votes even in the presence of a Voter-Verified Paper Audit Trail (VVPAT). 

The Paper 

We wrote a paper that describes our methodology and our findings: Are Your Votes Really Counted? Testing the Security of Real-world Electronic Voting Systems, D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, R. Kemmerer, W. Robertson, F. Valeur, and G. Vigna, in Proceedings of the International Symposium on Software Testing and Analysis, Seattle, WA July 2008.[PDF

The Movie 

We also prepared a movie that shows how the virus-like attack would be carried out, and exemplifies the different scenarios that our malicious firmware would exploit. The video shows how one can use a simple USB key to infect the laptop used to prepare the cards that initialize the various voting devices. As a result, the cards are loaded with a malicious software component. 

When a card is inserted in a voting terminal, the malicious software exploits a vulnerability in the terminal loading procedure and installs a modified firmware, effectively “brainwashing” the terminal. Later, when the terminal is used by the voters to cast their votes, the firmware uses a number of different techniques to modify the contents of the ballots being cast. 

The movie also shows that the physical security measures being used to limit access to essential parts of the voting systems are ineffective. 

Part 1

Part 2

####

In the end, voters will decide whether to continue voting on systems that over 50 scientific studies, comments and testimony have warned are not securable.  That decision will be made by whether they participate in a system that leaves no rational basis for confidence. Or, elections will be decided by computer hackers.

Much thanks to John Gideon of VotersUnite.org for his Daily Voting News feed.


1 Election Data Services President Kimball Brace said touch screens would be used statewide this fall in Maryland, Delaware, New Jersey, Nevada, Utah, Louisiana, Georgia and South Carolina, and in significant parts of or pockets of a dozen other states, according to an August 15, 2008 McClatchy article.

Advertisements