February 18, 2008
No voting machine vendor unscathed in CA
ES&S is the target of the latest T2B report
California SOS Debra Bowen has issued the latest in her studies of voting systems used in California. This time round it is ES&S in the dock and found guilty of general incompetence in designing the software and security for its voting equipment.
More disturbing is the fact that the machines in this latest part of the Top to Bottom Review (T2B) are widely used optical scan machines that count paper ballots. So even jurisdictions which have paper ballots and use these scanners should consider putting additional safeguards in place and instituting post-election audits. Especially since these are the same machines that were recently decertified by the SOS in Colorado.
The M-100 and M-650 scanners are widely used throughout the country. The M-100 is designed for precinct-based counting, while the M-650 is used in large urban central-count settings. Both of them use the components of the Unity Election Management System (EMS) software to tabulate the votes, so criticisms of the Unity EMS apply to both models. A key difference between the two systems is the method of loading the Ballot Definition Files (BDFs) onto the system: the smaller M-100 scanner uses a PCMCIA memory card, while the M-650 uses a specially encoded chip that is inserted into the machine before each election. The BDFs are the election-specific instructions telling the scanner how to tally the various races on the ballot; these change with every election and are never subject to Federal certification review.
Here are some of the highlights (or perhaps lowlights) from SOS Bowen’s latest report:
“The developers generally assumed that input data will be supplied in the correct expected format. There is little validation checking of the data, leading to potentially exploitable vulnerabilities when those assumptions turn out to be incorrect, for example, due to malicious manipulation of the election definition leading to execution of attacker-supplied code.”
“The security of the Unity System depends on its secure use, which assumes that all parties involved in developing, maintaining, distributing, deploying and using the Unity system must be trustworthy.”
Wait a minute! Those weren’t even from the RED TEAM report! Here’s some stuff from there about the scanners and the Unity EMS, as well as the AutoMark Ballot Marking Device (BMD):
3.1 Ballot Box Stuffing (M100 Tabulator)
PCMCIA cards used by M100 Tabulators may be exchanged at the precinct during an election to implement ballot box stuffing attacks in favor of particular candidates. This exploit is difficult to detect without examining the audit logs.
3.2 PCMCIA Card Modification (M100 Tabulator)
All data on the PCMCIA card is unencrypted and can be viewed using commonly available programs. This enables a potential attacker to analyze the data on the card and develop strategies to defeat the embedded security mechanisms.
3.3 Ballot Box Stuffing (Election Reporting Manager)
Election results may be modified by an attacker with unauthorized access to the Election Reporting Manager (ERM). The Red Team identified an exploit that enables the unauthorized access. Upon gaining access to the ERM, the attacker can manually add or remove votes from the official vote totals. Note that the ability to manually edit vote totals is necessary to correct errors, but only authorized individuals should have access to this feature. The attack would take a few seconds and, if executed properly, could only be detected by analyzing audit logs.
3.4 Election Result Modification (M650 Tabulator)
The Zip disk containing the Model 650 tabulation results may be modified while it is transported to the Election Reporting Manager, which would process the modified vote totals without questioning their validity.
3.5 Database Access (Audit Manager)
An attacker with unauthorized access can gain complete access to the Audit Manager database by cracking the password. Once access to the database is gained, the attacker can change records, create or remove login credentials for the Audit Manager, EDM, or ESSIM and delete audit log entries to cover his/her tracks.
3.6 Login Name and Password Enumeration (Audit Manager, Election Data Manager and Ballot Image Manager)
Login names and passwords for the Audit Manager, Election Data Manager and Ballot Image Manager may be obtained by executing the exploit described in Section 3.5 (Database Access (Audit Manager)).
3.7 Malicious Database Modification (AutoMARK Information Management System)
An attacker with unauthorized access could modify stored procedures in the Microsoft SQL Server database used by the AutoMARK Information Management System (AIMS). The exploit gives the attacker the ability to write modified ballot definition file data to the Compact Flash cards used by the Voter Assist Terminals. This attack would mainly be used to modify the audio/visual information of the ballot so that candidates are misrepresented when a voter is using the audio ballot, so that a vote for one candidate actually goes to another candidate. This exploit would be most effective if the attacker had ample knowledge of how a district would vote and if the marked ballots were not evaluated for discrepancies.
3.8 Audio/Visual Ballot Layout Tampering (Voter Assist Terminal)
An attacker with unauthorized access could configure a Voter Assist Terminal (VAT) so that the audio information is inconsistent with the visual information. For example, a voter might hear Candidate A while the screen reads Candidate B, resulting in a vote for the wrong candidate (Candidate A). The exploit will not be detected unless the voter verifies his/her printed ballot.
There’s a LOT more though, and it’s pretty much in layperson’s language. I highly recommend it. Take a look at the material in the links below for more detail:
The lesson here is that robust mandatory post-election audits are essential for all jurisdictions. Using optical scan machines without post-election audits is like installing a burglar alarm but failing to turn it on.
What kind of security is that!?!