December 16, 2017

VW = Voting Wulnerability

On Friday, the US Environmental Protection Agency (EPA) “accused the German automaker of using software to detect when the car is undergoing its periodic state emissions testing. Only during such tests are the cars’ full emissions control systems turned on. During normal driving situations, the controls are turned off, allowing the cars to spew as much as 40 times as much pollution as allowed under the Clean Air Act, the E.P.A. said.”  (NY Times coverage) The motivation for the “defeat device” was improved performance, although I haven’t seen whether “performance” in this case means faster acceleration or better fuel mileage.

So what does this have to do with voting?

For as long as I’ve been involved in voting (about a decade), technologists have expressed concerns about “logic and accuracy” (L&A) testing, which is the technique used by election officials to ensure that voting machines are working properly prior to election day.  In some states, such tests are written into law; in others, they are common practice.  But as is well understood by computer scientists (and doubtless scientists in other fields), testing can prove presence of flaws, but not their absence.

In particular, computer scientists have noted that clever (that is, malicious) software in a voting machine could behave “correctly” when it detects that L&A testing is occurring, and revert to its improper behavior when L&A testing is complete.  Such software could be introduced anywhere along the supply chain – by the vendor of the voting system, by someone in an elections office, or by an intruder who installs malware in voting systems without the knowledge of the vendor or elections office.  It really doesn’t matter who installs it – just that the capability is possible.

It’s not all that hard to write software that detects whether a given use is for L&A or a real election.  L&A testing frequently follows patterns, such as its use on dates other than the first Tuesday in November, or by patterns such as three Democratic votes, followed by two Republican votes, followed by one write-in vote, followed by closing the election.  And the malicious software doesn’t need to decide a priori if a given series of votes is L&A or a real election – it can make the decision when the election is closed down, and erase any evidence of the real votes.

Such concerns have generally been dismissed in the debate about voting system security.  But with all-electronic voting systems, especially Direct Recording Electronic (DRE) machines (such as the touch-screen machines common in many states), this threat has always been present.

And now, we have evidence “in the wild” that the threat can occur.  In this case, the vendor (Volkswagen) deliberately introduced software that detected whether it was in test mode or operational mode, and adjusted behavior accordingly.  Since the VW software had to decide prospectively, while the engine was running, whether to behave as if in test mode, its problem is far harder than the one facing a voting system, where the decision can be made retrospectively when the election is closed.

In the case of voting, the best solution today is optical scanned paper ballots.  That way, we have “ground truth” (the paper ballots) to compare to the reported totals.
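The threat sketched above (a tabulator that counts correctly whenever a session matches the canned L&A script or falls on a non-election date, and only misbehaves at close time) and the paper-ballot comparison this paragraph proposes, as a toy model added for this page. It is not code from the original post or from any voting system; the L&A script, the ballot sets, the dates and the 10% vote shift are all constructed assumptions.

```python
"""Toy model: L&A testing cannot expose a pattern-aware tabulator,
but comparing reported totals against hand-counted paper ballots can.

Added example, not from the original post. Everything here (script,
ballots, dates, shift fraction) is constructed; no real system is modelled.
"""
from collections import Counter
from datetime import date

# Constructed L&A script of the kind the post describes: three Democratic
# votes, two Republican votes, one write-in, then close the election.
LA_SCRIPT = ["D", "D", "D", "R", "R", "WRITE-IN"]


def is_general_election_day(d):
    """True for the first Tuesday in November (weekday() == 1 is Tuesday)."""
    return d.month == 11 and d.weekday() == 1 and d.day <= 7


def looks_like_la_test(ballots, run_date):
    """Close-time heuristics a pattern-aware tabulator could apply (toy model):
    the session matches the canned L&A script, or it is not election day."""
    return list(ballots) == LA_SCRIPT or not is_general_election_day(run_date)


def tabulate(ballots, run_date, honest=True):
    """Report totals for a closed session.

    honest=True  -> plain count.
    honest=False -> the post's threat: count correctly whenever the session
                    looks like an L&A test, otherwise move 10% of 'D' ballots
                    to 'R' at close time (toy fraction, constructed here).
    """
    counts = Counter(ballots)
    if honest or looks_like_la_test(ballots, run_date):
        return dict(counts)
    shifted = counts["D"] // 10
    counts["D"] -= shifted
    counts["R"] += shifted
    return dict(counts)


def audit(paper_ballots, reported_totals):
    """Hand-count the paper ballots (ground truth) and return, per candidate,
    reported minus hand count. All zeros means the report matches the paper."""
    hand = Counter(paper_ballots)
    names = set(hand) | set(reported_totals)
    return {n: reported_totals.get(n, 0) - hand.get(n, 0) for n in names}


def audit_passes(discrepancy):
    """The paper check passes only when every candidate's discrepancy is zero."""
    return all(v == 0 for v in discrepancy.values())


def run_demo():
    """Return (L&A passed?, election audit passed?, election discrepancy)."""
    # Pre-election L&A run on a Friday in October: the rigged tabulator
    # recognises the script and the date, reports correctly, and L&A shows
    # nothing wrong.
    la_report = tabulate(LA_SCRIPT, date(2017, 10, 20), honest=False)
    la_passed = audit_passes(audit(LA_SCRIPT, la_report))

    # Election day (7 Nov 2017 was the first Tuesday in November) with a
    # constructed ballot set; the paper ballots are the ground truth.
    election = ["D"] * 600 + ["R"] * 400 + ["WRITE-IN"] * 5
    report = tabulate(election, date(2017, 11, 7), honest=False)
    discrepancy = audit(election, report)
    return la_passed, audit_passes(discrepancy), discrepancy


if __name__ == "__main__":
    la_ok, election_ok, diff = run_demo()
    print("L&A test passed:", la_ok)              # True: the defeat logic hid itself
    print("Election audit passed:", election_ok)  # False: paper disagrees with report
    print("Reported minus hand count:", diff)     # {'D': -60, 'R': 60, 'WRITE-IN': 0}
```

The point of the model is the asymmetry the post describes: the L&A run is indistinguishable from a correct machine no matter how many scripted tests are repeated, while a single comparison of the reported totals against the paper ballots surfaces the 60-vote shift immediately. Real audits sample ballots rather than hand-counting every one, but the check is the same comparison against ground truth.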

The bottom line: it’s far too easy for software to detect its own usage, and change behavior accordingly.  When the result is increased pollution or a tampered election, we can’t take the risk.

Postscript: A colleague pointed out that malware has for years behaved differently when it “senses” that it’s being monitored, which is largely a similar behavior. In the VW and voting cases, though, the software isn’t trying to prevent being detected directly; it’s changing the behavior of the systems when it detects that it’s being monitored.

Comments

  1. Neal McBurnett says:

    Thank you Jeremy – great points.

    Many of us are very glad to see the trend away from paperless voting machines and towards voter-verifiable paper ballots, and hope it gets stronger, for reasons like these.

    You didn’t mention Internet voting, but as we continue to see a variety of people tout it for a variety of reasons, we need to remember that exactly the same problem exists with it. An online voting site has access to a huge variety of information about each voter via the browser they’re using, the internet connection, etc., and could of course also detect testing or auditing behavior in a variety of ways, and could easily change its behavior in a malicious way.

  2. Luther Weeks says:

    Also, the people who test a voting machine have motive and opportunity to fudge test results or the election. More so than emissions testers.

  3. Thanks for making this connection. The VW case has widespread implications in a variety of scenarios, including voting (also in the application of DRM on vehicle control systems, preventing third parties from verifying or maintaining those systems and the mechanical components controlled by them).

    I agree with the conclusion, that we _must_ have some kind of physical trail. Scanned paper ballots that can be hand-counted if necessary, or a paper log of the electronically-entered votes, verified by the voter before the vote is accepted (I prefer scanned ballots, because it’s impossible for the voter to carelessly approve a ballot other than the one they voted, but an electronic-entry system is more convenient at polling places and may in fact be important in terms of other voting priorities, such as getting voters through efficiently and minimizing/eliminating ballot-marking mistakes).

    That said, I’d like to point out that in the case of the VW fraud, as far as I know it has not been publicized exactly how the software determined emissions testing was in progress, and so we can’t say for sure that doing so “is far more difficult than a voting system”. Many (all?) states that do emissions testing begin the test by plugging into the vehicle’s OBD-II system; it may be that detecting an emissions test is as simple as noting that the vehicle has in fact been notified by the emissions test operator that the test is commencing.

  4. For voting, the solution of optically scanned voter verifiable paper ballots is pretty reasonable.

    I wonder what the verifiable equivalent would be for the VWs.