Earlier this month I testified in Gusciora v. Corzine, the trial in which the plaintiffs argue that New Jersey’s voting machines (Sequoia AVC Advantage) can’t be trusted to count the votes, because they’re so easily hacked to make them cheat.
I’ve previously written about the conclusions of my expert report: in 7 minutes you can replace the ROM and make the machine cheat in every future election, and there’s no practical way for the State to detect cheating machines (in part because there’s no voter-verified paper ballot).
The trial started on January 27, 2009 and I testified for four and a half days. I testified that the AVC Advantage can be hacked by replacing its ROM, or by replacing its Z80 processor chip, so that it steals votes undetectably. I testified that fraudulent firmware can also be installed into the audio-voting daughterboard by a virus carried through audio-ballot cartridges. I testified about many other things as well.
Finally, I testified about the accuracy of the Sequoia AVC Advantage. I believe that the most significant source of inaccuracy is its vulnerability to hacking. There’s no practical means of testing whether the machine has been hacked, and certainly the State of New Jersey does not even attempt to test. If we could somehow know that the machine has not been hacked, then (as I testified) I believe the most significant _other_ inaccuracy of the AVC Advantage is that it does not give adequate feedback to voters and pollworkers about whether a vote has been recorded. This can lead to a voter’s ballot not being counted at all; or a voter’s ballot counting two or three times (without fraudulent intent). I believe that this error may be on the order of 1% or more, but I was not able to measure it in my study because it involves user-interface interaction with real people.
In the hypothetical case that the AVC Advantage has not been hacked, I believe this user-interface source of perhaps 1% inaccuracy would be very troubling, but (in my opinion) is not the main reason to disqualify it from use in elections. The AVC Advantage should be disqualified for the simple reason that it can be easily hacked to cheat, and there’s no practical method that will be sure of catching this hack.
Security seals. When I examined the State’s Sequoia AVC Advantage voting machines in July 2008, they had no security seals preventing ROM replacement. I demonstrated on video (which we played in Court in Jan/Feb 2009) that in 7 minutes I could pick the lock, unscrew some screws, replace the ROM with one that cheats, replace the screws, and lock the door.
In September 2008, after the State read my expert report, they installed four kinds of physical security seals on the AVC Advantage. These seals were present during the November 2008 election. On December 1, I sent to the Court (and to the State) a supplemental expert report (with video) showing how I could defeat all of these seals.
In November/December the State informed the Court that they were changing to four new seals. On December 30, 2008 the State Director of Elections, Mr. Robert Giles, demonstrated to me the installation of these seals onto the AVC Advantage voting machine and gave me samples. He installed quite a few seals (of these four different kinds, but some of them in multiple places) on the machine.
On January 27, 2009 I sent to the Court (and to the State) a supplemental expert report showing how I could defeat all those new seals. On February 5th, as part of my trial testimony I demonstrated for the Court the principles and methods by which each of those seals could be defeated.
On cross-examination, the State defendants invited me to demonstrate, on an actual Sequoia AVC Advantage voting machine in the courtroom, the removal of all the seals, replacement of the ROM, and replacement of all the seals leaving no evidence of tampering. I then did so, carefully and slowly; it took 47 minutes. As I testified, someone with more practice (and without a judge and 7 lawyers watching) would do it much faster.
Utter bollocks.
“According to court records, it took you 48 minutes to “hack” the system when the court compelled (ordered) you to do so. Not the 7 minutes you have consistently claimed.”
48 minutes with some unfamiliarity with the latest security changes to the machines.
Still peanuts; he found he could easily get that much time unsupervised near machines shortly pre-election.
“In addition you testified that many other things would need to be present or certain conditions exist to successfully attack the system.”
Conditions that usually do exist.
“You also cited that 500 machines would need to be attacked and changed to change the results of a state-wide election”
He’s found clusters of several unattended machines at a time. Even assuming he needed a full hour per machine, not 7 or even 48 minutes, given five hours with a group of five of those, he could compromise them all. If he did so at 100 polling places in a swing state over the course of a couple of months in the run-up to the election, he could do 500 spending about as much time per day as a normal full-time job. With a few accomplices, this becomes faster and easier.
Of course, he’s also found that many of these machines are vulnerable to viral attacks. Then he may only need to spend one hour with one unattended machine to compromise 500 or more.
“all this would need to be done years’ prior to the election”
Baloney.
“What I see with “computer scientists” is a cabal attempting to interject fear into the system for their own personal gain.”
This is especially low, questioning his motives. Not to mention especially stupid. What would “a cabal of computer scientists” possibly have to gain by recommending that voting be done on paper, exactly? Certainly not increased employment or anything like that.
According to court records, it took you 48 minutes to “hack” the system when the court compelled (ordered) you to do so. Not the 7 minutes you have consistently claimed. In addition you testified that many other things would need to be present or certain conditions exist to successfully attack the system. You also cited that 500 machines would need to be attacked and changed to change the results of a state-wide election – all this would need to be done years prior to the election – of course, years before the election no one knows who the candidates would be or what position on the ballot they would be listed. Another challenge to be sure.
What I see with “computer scientists” is a cabal attempting to interject fear into the system for their own personal gain. Let me ask this question: Did President Obama win New Jersey fair-and-square or did someone steal the election for him? I believe he did win fair-and-square but it is an interesting question to ponder.
Researching the legitimate security issues surrounding voting technology is needed and demanded; however, it should be done in accordance with proven scientific methodology and not pre-ordained outcomes under phony conditions.
The use of a Z80 running code from a storage device to which it cannot write is a huge improvement over systems which run code from writable storage. Although there are physical vulnerabilities, such vulnerabilities are going to exist in any system including paper ballots. While the present implementations have not yet adequately addressed physical vulnerabilities, there shouldn’t be anything fundamentally difficult about doing so.
I would suggest the following protocol for dealing with physical vulnerabilities:
-1- Construct the machine’s case from two parts that will slide together, with a number of 5/16″ holes in the areas where they overlap. It should be impossible to open the case except by sliding the two parts relative to each other, and it should be impossible to slide the two parts relative to each other while a padlock is installed in any of the holes. One or more padlocks will be supplied and installed by a member of each party; provided a party doesn’t give copies of its keys to anyone, it will be impossible for the machine to be opened without either (1) having representatives of all parties cooperate, or (2) destroying the locks (which would give access to the machine, but leave clear evidence of tampering).
-2- Code and ballot data should be stored on flash cartridges equipped with two access ports. One port would provide read-only access and one would provide read-write access. The carts would provide a means of sealing the read-write port. Padlocks would probably be too bulky, but numbered seal-ties would probably work. There would be two sets of holes; one would allow access to the read-write port but protect the cart from being opened (or substituted); the other would protect the read-write port.
-3- Members of all parties would have equipment that could plug into the read-only port of a cartridge and read out everything. Such equipment could be constructed quite cheaply; even in low volumes the per-unit cost including hand assembly would be under $50.
-4- Before polls open, an official copy of the code/setup cartridge contents as well as the initial setup for the ballot cartridge would be made available to all interested parties. Immediately prior to the start of voting, all interested parties would confirm (using the read-only port) that all cartridges contained the proper contents. Each party would add its own seal-tie to the code cartridge immediately upon verification, and put two seal-ties on the ballot cartridge. Once all parties had confirmed the cartridges, all parties would be allowed to inspect the seal ties and the read/write port seal ties would be cut and the cartridges inserted into the machine. The machine would then be sealed shut, and each party would apply its own padlock.
-5- At the end of the election, all parties would inspect the padlocks and release them, and then all parties would inspect the seal-ties on the cartridges. The ballot cartridge would then be sealed for read-only access and all parties would read out the contents of both cartridges. The parties could then compare the contents they’d read out and, if they agree, digitally sign them for each other.
Under such a system, assuming that some systems were randomly inspected via means such as X-ray to ensure there’s no funny business, I would think security should be as good or better than paper ballots. With paper ballots, there’s a huge window of vulnerability from the time of the election until the end of the last recount during which tampering may take place. With a system like this one, once both parties have signed each others’ read-outs, tampering would be impossible.
To be sure, the party representatives would have to be attentive to ensure that their seal ties weren’t broken when they shouldn’t be, and to ensure there’s no sleight of hand (e.g. swapping in phony cartridges just before the machine is sealed, and swapping back the originals when it’s opened) but I wouldn’t think such issues would be any worse than they would with paper ballots.
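To make steps 4 and 5 of the proposal above concrete, here is an added illustration (not code from the post or from any commenter) of the cross-party cartridge checks: before polls open each party compares its own read-out of every cartridge against the published official digest, and after the election the parties' read-outs are accepted only if they agree byte for byte, yielding the canonical record they would then sign for one another. Cartridge contents and party names are constructed samples.

```python
"""Model of the cross-party cartridge checks in steps 4 and 5 of the proposal."""
import hashlib
from typing import Dict, Mapping, Tuple

# Constructed stand-ins for the code/setup cartridge and the blank ballot cartridge.
CODE_IMAGE = b"AVC firmware image v1 (constructed sample)"
BALLOT_SETUP = b"ballot layout: 3 contests, all counters zero (constructed sample)"

def digest(image: bytes) -> str:
    """SHA-256 of a full cartridge read-out taken through the read-only port."""
    return hashlib.sha256(image).hexdigest()

# Step 4: the official contents are published before polls open, so every party
# can independently compute the digest it expects to see on each cartridge.
OFFICIAL = {"code": digest(CODE_IMAGE), "ballot": digest(BALLOT_SETUP)}

def verify_pre_poll(readout: Mapping[str, bytes], official: Mapping[str, str]) -> Dict[str, bool]:
    """One party's pre-poll check: each cartridge it read must match the published
    digest. A cartridge with no published digest fails closed."""
    return {name: digest(img) == official.get(name) for name, img in readout.items()}

def reconcile_readouts(readouts: Mapping[str, Mapping[str, bytes]]) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Step 5: every party reads both cartridges once the padlocks come off.
    Returns (record, disagreements): the record is the canonical text each party
    would sign for the others, and is empty unless every party's read-out of
    every cartridge is identical."""
    parties = set(readouts)
    per_cart: Dict[str, Dict[str, str]] = {}
    for party, cartridges in readouts.items():
        for name, img in cartridges.items():
            per_cart.setdefault(name, {})[party] = digest(img)
    # A cartridge is disputed if some party never read it or the digests differ.
    disagreements = {name: d for name, d in per_cart.items()
                     if set(d) != parties or len(set(d.values())) != 1}
    if disagreements:
        return "", disagreements
    record = "\n".join(f"{name}:{next(iter(d.values()))}" for name, d in sorted(per_cart.items()))
    return record, {}

# Constructed post-election ballot contents and the parties' read-outs.
CLOSED_BALLOT = BALLOT_SETUP + b" | totals: 120/95/3"
AGREEING = {p: {"code": CODE_IMAGE, "ballot": CLOSED_BALLOT} for p in ("party A", "party B", "party C")}
# One party's read-out of the ballot cartridge differs, as it would after a swap.
DISPUTED = {**AGREEING, "party B": {"code": CODE_IMAGE, "ballot": CLOSED_BALLOT + b"!"}}
```

A disputed cartridge leaves the record empty, so nothing gets signed until the parties have resolved why their read-outs differ.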
Maybe they weren’t NJ machines so it wouldn’t have been relevant to enter them as evidence in this case but I’m pretty sure photos of unattended and tucked away machines have been posted on this very blog and pictures taken far longer than 47 minutes in advance of being used. Or maybe NJ actually does have good physical security of the machines prior to use?
I testified at the trial, as a fact witness, about all the times I have seen unattended New Jersey election machines. Some of the photos I published on this site were put into evidence.
Your conclusions are clearly founded; however, is an electronic voting machine more prone to falling prey to corrupt elections than paper ballots are? It seems to me that similar points could easily be made about the paper ballot system.
The main difference is that while yes, it is just as easy if not easier to cheat on paper ballots, there are two major factors in paper’s favour:
The security requirements for counting paper ballots are fairly well understood, having been in use for many decades. Boxes get sealed and bonded, and most steps are done with representatives of all interested parties present. Computer voting machines have been shown to have security problems outside of the way the people running elections normally think.
Tampering with a single box of paper ballots is easy; tampering with much more than that requires a conspiracy. Whereas with some voting machines, especially with ones that have wireless connections or can execute code off the flash cards, it would be possible for one person to make much wider changes to vote totals by affecting multiple machines.
It’s not so much that voting machines are more prone to being corrupted, as that the consequences of them being corrupted are possibly much broader, and also harder to prove or recover from.
It’s not that computerized voting machines let you cheat. It’s that they let you cheat more, faster, and secretly.
Valid points Bryan.
As to your first point, I hope that we can overcome that pattern of thinking and expand to use technology in a secure manner even if it means that the people running elections have to think outside of their comfort zones to secure them. My hope is that, in the future, technology can be embraced to expand our voter turnout from the ridiculously low numbers that we currently have in the US. Granted, this form of electronic voting machine doesn’t necessarily help reach that goal, but I see it as a potential stepping stone.
To your second point, I see some validity there. However, I don’t see any reason to have network connections enabled on these machines. Also, it should be possible to go beyond the sealing system and come up with some better method of ensuring the voting machine is in a proper state. Maybe some sort of certified, secured ROM replacements that happen just as the machine goes into use.
Thanks for fighting for this Andrew. There are plenty of people who appreciate it.