September 26, 2022

ES&S Uses Undergraduate Project to Lobby New York Legislature on Risky Voting Machines

The New York State Legislature is considering a bill that would ban all-in-one voting machines. That is, voting machines that can both print votes on a ballot and scan and count votes from a ballot – all in the same paper path.

This is an important safeguard because such machines, if they are hacked by the installation of fraudulent software, can change or add votes that the voter did not intend and never got a chance to see on paper.

One voting machine company, Elections Systems and Software (ES&S), which makes an all-in-one voting machine, the ExpressVote XL, is lobbying hard against this bill. As part of its lobbying package, ES&S is claiming that “Rochester Institute of Technology researchers found zero attacks” on the ExpressVote XL, based on an article (included in ES&S’s lobbying package) from Rochester Institute of Technology entitled “RIT cybersecurity student researchers put voting machine security to the test.

If this were actually a scientific article, one could critique it as actual science.  But it’s not a scientific paper:  The article is written by Scott Bureau, Senior Communications Specialist, RIT Marketing and Communications in the RIT public relations department. 

The article describes an undergraduate student “capstone project.”  The students were interviewed by ES&S, allowed ES&S to inspect their testing site, and then signed a nondisclosure agreement with ES&S.  The students made up two attack scenarios, then spent 10 days trying to find attacks.  They found some vulnerabilities, but not one that could change votes.

The students made public a one-page poster describing their project. It’s fine for undergraduate student work; capstone projects are a really useful part of engineering education.  But it’s not a scientific paper that describes their methods, the limitations placed upon them by needing permission from ES&S, or, in any detail – their results.

Even so, the students describe enough for me to notice that they missed three of the most important attack scenarios:

  • Hacker intrusion into the ES&S corporate engineering network, stealing cryptographic keys and source code, or altering the software to be installed into all ExpressVote XL machines nationwide in the next software update.
  • Hacker intrusion into the county election administrator’s network, stealing cryptographic keys and allowing manipulation of ballot-definition downloads.
  • Stealing an ExpressVote XL anywhere in the country, not just in New York, and tearing it apart to reverse engineer and steal crypto keys.
  • There may be many other attacks.  That’s why penetration testing can never prove that a computer system is secure: pen-testing only examines the attacks that the pen-testers happen to think of.

These are standard attacks. These are the ones that can be so effective and dangerous that there is good reason for banning such voting machines.    Maybe those Rochester students are aware of such attacks. Maybe not. But it seems unlikely that ES&S would have given permission for such experiments. That’s why respectable academic security researchers don’t restrict their activities to those in the comfort zone of the corporations whose products they are examining.It is irresponsible and misleading of ES&S to characterize an undergraduate student project, conducted under conditions controlled by ES&S, described in a publicity puff-piece written by a public-relations flack, as “RIT researchers found zero attacks.”

Comments

  1. Dorothy Holley says:

    If any voting machines are vulnerable to attack and change they should be banned for ones that
    are not.