April 24, 2014


Report on the Sequoia AVC Advantage

Today I am releasing an in-depth study of the Sequoia AVC Advantage direct-recording electronic (DRE) voting machine, available at citp.princeton.edu/voting/advantage. I led a team of six computer scientists in a monthlong examination of the source code and hardware of these voting computers, which are used in New Jersey, Pennsylvania, and other states.

The Rutgers Law School Constitutional Litigation Clinic filed a lawsuit seeking to decommission all of New Jersey’s voting computers, and asked me to serve as an expert witness. This year the Court ordered the State of New Jersey and Sequoia Voting Systems to provide voting machines and their source code for me to examine. By Court Order, I can release the report no sooner than October 17th, 2008.

Accompanying the report is a video and a FAQ.

Executive Summary

I. The AVC Advantage 9.00 is easily “hacked” by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this “hack” takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate, or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County’s Board of Elections uses to add up votes from all the different precincts.)

III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

V. Sequoia’s sloppy software practices can lead to error and insecurity. Wyle’s Independent Testing Authority (ITA) reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.

Comments

  1. Anonymous says:

    Voting machines can be hacked? Knock me down with a feather!

  2. Preston L. Bannister says:

    I do not believe “voter-verified” printer output on paper is worth very much. Is the record on paper accurate? Maybe, watching voters (I host the local polling place) – they clearly have a hard time matching up their vote with what appears on paper. I would not bet on their catching errors. A user interface design issue in part – the printed output should be as similar as possible to what appears on-screen.

    I can guarantee that no one tampered with the machines or the votes while in my possession, but once the votes leave my hands, I have very little idea what happens next (and no means of verification). (I also have no idea if the voting machines were tampered with before they were delivered.) The most economic place to steal votes is upstream of the voting place. A strip of printed paper could be replaced with another strip of printed paper, pretty much anywhere upstream.

    To paraphrase Butler Lampson:
    “Only end-to-end checks matter – everything else is (or should be) an optimization.”

    (Reading Lampson’s “Hints for Computer System Design” was – for me – key to understanding why the then-new ISO OSI network standard was a bad idea, and later failed.)

    If you cannot verify that a vote cast is a vote counted, pretty much everything else is a waste of time.

    To be clear – I am not in even the remotest sense defending any existing voting machine. Rather I am concerned that the analysis focuses too much on the wrong aspects.

  3. joehall says:

    @Preston: One cannot perform post-election audits (manual tallies of independent records against electronic tallies) without an independent record… the only such records currently available on the market are paper records. I would call that worth something… in fact, a significant something (significant enough that 32 states mandate or otherwise use them).

  4. Anonymous says:

    “We am not lawyers”?. Ouch. English are not our first language either
    apparently :)

  5. Preston L. Bannister says:

    @Joe: What does that “audit” count? If you are not counting votes (made by voters) then the count means nothing. The paper record only covers the case where there is an error (accidental or deliberate) in only the electronic tally at the polling place, and only then when you can count on voters to spot errors in the paper record.

    If you are going to subvert an election, changing the results at a single polling place is not enough. It would be far more effective to subvert upstream from the polling place.

    Since the paper tally and the electronic tally both go to the same upstream collection place, that is your most effective/least risky place to subvert the election. A printed record can be replaced with another printed record.

    Once votes go to the upstream collection point, anything can be changed. There is no outside verification. The paper-based record proves nothing. You do not want any single point of failure. The upstream collection point is a single point of failure.

    Security is ultimately based on people. If all the people in the process are subverted, you cannot have a secure system. If you have enough dissimilar folk able to verify votes, then the risk of detection gets high enough to make subverting an election very risky. We need, but do not have, that sort of verification.

    Paper-based recounts make more sense when you use paper-based ballots.

  6. Neal McBurnett says:

    @preston: you make good points, but so does Joe. In the end it is clear that a good audit of paper records is among the best defenses. Modifying or replacing thousands of paper records which should be well secured by people from multiple parties is a tall order that should be hard to hide. In contrast, as the Software-Independent Systems paper from Rivest and Wack shows, there are numerous ways that software can be quietly subverted.

    But you’re right that it is important to get as close to “end-to-end” as you can, and go further than just comparing VVPATs to DRE results. The scanners and tally systems are also easy to attack. So the thing to do, as we are doing in Boulder County, Colorado, is to have paper records for all votes (VVPATs for DREs, and ballots for the scanners), to account for all the ballots as best you can (mail-in ballots complicate this enormously!), to produce a full report of all precincts or batches of paper and how the candidates did in each of them, and to audit that report against the paper records.
    Check out my recent posts on the topic (including the independent open-source code we’ll use to facilitate the process.) Disclaimer – that’s my project… :)

    http://neal.mcburnett.org/blog/2008/10/18/electionaudits-software-help-audit-election/

    • Preston L. Bannister says:

      @neal: I think it important to reiterate this point – the end-to-end check is crucial. Anything else is (at best) an optimization.

      Just getting “close” to end-to-end is not good enough.

      If you stood in a common room, dropped your vote in a box, watched the box carried to the front, and watched the votes counted – then you have an end-to-end check on a paper-based system. If you know and trust enough of the people in the process, you do not have to watch everything yourself. Break that chain of trust, and you need a different approach. In almost all voting in the United States, you cannot have that chain of trust.

      Lacking a chain of trust, you need an independent means of verification. You need a valid end-to-end check.

      Mail-in ballots are far worse – lots of new attack vectors. A couple notes…

      Postal workers do not have to open absentee voter ballots to change the course of an election. Given information about the probable voting habits of individual voters, the worker could simply discard the ballot, either when sent to the voter, or when sent back by the voter.

      A much easier variant is to discard a fraction of the ballots for an area known for voting unfavorably on a cause or candidate you want to promote. Discarding all ballots for an area might be detected, but discarding a fraction is often sufficient to change an election result, while remaining hard to detect.

      From experience (I have hosted the local polling place for several years) it seems that a lot of absentee ballots expected by voters are not delivered, and most of those voters do not vote. The entire process is (or seems) usually very error-prone – so the above attack should be effective.

      A variant of the same attack applies when the absentee ballots are mailed to voters. A subverted government worker could simply fail to mail a fraction of the ballots for some areas.

      If between the post office and when votes are counted the mail-in ballots are ever in the hands of an individual or small group, and if they can be subverted, then you have another attack vector.

      Our local Registrar of Voters has representatives of both political parties present to observe the counting of votes, so the risk of detection seems high at that point.

      Between the observed error rate (intentional or not), the many attack vectors, and lack of any means of verification, I have a very low opinion of vote-by-mail.
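The batch-comparison audit that Neal McBurnett describes above (publish a per-batch report, then hand-count the paper in sampled batches and check it against that report) is sketched below as an added, editor-written example. It is not code from the post, from the ElectionAudits project, or from any commenter. The batch tallies, hand counts and public seed are constructed, and the "worst case for unaudited batches" bound is a standard conservative one: a batch not yet hand-counted is assumed to have been entirely votes for the loser. The example also shows why a sample of three batches out of five cannot confirm a 190-vote margin under that bound, and why the audit must escalate to a full count.

```python
"""
Batch-comparison audit of a published per-batch report against hand counts of the
paper records. Added example: all data below is constructed, not from any real election.
"""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Batch:
    batch_id: str
    ballots: int            # paper ballots accounted for in this batch
    reported: dict          # candidate -> votes in the published batch report


# Constructed published report: five batches (precincts), two candidates.
REPORT = [
    Batch("P01", 400, {"A": 230, "B": 165}),
    Batch("P02", 350, {"A": 160, "B": 185}),
    Batch("P03", 500, {"A": 300, "B": 190}),
    Batch("P04", 450, {"A": 210, "B": 235}),
    Batch("P05", 300, {"A": 180, "B": 115}),
]

# Constructed hand counts of the paper in three sampled batches. In P03 the paper
# shows ten ballots for B that the report credited to A.
HAND_COUNTS = {
    "P01": {"A": 230, "B": 165},
    "P03": {"A": 290, "B": 200},
    "P05": {"A": 180, "B": 115},
}

# Constructed hand counts for every batch (the escalated, full audit).
FULL_HAND_COUNTS = dict(HAND_COUNTS, **{
    "P02": {"A": 160, "B": 185},
    "P04": {"A": 210, "B": 235},
})


def contest_totals(report):
    """Sum the published batch report into contest totals."""
    totals = {}
    for batch in report:
        for candidate, votes in batch.reported.items():
            totals[candidate] = totals.get(candidate, 0) + votes
    return totals


def reported_margin(report, winner, loser):
    totals = contest_totals(report)
    return totals[winner] - totals[loser]


def select_batches(report, public_seed, n):
    """Pick n batches to hand-count from a seed fixed in public (e.g. dice rolled after
    the report is published), so observers can reproduce the selection."""
    rng = random.Random(int(hashlib.sha256(public_seed.encode()).hexdigest(), 16))
    return sorted(rng.sample([b.batch_id for b in report], n))


def overstatement(batch, hand, winner, loser):
    """How much the reported margin in this batch exceeds the margin on the paper."""
    reported = batch.reported[winner] - batch.reported[loser]
    actual = hand[winner] - hand[loser]
    return reported - actual


def max_overstatement(batch, winner, loser):
    """Worst case for an unaudited batch: every paper ballot was really a vote for the loser."""
    return (batch.reported[winner] - batch.reported[loser]) + batch.ballots


def audit(report, hand_counts, winner, loser):
    """Confirm the outcome only if the observed overstatement plus the worst case for
    the batches not yet hand-counted is still smaller than the reported margin."""
    margin = reported_margin(report, winner, loser)
    observed = 0
    unaudited_bound = 0
    for batch in report:
        if batch.batch_id in hand_counts:
            observed += overstatement(batch, hand_counts[batch.batch_id], winner, loser)
        else:
            unaudited_bound += max_overstatement(batch, winner, loser)
    return {
        "margin": margin,
        "observed_overstatement": observed,
        "unaudited_bound": unaudited_bound,
        "confirmed": observed + unaudited_bound < margin,
    }


if __name__ == "__main__":
    print("sample:", select_batches(REPORT, "dice: 4 1 6 2 5 3", 3))
    print("partial audit:", audit(REPORT, HAND_COUNTS, "A", "B"))
    print("full audit:", audit(REPORT, FULL_HAND_COUNTS, "A", "B"))
```

With the constructed data the reported margin is 190; the three sampled batches show 20 votes of overstatement, but the two unaudited batches could hide up to 750 more, so the partial audit does not confirm the result and the count must be extended. Hand-counting every batch leaves only the 20-vote discrepancy, which the margin absorbs. The bound is deliberately loose; risk-limiting audits tighten it with statistics, but the structure (public report, public random sample, hand count, compare) is the same.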

  7. Mark says:

    Reading the full 158-page report is frightening. I assumed that there would be several vulnerabilities in Sequoia’s machines, but I never would have guessed it was to this extent.

    I can’t believe Sequoia was so incredibly lax when designing machines that determine something as important as elections. Moreover, while I understand why they’ve been trying to hide this for so long, did they honestly think they would be able to keep this up?

  8. eee_eff says:

    The number of flaws is almost unbelievable, and clearly the corner has been turned on the fight against e-voting.

    One thing that I have noticed here in Saint Louis MO, where there have been two different types of voting machines (one is a scanner of a paper ballot, and the other is an electronic voting machine, I think Sequoia) is that almost everyone chooses the paper ballot. Since 2004, when the old butterfly punch card ballots were replaced, I have noticed in each election that fewer and fewer people use the electronic machines. Eventually, they should just stop bringing them, I would think.

    How common is it to have a choice in what kind of machine you can use? Missouri, usually on the trailing edge of anything new, looks to have gotten something right.

  9. DK says:

    In section 23 of the report, page 64, it’s stated that the Union County laptop used to interface with the voting machines had Symantec Antivirus version 10.0.2.2000 installed when examined in July 2008.

    That version of SAV has a known vulnerability, acknowledged and patched by Symantec in May 2006: http://www.symantec.com/avcenter/security/Content/2006.05.25.html. “A stack overflow in Symantec Client Security and Symantec AntiVirus Corporate Edition could potentially allow a remote or local attacker to execute code on the affected machine. ” The exploit is both locally and remotely exploitable, is publicly available, and being attempted by various viruses, according to Symantec.

    Yet this PC still lacks the patch to their corporate AV product two years later. What else is unpatched on it?

    That tears it, I’m getting a paper absentee ballot.

  10. Lior says:

    Considering “logic and accuracy testing”, you may want to make the following points regarding replacing “dumb” parts of the election system with “smart” parts (this includes replacing the Z80 with a simulator, and replacing the “result cards” with “intelligent” cards, possibly including Wi-Fi).

    First, the “smart” replacement can and probably will contain its own real-time clock, independent of the motherboard/daughterboard clocks. Thus, trying to set the voting machine date to the true election date during testing will not fool such a simulator.

    Moreover, Wi-Fi enabled smart replacements can communicate with each other to tell if any of them has been chosen for parallel testing on election day.

  11. American Voter says:

    Forget Software / System hacks …

    These things are electronic without (I assume) battery backups that will run for the required 12 hours of voting (give or take).

    What about – a building power outage caused by a car wreck, popped circuit breaker, thunderstorm?

    What about black spray paint on the screens?

    What about JB Weld put in the power plugs?

    What about an electrician’s wire cutter?

    What about a short circuit device plugged in some other outlet in the room with the machines?

    Seems to me it would be easy to take out an entire polling place with just a couple of items.

    And this is secure? Yeah, right.

  12. Conny says:

    Can’t find anywhere any information on who paid for this research. Academics are the best at saying the sky is falling…oh and give me more taxpayer (or liberal foundation) money and I’ll do more research so that I can get tenure and issue another report and say the sky is still falling. Why don’t you do a risk assessment of paper ballots? Check out how inaccurate they are and how they discriminate against poor and minority voters.

  13. Anonymous says:

    About the first two points of your report. I wonder how easy is it for someone to gain access to the voting machines and audio-ballot cartridges to swap out the ROM or infect the cartridges with malicious firmware / software. I really don’t see why it would be a concern if it’s not possible to commit such acts unless the voting equipment is carelessly stored. I seriously wonder how people would be standing in the voting booth changing out the ROM without being noticed in the 7 minutes. And talk about having to get a hold of the cartridges beforehand to do any real damage. The first two points are really like saying the bank is insecure since they leave their vaults open during business hours. I mean how do you gain access to the vault even if it’s open? It’s probably guarded so unless you can overpower the guard forcefully, it’s not possible to get in.

    Same thing is true for the machines, unless you can somehow change out the ROM without being noticed, or get ahold of an audio cartridge, there’s no way to sabotage the machines. And plus any vulnerability to the WinEDS for virus problems can be solved by using dedicated computers that only have the OS and the voting software installed and isolated from the network. HOW hard is that?

    But I do agree with all other concerns that have to do with poorly designed software as that can cause catastrophe especially when there’s no paper trail for error correction. And bad user interface can also cause voters to cast votes incorrectly or have votes counted incorrectly.

    I have to say, stick with the software issues and leave the hardware issues for someone who really knows what they’re talking about. Because unless you can show that someone can reasonably manipulate the system through using hardware changes, it’s really not a concern. It just makes your report look a bit unconvincing…

  14. Anonymous says:

    Hi Andrew. The State of New Jersey has posted a rebuttal to your report authored by Dr. Michael J. Shamos from Carnegie Mellon on its website. I’m looking forward to your response:

    http://www.state.nj.us/state/elections/2008_pressrelease/gusciora_shamos_report.pdf

  15. Anonymous says:

    Dr. Shamos’ rebuttal completely misses the point in so many places, it’s laughable. Just to give you an example of his flawed arguments:

    Paragraph 69. Shamos’ argument is just as much wishful thinking (that we are safe for now since no discoveries have been made) as Appel’s claim that cleverly designed firmware can avoid detection. Who cares whether or not it’s possible to design such firmware. Forget who’s right or wrong — think about the big picture. Should we take the cautious approach and assume it is possible for someone to make such a hacked firmware? Or do we wait until after the fact — until it actually becomes a problem? I’ll let you decide.

    Paragraph 72. This is an extremely naive argument here. The fact that there have been no reports of manipulations in real elections does NOT preclude that manipulations did not actually occur. For someone with a computer science degree to fail at basic logic is astounding. Moreover, the assumption that we would have seen many failed attempts first is also naive. The classic story about the MIT group who beat the house in Vegas is a clear example of how one type of “cheating” can occur without being detected for prolonged periods of time.

    Paragraph 74. Just because there have been no reports of anyone writing programs to fix votes in a manner that avoids detection does not mean no one has ever done it (see above.) Moreover, this is more a math problem than it is a computer problem.

    Paragraph 75. It is easier to detect someone walking off with physical boxes containing ballots than it is to detect whether or not underlying software within a micro chip has been compromised.

    Paragraph 79. You don’t need to alter every machine. You just need a group of dishonest poll workers to spend a few minutes at select machines. It would take hundreds of hours to install if only one person were doing it, yes. But this is a good example where Shamos manipulates the statistics. Obviously you wouldn’t have one person altering all the machines. You’d have many people, all over, and they each only take 7 minutes. Collectively, it still only takes 7 minutes to open up the machines.

    Shamos seems to prefer the “let’s not fix the problem until shit hits the fan.” For voting machines, that is the wrong approach.

    • Anonymous says:

      I think there’s a flaw in your last point. It’s more a risk in the actual electoral system rather than e-machines. As the same group of dishonest poll workers can just as easily sabotage paper voting or any other method.

    • Lior says:

      Is Prof. Shamos really a professor of computer science? This report is amateurish beyond belief. Basically, it asserts that since Prof. Appel did not actually steal a live election, it has not been demonstrated that it is possible to steal a live election. This is a very curious approach to safety and security: when you can imagine a bad scenario, you should not mitigate this potential harm: until this scenario plays out in practice it has not been demonstrated to occur and is therefore ignorable.

      A few further examples:

      Paragraphs 31-32. It is implied that changing physical paper ballots that have already been viewed by the voter, or substituting other ballots for these, is comparable to changing ephemeral electronic records of ballots. This is absurd. The ballot box, containing physical ballots, is under constant observation by partisan operatives during the whole day. Changing the paper records inside it, or substituting its contents, requires serious collusion. While the internal state of the ballot box is not directly observable, it is easy for a human observer to verify that the internal state has not changed during the observation. On the other hand, the internal state of a computer cannot be verified to remain constant by outside observation.

      Paragraph 33. It is essentially certain that the vendor-originated firmware was designed to function correctly. But if we assume with Prof. Shamos that the firmware on the machine is the factory-installed one we have done away with the problem to be studied! This fallacy is known as “begging the question”.

      Paragraph 38. Prof. Shamos ignores “denial-of-service” attacks. Mere detection of tampering is not sufficient.

      Paragraph 39 & 41. Prof Shamos is ignoring the discussion of easy accessibility of voting machines. In other words, the detailed argument that the (indeed, artificial) conditions of the video presentations are in fact not far removed from actual conditions.

      Paragraph 41. Prof. Shamos completely ignores the fact that faulty software in an optical scanning machine cannot have a large-scale effect on an election, since the ballots can also be counted by humans.

  16. Anonymous says:

    The main problem with e-voting machines is that you essentially have to continue to “patch” the software anytime a new exploit becomes known. It’s no different from, say, an operating system (in fact, the firmware of such a machine is essentially its operating system). With the old-school method, your main (if not only) concern was whether the people handling the votes (from the poll workers all the way up to the administrators who handle the counting of the votes) could be trusted. With these e-voting machines, you not only have to trust the folks running the show, you also have to deal with the security of the underlying software.

  17. sea-cat says:

    The best solution is to install a totally transparent, open source election system like this one:

    http://sea-cat.info/A-modest-proposal-for-election-reform.html

  18. Mr Moody says:

    This is corrupted from the start. The Liberal biased academic who reviewed the voting system has obviously never worked in the real-world tech job market. There are many assertions that would take a Mission Impossible strike team to accomplish. Granted it takes the Liberal voting groups that ship in busloads of homeless, unemployed and illegal voters at the promise of a free meal to scream bloody murder when the voting machines show a conservative has won a race somewhere. That’s what started us down this slippery slope.

    On the other hand, it takes a strong set of teams, hardware, software, integration and project management to get a system to production level with a minimum of bugs. It appears that the project management level for this job is too big except for the most experienced and talented managers. The amount of ‘real’ problems found could have been mitigated with better industry foresight and superior project management.

  19. Anonymous says:

    The only question is whether Mr. Moody is a republican or a shill for Diebold or Sequoia or one of them.

    Assuming there’s even a difference.

  20. supercat says:

    Rather than complaining that the machine’s code can be changed by swapping a ROM chip out of a socket, one should push for things to be taken a little further: the machine’s ROM should be on a removable cartridge whose contents may be readily verified using simple equipment. The cartridge should be locked into the machine before the election, and the machine should be sealed with multiple padlocks (one for each interested party).

    Give a representative from each party a $50 memory card verifier (one could profitably design and produce 5,000 such devices for $250,000 including engineering) and a padlock of their own choosing, and code hacking would require making false chips (e.g. the Z80) that could be discovered by some other detection methods. Simple and easy technology.

    No danger of viruses or other such nastiness. Simple hardware and simple verification.
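The check a “memory card verifier” of the kind supercat proposes would perform, and the check that would catch the one-chip ROM swap described in point I of the executive summary, is a hash comparison of the dumped ROM image against a digest published for the certified firmware. The code below is an added, editor-written example and is not from the report, from Sequoia, or from any commenter; the “certified” image, the tampered copy and the machine dumps are all constructed bytes, not real AVC Advantage firmware, and the use of SHA-256 is an assumption about what such a device would compute.

```python
"""
Verify dumped ROM images against a published reference digest and locate any altered
bytes. Added example: the reference image, the tampered copy and the fleet dumps are
constructed; no real voting-machine firmware is involved.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_rom(image: bytes, expected_digest: str) -> bool:
    """True only if the dumped image hashes to the digest published for the certified firmware."""
    return hmac.compare_digest(sha256_hex(image), expected_digest.lower())


def mismatched_ranges(image: bytes, reference: bytes):
    """Return half-open [start, end) byte ranges where image differs from reference, so an
    observer can see where, and how much of, a failed image was altered."""
    if len(image) != len(reference):
        raise ValueError(f"size mismatch: {len(image)} vs {len(reference)} bytes")
    ranges = []
    start = None
    for offset, (a, b) in enumerate(zip(image, reference)):
        if a != b and start is None:
            start = offset
        elif a == b and start is not None:
            ranges.append((start, offset))
            start = None
    if start is not None:
        ranges.append((start, len(image)))
    return ranges


def tampered_copy(reference: bytes, offset: int, patch: bytes) -> bytes:
    """Constructed tampering: overwrite a few bytes at offset (stands in for a swapped chip)."""
    return reference[:offset] + patch + reference[offset + len(patch):]


def classify_fleet(dumps: dict, expected_digest: str):
    """Check every machine's dump; return the ids whose firmware does not match."""
    return sorted(mid for mid, image in dumps.items() if not verify_rom(image, expected_digest))


# Constructed 4 KiB "certified" image with a deterministic byte pattern, and the digest
# the certifying authority would publish for it before the election.
REFERENCE = bytes((i * 7 + 3) & 0xFF for i in range(4096))
REFERENCE_DIGEST = sha256_hex(REFERENCE)

# Constructed dump from a machine whose ROM had three bytes changed at offset 0x100.
TAMPERED = tampered_copy(REFERENCE, 0x100, b"\x00\x01\x02")

# Constructed dumps from three machines (hypothetical machine ids).
FLEET = {"machine-01": REFERENCE, "machine-02": TAMPERED, "machine-03": REFERENCE}

if __name__ == "__main__":
    print("reference ok:", verify_rom(REFERENCE, REFERENCE_DIGEST))
    print("tampered ok: ", verify_rom(TAMPERED, REFERENCE_DIGEST))
    print("altered at:  ", [(hex(s), hex(e)) for s, e in mismatched_ranges(TAMPERED, REFERENCE)])
    print("fleet:       ", classify_fleet(FLEET, REFERENCE_DIGEST))
```

Two caveats follow from the page itself. The check covers only what the verifier can read: it says nothing about a replaced Z80, which the comment above concedes, and nothing about code that reaches the machine at run time through the audio-ballot cartridges described in point II of the executive summary. And the published digest has to reach the observers over a channel the same attacker cannot alter; a digest read off the machine under test proves nothing.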

  21. Dax says:

    Thanks for providing this info. I moved since the last election, and these are the machines I’ll be stuck with next week. Doesn’t make me very happy, but at least I’m prepared.