April 19, 2014


Seals on NJ voting machines, March 2009

During the NJ voting-machines trial, both Roger Johnston and I showed different ways of removing all the seals from voting machines and putting them back without evidence of tampering. The significance of this is that one can then install fraudulent vote-stealing software in the computer.

The State responded by switching seals yet again, right in the middle of the trial! They replaced the white vinyl adhesive-tape seal with a red tape seal that has an extremely soft and sticky adhesive. In addition, they proposed something really wacky: they would squirt superglue into the blue padlock seal and into the security screw cap.

Nothing better illustrates the State’s “band-aid approach, where serious security vulnerabilities can be covered over with ad hoc fixes” (as Roger characterizes it) than this. The superglue will interfere with the ability for election workers to (legitimately) remove the seal to maintain the machine. The superglue will make it more difficult to detect tampering, because it goes on in such a variable way that the inspector doesn’t know what’s supposed to be “normal.” And the extremely soft adhesive on the tape seal is extremely difficult to clean up, when the election worker (legitimately) removes it to maintain the machine. Of course, one must clean up all the old adhesive before resealing the voting machine.

Furthermore, Roger demonstrated for the Court that all these seals can still be defeated, with or without the superglue. Here’s the judge’s summary of his testimony about all these seals:


New Jersey is proposing to add six different kinds of seals in nine different locations to the voting machines. Johnston testified he has never witnessed this many seals applied to a system. At most, Johnston has seen three seals applied to high-level security applications such as nuclear safeguards. According to Johnston, there is recognition among security professionals that the effective use of a seal requires an extensive use protocol. Thus, it becomes impractical to have a large number of seals installed and inspected. He testified that the use of a large number of seals substantially decreases security, because attention cannot be focused for a very long time on any one of the seals, and it requires a great deal more complexity for these seal-use protocols and for training.

For more details and pictures of these seals, see “Seal Regime #4” in this paper.

Comments

  1. RonK says:

    “The superglue will interfere with the ability for election workers to (legitimately) remove the seal to maintain the machine.”

    As I posted elsewhere here on a dead thread about a proposal to use welds instead of seals: the seals would be superfluous if the machine were designed to not require access to its security-sensitive parts. For example, instead of enabling the easy replacement of the machine’s ROMs, the circuit board should be designed so that the software is flashable over a communications channel, but needs to be digitally signed (by both the company manufacturing the machine and the election officials), and for purposes of auditing, there should be a second non-programmable section of the circuit board whose only purpose is to compute a secure hash of the contents of the flashable memory. All other parts which need to be replaced on a regular basis (e.g., batteries) need to have regulated accessibility (to prevent a DoS attack) without having a secure seal, but the machine has to be designed so that access to them cannot affect the results of the election (tampering with the parts can only temporarily disable the machine, but not affect the vote tally or the machine’s programming).

    None of this, as far as I can see, is impractical to implement. Of course, I’m probably forgetting some vulnerability, which is why the design of such machines needs to be open for public review.
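The design RonK sketches above (dual-signed flashable firmware plus a separate non-programmable section that hashes flash contents), as an added example that is not part of the original post or comment: Go code that accepts a firmware image only when both the manufacturer's and the election officials' Ed25519 signatures verify over the same SHA-256 digest, and an audit check that compares the digest the fixed circuit would report against the approved image. The key pairs, the firmware bytes and the function names are constructed here for illustration, not taken from any real machine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerifyUpdate accepts a firmware image only if BOTH the manufacturer and the
// election officials signed the SHA-256 digest of exactly these bytes, so
// neither party can push software on its own.
func VerifyUpdate(mfgPub, officialPub ed25519.PublicKey, image, mfgSig, officialSig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(mfgPub, digest[:], mfgSig) {
		return errors.New("manufacturer signature missing or invalid")
	}
	if !ed25519.Verify(officialPub, digest[:], officialSig) {
		return errors.New("election officials' signature missing or invalid")
	}
	return nil
}

// AuditHash stands in for the non-programmable circuit: it reports the digest
// of whatever is actually in flash, independent of the updatable firmware.
func AuditHash(flash []byte) []byte {
	d := sha256.Sum256(flash)
	return d[:]
}

// AuditOK is the inspector's check: the digest the fixed circuit reports must
// equal the digest of the image the officials approved.
func AuditOK(flash, approvedImage []byte) bool {
	return bytes.Equal(AuditHash(flash), AuditHash(approvedImage))
}

func main() {
	mfgPub, mfgPriv, _ := ed25519.GenerateKey(rand.Reader)
	offPub, offPriv, _ := ed25519.GenerateKey(rand.Reader)
	img := []byte("constructed firmware image v1") // constructed sample, not real firmware
	d := sha256.Sum256(img)
	mfgSig, offSig := ed25519.Sign(mfgPriv, d[:]), ed25519.Sign(offPriv, d[:])
	fmt.Println("approved:", VerifyUpdate(mfgPub, offPub, img, mfgSig, offSig) == nil, AuditOK(img, img))
	flash := append([]byte{}, img...)
	flash[0] ^= 1 // one bit altered in flash after installation
	fmt.Println("tampered:", VerifyUpdate(mfgPub, offPub, flash, mfgSig, offSig) == nil, AuditOK(flash, img))
}
```

The audit hash is what replaces the seal in this design: an inspector compares a published digest against the one the fixed circuit reports, rather than judging whether a strip of tape looks "normal".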