December 25, 2024

The trick to defeating tamper-indicating seals

In this post I’ll tell you the trick to defeating physical tamper-evident seals.

When I signed on as an expert witness in the New Jersey voting-machines lawsuit, voting machines in New Jersey used hardly any security seals. The primary issues were in my main areas of expertise: computer science and computer security.

Even so, when the state stuck a bunch of security seals on their voting machines in October 2008, I found that I could easily defeat them. I sent in a supplemental expert report to the Court, explaining how.

Soon after I sent in my report about how to defeat all the State’s new seals, in January 2009 the State told the Court that it was abandoning all those seals, and that it had new seals for the voting machines. As before, I obtained samples of these new seals, and went down to my basement to work on them.

In a day or two, I figured out how to defeat all those new seals.

  • The vinyl tamper-indicating tape can be defeated using packing tape, a razor blade, and (optionally) a heat gun.
  • The blue padlock seal can be defeated with a portable drill and a couple of jigs that I made from scrap metal.
  • The security screw cap can be defeated with a $5 cold chisel and a $10 pair of long-nose pliers, each custom ground on my bench grinder.

For details and pictures, see “Seal Regime #3” in this paper.

The main trick is this: just to know that physical seals are, in general, easy to defeat. Once you know that, then it’s just a matter of thinking about how to do it, and having a pile of samples on which to experiment. In fact, the techniques I describe in my paper are not the only way to defeat these seals, or the best way—not even close. These techniques are what an amateur could come up with. But these seal-defeats were good enough to work just fine when I demonstrated them in the courtroom during my testimony, and they would almost certainly not be detected by the kinds of seal-inspection protocols that most states (including New Jersey) use for election equipment.

(In addition, the commenters on my previous post describe a very simple denial-of-service attack on elections: brazenly cut or peel all the seals in sight. Then what will the election officials do? In principle they should throw out the ballots or data covered by those seals. But then what? “Do-overs” of elections are rare and messy. I suspect the most common action in this case is not even to notice anything wrong; and the second most common is to notice it but say nothing. Nobody wants to rock the boat.)

Seals on NJ voting machines, October-December 2008

In my examination of New Jersey’s voting machines, I found that there were no tamper-indicating seals that prevented fiddling with the vote-counting software—just a plastic strap seal on the vote cartridge. And I was rather skeptical whether slapping seals on the machine would really secure the ROMs containing the software. I remembered Avi Rubin’s observations from a couple of years earlier, that I described in a previous post.

A bit of googling turned up this interesting 1996 article:


Vulnerability Assessment of Security Seals
Roger G. Johnston, Ph.D. and Anthony R.E. Garcia
Los Alamos National Laboratory

… We studied 94 different security seals, both passive and electronic, developed either commercially or by the United States Government. Most of these seals are in wide-spread use, including for critical applications. We learned how to defeat all 94 seals using rapid, inexpensive, low-tech methods.

In my expert report, I cited this scientific article to explain that seals would not be a panacea to solve the problems with the voting machine.

Soon after I delivered this report to the Court, the judge held a hearing in which she asked the defendants (the State of New Jersey) how they intended to secure these voting machines against tampering. A few weeks later, the State explained their new system: more seals.

For the November 2008 election, they slapped on three pieces of tape, a wire seal, and a “security screw cap”, in addition to the plastic strap seal that had already been in use. All these seals are in the general categories described by Johnston and Garcia as easy to defeat using “rapid, inexpensive, low-tech methods”.

Up to this point I knew in theory (by reading Avi Rubin and Roger Johnston) that tamper-indicating seals aren’t very secure, but I hadn’t really tried anything myself.

Here’s what is not so obvious: If you want to study how to lift and replace a seal without breaking it, or how to counterfeit a seal, you can’t practice on the actual voting machine (or other device) in the polling place! You need a few dozen samples of the seal, so that you can try different approaches, to see what works and what doesn’t. Then you need to practice these approaches over and over. So step 1 is to get a big bag of seals.

What I’ve discovered, by whipping out a credit card and trying it, is that the seal vendors are happy to sell you 100 seals, or 1000, or however many you need. They cost about 50 cents apiece, or more, depending on the seal. So I bought some seals. In addition, under Court order we got some samples from the State, but that wasn’t really necessary as all those seals are commercially available, as I found by a few minutes of googling.

The next step was to go down to my basement workshop and start experimenting. After about a day of thinking about the seals and trying things out, I cracked them all.

As I wrote in December 2008, all those seals are easily defeated.

  • The tamper-indicating tape can be lifted using a heat gun and a razor blade, then replaced with no indication of tampering.
  • The security screw cap can be removed using a screwdriver, then the serial-numbered top can be replaced (undamaged) onto a fresh (unnumbered) base.
  • The wire seal can be defeated using a #4 wood screw.
  • The plastic strap seal can be picked using a jeweler’s screwdriver.

For details and pictures, see “Seal Regime #2” in this paper.

Seals on NJ voting machines, 2004-2008

I have just released a new paper entitled “Security seals on voting machines: a case study”, and here I’ll explain how I came to write it.

Like many computer scientists, I became interested in the technology of vote-counting after the technological failure of hanging chads and butterfly ballots in 2000. In 2004 I visited my local polling place to watch the procedures for closing the polls, and I noticed that ballot cartridges were sealed by plastic strap seals like this one:

plastic strap seal

The pollworkers are supposed to write down the serial numbers on the official precinct report, but (as I later found when Ed Felten obtained dozens of these reports through an open-records request), about 50% of the time they forget to do this.

In 2008 when (as the expert witness in a lawsuit) I examined the hardware and software of New Jersey’s voting machines, I found that there were no security seals present that would impede opening the circuit-board cover to replace the vote-counting software. The vote-cartridge seal looks like it would prevent the cover from being opened, but it doesn’t.

There was a place to put a seal on the circuit-board cover, through the hole labeled “DO NOT REMOVE”, but there was no seal there.

Somebody had removed a seal, probably a voting-machine repairman who had to open the cover to replace the batteries, and nobody bothered to install a new one.

The problem with paperless electronic voting machines is that if a crooked political operative has access to install fraudulent software, that software can switch votes from one candidate to another. So, in my report to the Court during the lawsuit, I wrote,


10.6. For a system of tamper-evident seals to provide effective protection, the seals must be consistently installed, they must be truly tamper-evident, and they must be consistently inspected. With respect to the Sequoia AVC Advantage, this means that all five of the following would have to be true. But in fact, not a single one of these is true in practice, as I will explain.

  1. The seals would have to be routinely in place at all times when an attacker might wish to access the Z80 Program ROM; but they are not.
  2. The cartridge should not be removable without leaving evidence of tampering with the seal; but plastic seals can be quickly defeated, as I will explain.
  3. The panel covering the main circuit board should not be removable without removing the [vote-cartridge] seal; but in fact it is removable without disturbing the seal.
  4. If a seal with a different serial number is substituted, written records would have to reliably catch this substitution; but I have found major gaps in these records in New Jersey.
  5. Identical replacement seals (with duplicate serial numbers) should not exist; but the evidence shows that no serious attempt is made to avoid duplication.

Those five criteria are just common sense about what would be required in any effective system for protecting something using tamper-indicating seals. What I found was that (1) the seals aren’t always there; (2) even if they were, you can remove the cartridge without visible evidence of tampering with the seal and (3) you can remove the circuit-board cover without even disturbing the plastic-strap seal; (4) even if that hadn’t been true, the seal-inspection records are quite lackadaisical and incomplete; and (5) even if that weren’t true, since the counties tend to re-use the same serial numbers, the attacker could just obtain fresh seals with the same number!
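Criteria (1), (4) and (5) are about record-keeping rather than about the seal itself, so they can at least be audited mechanically. The following is an added example written for this page, not code from the original post nor a description of any county’s actual procedures: it reads a small seal-custody log and flags the gaps those three criteria describe. The log format, event names (INSTALL, INSPECT, OPEN), machine names and serial numbers are all invented for the illustration.

```python
"""Audit a seal-custody log against the record-keeping criteria above.

Added example, not code from the original post. The log format, event
names, machine names and serial numbers below are all assumptions made
for this illustration. One line per event: "date,machine,event,serial".
  INSTALL  a numbered seal was applied (serial recorded)
  INSPECT  a pollworker or inspector read the serial (may be left blank)
  OPEN     the cover was opened for service; the seal is gone until a
           new INSTALL is recorded
"""
from collections import defaultdict

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2008-10-01,M-101,INSTALL,0447123
2008-10-20,M-101,INSPECT,0447123
2008-11-04,M-101,INSPECT,0447123
2008-10-01,M-102,INSTALL,0447124
2008-10-20,M-102,INSPECT,
2008-11-04,M-102,INSPECT,0447128
2008-10-01,M-103,INSTALL,0447123
2008-10-15,M-103,OPEN,
2008-11-04,M-103,INSPECT,0447123
"""


def parse_log(text):
    """Group events by machine, in date order (stable for same-day events)."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        date, machine, event, serial = line.split(",")
        events[machine].append((date, event, serial.strip()))
    for machine in events:
        events[machine].sort(key=lambda e: e[0])
    return events


def audit(events):
    """Return a list of (machine, date, finding) tuples.

    Criterion 1: a seal must be on record whenever the machine is inspected.
    Criterion 4: every inspection must record a serial, and it must match
                 the serial on record (anything else is a substitution).
    Criterion 5: the same serial must not be installed on two machines.
    """
    findings = []
    installed_on = defaultdict(set)  # serial -> machines it was applied to
    for machine, evs in sorted(events.items()):
        expected = None  # serial currently supposed to be in place
        for date, event, serial in evs:
            if event == "INSTALL":
                if not serial:
                    findings.append((machine, date, "INSTALL without serial"))
                expected = serial or None
                if serial:
                    installed_on[serial].add(machine)
            elif event == "OPEN":
                # Criterion 1: nothing is sealed until someone re-applies a seal.
                expected = None
            elif event == "INSPECT":
                if expected is None:
                    findings.append((machine, date,
                                     "inspection with no seal on record"))
                elif not serial:
                    findings.append((machine, date, "serial not recorded"))
                elif serial != expected:
                    findings.append((machine, date,
                                     f"serial mismatch: read {serial}, "
                                     f"expected {expected}"))
    # Criterion 5: duplicate serial numbers across machines.
    for serial, machines in sorted(installed_on.items()):
        if len(machines) > 1:
            findings.append(("*", "*",
                             f"serial {serial} installed on {sorted(machines)}"))
    return findings


if __name__ == "__main__":
    for machine, date, finding in audit(parse_log(SAMPLE_LOG)):
        print(f"{machine:6} {date:10} {finding}")
```

Note what this check cannot see: criteria (2) and (3), the physical defeats of the seal itself, leave no trace in the records at all, so a clean audit of the log says nothing about whether the seal was lifted and replaced. The audit only catches what the records are capable of revealing, and only if the records were actually filled in.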

Since the time I wrote that, I’ve learned from the seal experts that there’s a lot more to a seal use protocol than these five observations. I’ll write about that in the near future.

But first, I’ll write about the State of New Jersey’s slapdash response to my first examination of their seals. Stay tuned.

Unpeeling the mystique of tamper-indicating seals

As computer scientists have studied the trustworthiness of different voting technologies over the past decade, we have noticed that “security seals” are often used by election officials. It’s natural to wonder whether they really provide any real security, or whether they are just for show. When Professor Avi Rubin volunteered as an election judge (Marylandese for pollworker) in 2006, one of his observations that I found most striking was this:


“For example, I carefully studied the tamper tape that is used to guard the memory cards. In light of Hursti’s report, the security of the memory cards is critical. Well, I am 100% convinced that if the tamper tape had been peeled off and put back on, nobody except a very well trained professional would notice it. The tamper tape has a tiny version of the word “void” appear inside it after it has been removed and replaced, but it is very subtle. In fact, a couple of times, due to issues we had with the machines, the chief judge removed the tamper tape and then put it back. One time, it was to reboot a machine that was hanging when a voter was trying to vote. I looked at the tamper tape that was replaced and couldn’t tell the difference, and then it occurred to me that instead of rebooting, someone could mess with the memory card and replace the tape, and we wouldn’t have noticed. I asked if I could play with the tamper tape a bit, and they let me handle it. I believe I can now, with great effort and concentration, tell the difference between one that has been peeled off and one that has not. But, I did not see the judges using that kind of care every time they opened and closed them. As far as I’m concerned, the tamper tape does very little in the way of actual security, and that will be the case as long as it is used by lay poll workers, as opposed to CIA agents.”

Avi is a first-rate expert in the field of computer security, in part because he’s a good experimentalist—as in, “I asked if I could play with the tamper tape.” To the nonexpert, security seals have a mystique: there’s this device there, perhaps a special tape or perhaps a thing that looks like a little blue plastic padlock. Most of us encounter these devices in a context where we can’t “play with” them, because that would be breaking the rules: on voting machines, on our electric meter, or whatever. Since we don’t play with them, we can’t tell whether they are secure, and the mystique endures. As soon as Avi played with one, he discovered that it’s not all that secure.

In fact, we have a word for a piece of tape that only gives the appearance of working:

band-aid: (2) a temporary way of dealing with a problem that will not really solve it (Macmillan Dictionary)

In the last couple of years I’ve been studying security seals on voting machines in New Jersey. For many decades New Jersey law has required that each voting machine be “sealed with a numbered seal”, just after it is prepared for each election (NJSA 19:48-6). Unfortunately it’s hard for legislators to write into the statutes exactly how well these seals must work. Are tamper-indicating seals used in elections really secure? I’ll address that question in my next few articles.

Paper vs. Electronic Voting in Today's Election in Houston

(Cross-posted at the Computing@Rice blog at the Houston Chronicle.)

Back in late August, Harris County (Houston)’s warehouse, with all 10,000 of our voting machines, burned to the ground. As I blogged at the time, our county decided to spend roughly $14 million of its $40 million insurance settlement on purchasing replacement electronic voting machines of the same type destroyed in the fire, and of the same type that I and my colleagues found to be unacceptably insecure in the 2007 California Top-to-Bottom Report. This emergency purchase was enough to cover our early voting locations and a smattering of extras for Election Day. We borrowed the rest from other counties, completely ignoring the viral security risks that come with this mixing and matching of equipment. (It’s all documented in the California report above. See Section 7.4 on page 77. Three years later, and the vendor has fixed none of these issues.)

Well, the county also spent the money to print optical-scan paper ballots (two sheets of 8.5″ x 17″, printed front and back), and when I went to vote this morning, I found my local elementary school had eight eSlate machines, all borrowed from Travis County (Austin), Texas. They also had exactly one booth set up for paper ballot voting.

After I signed in, the poll worker handed me the four-digit PIN code for using an eSlate before I could even ask to use paper. “I’d like to vote on paper.” “Really? Uh, okay.” Apparently I was only the second person that day to ask for paper and they were in no way making any attempt to give voters the option to vote on paper.

How did it work? They had a table with three blank ballots (each a stack of two sheets of paper), of which I could choose one. Both sheets shared a long serial number on the left column, which appears to serve two functions. First, it allows the two sheets to be kept together (notably, allowing the straight ticket voting option on the first sheet to apply to the second sheet). Also, these serial numbers, by virtue of being large and hopefully random, would act to prevent ballot stuffing (assuming the county kept records of which numbers were valid). Additionally, there was a signature from one of the poll workers at the bottom of the ballot, which I presume to be an additional anti-ballot-stuffing measure.

I was handed a Bic pen and pointed to a rickety standing table with a privacy partition. At the same time, my wife voted on a standard eSlate. I decided to ask a poll worker the question of how a straight ticket on the first sheet would apply to the second sheet. The first poll worker, who was operating the eSlates, said “sorry, I was only trained on the eSlates” and made me wait until the head guy came over. The head guy then proceeded to give me an extended tutorial in the ways of our straight ticket system, requiring me to interrupt him and say, “yeah, but all I want to know is how my tick of the straight ticket box on the first sheet is carried over to the second sheet.” We ultimately concluded that it must be due to the matching serial numbers.

Anyway, despite all this fun and excitement, I still managed to finish my ballot a solid minute faster than my wife. Also, by that time, a queue of maybe six people was waiting to vote while all the eSlates were busy. I asked the poll workers at the sign-in table if they were planning to offer paper ballots to anybody in line and they looked at me as if I was insane. I also mentioned that I finished voting faster than my wife and one poll worker went as far as to say “don’t tell anybody!” as if that might (gasp!) cause people to want to vote on paper.

What’s going on here? I blame our lame-duck election administrator, who has been urging voters to use the eSlate, and doing her best to ignore the paper ballot option that she was compelled to offer as a consequence of the warehouse fire. If there’s no emphasis on paper, from the leadership on top, one could hardly expect poll workers to behave any differently.

What’s happening next?

One way or another, Harris County will have a new elections administrator after our incumbent one retires, and the next one will be responsible for rebuilding our election systems. Curiously, Travis County recently announced that they’re retiring their eSlates after the 2012 election, replacing them with paper ballots that are scanned in the precinct. This gives Harris County the chance to buy their used gear at a fraction of the price of new equipment, should we choose to go that route, or we could instead follow Travis County’s lead and ditch our eSlates entirely (save for keeping one in each precinct for accessibility purposes). Either way, we would save literally millions of dollars, relative to the costs of purchasing new eSlates from scratch, and of course the new paper ballot systems are more secure and (gasp!) faster and easier to use.

Sidebar: Are these paper ballots really private?

The Texas Election Code actually has a requirement that ballots be “numbered”, which I understand is generally taken to mean that there must be mechanisms in place to prevent tampering and ballot stuffing. (You would require a very broad interpretation of that statute in order to have allowed traditional lever voting machines, used widely in Texas prior to 2000, where there is nothing approximating individual ballot numbers in the machine.) The sparse and hopefully unguessable serial numbers on our paper ballots appear to follow the letter of the law as well as offering the ability to have ballots larger than a single sheet of paper. That’s the good news, but let’s consider what it would mean in the case where somebody was attempting to bribe or coerce my vote and they had access to the output of the central ballot scanner, which presumably includes these ballot numbers.

Of course, the poll worker who puts out the blank ballots can track who gets which ballot. Furthermore, I could simply write down my own ballot number. Because these numbers are sparse, and thus hard to guess, somebody bribing or coercing me would have some serious leverage on me if I produced an invalid ballot number. If I sneakily remembered one of the other two ballot numbers from the table, I could present my coercer with one of those numbers instead, but then I would have no knowledge of how (or even if) that other ballot was cast, and could thus get in trouble with my coercer.

How can this coercion risk be mitigated? One simple option is to render the ballot numbers only as barcodes. Very few of us can visually read a barcode, much less the newer two-dimensional barcodes. So long as we ban smartphones or other cameras, we’re in good shape. Concerned voters or auditors, who want to ensure the same number exists on both ballot sheets could hold them up to a bright light, lining them up together, to make sure that they match up.

Oh, and ballots aren’t private with the current eSlate either. See the California report, linked above, “issue 25” on page 58. See also Section 7.1 which starts on page 72.