By Kim Zetter
December 17, 2007
A new study (PDF) on the security of voting machines was released in Ohio on Friday. The report, one of the most comprehensive and informative that I've seen yet, contains some pretty astounding information about the security of voting machines that hasn't been revealed before. Unfortunately, the report isn't receiving the kind of attention it deserves.
It's the first independent study to examine machines made by Election Systems & Software, the largest voting machine company in the country; the company's machines are used in 43 states. (A similar study of voting systems done in California earlier this year did not examine ES&S machines.)
What the researchers discovered is pretty significant.
They found that the ES&S tabulation system and the voting machine firmware were rife with basic buffer overflow vulnerabilities that would allow an attacker to easily take control of the systems and "exercise complete control over the results reported by the entire county election system."
They also found serious security vulnerabilities involving the magnetically switched bidirectional infrared (IrDA) port on the front of the machines and the memory devices that are used to communicate with the machine through the port. With nothing more than a magnet and an infrared-enabled Palm Pilot or cell phone they could easily read and alter a memory device that is used to perform important functions on the ES&S iVotronic touch-screen machine, such as loading the ballot definition file and programming the machine to allow a voter to cast a ballot. They could also use a Palm Pilot to emulate the memory device and hack a voting machine through the infrared port (see the picture above right).
They found that a voter or poll worker with a Palm Pilot and no more than a minute's access to a voting machine could surreptitiously re-calibrate the touch-screen so that it would prevent voters from voting for specific candidates or cause the machine to secretly record a voter's vote for a different candidate than the one the voter chose. Access to the screen calibration function requires no password, and the attacker's actions, the researchers say, would be indistinguishable from the normal behavior of a voter in front of a machine or of a pollworker starting up a machine in the morning.
The attack they describe is significant because the researchers' description of how an intentionally miscalibrated machine would function (that is, prevent a voter from voting for a certain candidate) is precisely how some voters described the ES&S machines were acting in a controversial Florida election last year.
In November 2006 in Sarasota, Florida, more than 18,000 ballots recorded no votes cast in the 13th congressional race between Democrat Christine Jennings and Republican Vern Buchanan. Election officials say that voters intentionally left the race blank or failed to see the race on the ballot. But hundreds of voters complained during the election and afterward that the machines had been malfunctioning. Some said the machines simply failed to respond to their touch in that race; the rest of the ballot, they reported, was fine. Others said that the machines appeared to initially respond to their selection of Christine Jennings, but then showed no vote cast in that race when they reached the review screen at the end of the ballot. Jennings lost to Buchanan by fewer than 400 votes. The race is under investigation by Congress and the Government Accountability Office.
[Earlier this year I did a FOIA request for records documenting the complaints that voters made about the machines on election day in Sarasota and put together a spreadsheet that you can view here. The third column from the left, marked "Problem," describes the nature of each complaint that came in.]
The Ohio researchers' findings raise new and interesting questions about that race. Indeed, the researchers themselves note that their description of how an intentionally miscalibrated ES&S machine might function, or malfunction, is consistent with how iVotronics have apparently acted in some elections (they don't mention the Florida race by name, but they likely had Sarasota in mind when they wrote this).
ES&S isn't singled out in the report. The researchers, among them computer scientist Matt Blaze, examined source code and hardware of touch-screen and optical scan machines from two other vendors as well: Premier (formerly known as Diebold) and Hart InterCivic. They found vulnerabilities in the various systems that would allow voters and pollworkers to place multiple votes on machines, to infect machines with a virus and to corrupt already cast votes.
But one of the most worrisome flaws in my mind involves that infrared port on the front of ES&S touch-screen machines because it doesn't require anyone to open a machine to hack it. (The Premier/Diebold machine also has an infrared port on it, but the report doesn't discuss it, and the Ohio researchers weren't available to answer my questions.)
The problem concerns the PEB (personalized electronic ballot) interface used for preparing ES&S's iVotronic touch-screen machines for an election. The PEB is the external memory device that I mentioned above that is used to communicate with the iVotronic machine through the infrared port. PEBs are used by election administrators to load the ballot definition file and basic configurations onto the machine before the machines are deployed to polling sites. They are also used by poll workers to launch the machines on the morning of an election, to instruct the machine to pull up a ballot for each voter and allow the voter to cast just one ballot, and to close the terminal and collect the vote totals at the end of the election.
The researchers found that access to the PEB memory itself is not protected by encryption or passwords, although some of the data stored on the PEB is encrypted (using Bruce Schneier's Blowfish cipher; note to Bruce to add the ES&S machine to your Blowfish products page). Nonetheless, the researchers were able to read and alter the contents of a PEB using a Palm Pilot as well as substitute the Pilot for the PEB. It's worth reading the section about this from page 51 of the report:
Anyone with physical access to polling station PEBs can easily extract or alter their memory. This requires only a small magnet and a conventional IrDA-based palmtop computer (exactly the same kind of readily-available hardware that can be used to emulate a PEB to an iVotronic terminal). Because PEBs themselves enforce no passwords or access control features, physical contact with a PEB (or sufficient proximity to activate its magnetic switch and IR window) is sufficient to allow reading or writing of its memory.
The ease of reading and altering PEB memory facilitates a number of powerful attacks against a precinct’s results and even against county-wide results. An attacker who extracts the correct EQC, cryptographic key, and ballot definition can perform any election function on a corresponding iVotronic terminal, including enabling voting, closing the terminal, loading firmware, and so on. An attacker who has access to a precinct’s main PEB when the polls are being closed can alter the precinct’s reported vote tallies, and, as noted in Section 6.3, can inject code that takes control over the county-wide back-end system (and that thus affects the results reported for all of a county’s precincts).
Elsewhere on the same page, they write:
Many of the more sensitive iVotronic administrative functions (closing the polls, clearing the terminal, etc) require the entry of passwords in addition to the insertion of a supervisor PEB. However, there is a special Quality Assurance (QA) PEB type recognized by the iVotronic firmware that behaves essentially as a supervisor PEB but that, when used, does not require the entry of any passwords. This PEB type does not appear to have been described or documented in any of the ES&S manuals or training materials provided to our review.
This undocumented PEB feature can be used to neutralize the security of any iVotronic administration features that depend on passwords, no matter how carefully passwords are managed by a county. Anyone with such a PEB, whether it was supplied by ES&S, stolen, or emulated with a palmtop computer, effectively has a “back door” that bypasses this basic security check. As noted above, a simple Palm Pilot-type device can be programmed to emulate a PEB. QA PEBs are no more difficult to emulate than regular supervisor PEBs; they are similar to supervisor PEBs but with a single character changed in the communication protocol.
Note that while the QA PEB bypasses password checks, there is another iVotronic security feature required for access to some (but not all) administrative functions. For these functions, a PEB must be configured with the correct Election Qualification Code (EQC) (a 32 bit random number assigned for each election). However, as noted in the next section, precinct poll workers (and others with brief access to the poll worker equipment) can easily extract this code from the precinct’s supervisor PEB using a palmtop computer.
The report is fascinating for the level of detail it provides about the machines. I highly recommend reading it. You'll find it here.