Aug. 4 Action: Study Decertification Directives and Thank Secretary Bowen!

Below are the conclusions from Bowen's three source code reports

Our study of the Diebold source code found that the system does not meet the requirements for a security-critical system. It is built upon an inherently fragile design and suffers from implementation flaws that can expose the entire voting system to attacks. These vulnerabilities, if exploited, could jeopardize voter privacy and the integrity of elections. An attack could plausibly be accomplished by a single skilled individual
with temporary access to a single voting machine. The damage could be extensive—malicious code could spread to every voting machine in polling places and to county election servers. Even with a paper trail, malicious code might be able to subtly influence close elections, and it could disrupt elections by causing widespread equipment failure on election day.

We conclude that these problems arose because of a failure to design and build the system with security as a central focus, which led to the inconsistent application of accepted security engineering practices. For this reason, the safest way to repair the Diebold system is to reengineer it so that it is secure by design.

We discussed a number of limited solutions and procedural changes that may improve the security of the system, but we warn that implementing any particular set of technical or procedural safeguards may still be insufficient. Similarly, fixing individual flaws in the system—even all of the issues identified in this report—may not yield a secure voting system because of the possibility that unidentified problems will be exploited. We are also concerned that future updates to the system may introduce new, unknown vulnerabilities or fail to adequately correct known ones. We
urge the state to conduct further studies to determine whether any new or updated voting systems are secure.

SEQUOIA, Pg 82

We found pervasive security weaknesses throughout the Sequoia software. Virtually every important software security mechanism is vulnerable to circumvention. The integrity of elections conducted with the system depends almost entirely on the physical security of the equipment and the procedural controls under
which election operations are conducted.

Whether the software vulnerabilities we describe can be compensated for with procedural and physical security mitigations depends on a range of factors, most of which were beyond the scope of this study. However, we caution that mitigation will place considerable additional pressure on physical security features (such as locks and seals) and human procedures (such as two-person control by poll workers). Many of the physical security features and procedures typically used with the
Sequoia system appear to have been engineered under the assumption that the underlying software is considerably more secure than it actually is, and thus may not provide sufficient protection in light of the vulnerabilities discussed here.

Designing robust, practical, and effective procedures that substantially reduce the risks identified in this report would itself
be a very complex task, requiring a broad range of computer security, physical security, legal, and operational elections expertise. As a starting point, we attempted to identify mitigation strategies for the vulnerabilities we discovered. Unfortunately, we were unable to find practical strategies that reliably prevent exploitation of some of the system’s weaknesses. Fixing some of the problems will require substantial changes to the software and the architecture. In fact, we are not optimistic that acceptable practical and secure mitigation
procedures are even possible for some of the Sequoia system’s components and features, at least in the absence of a comprehensive re-engineering of the system itself.

The problem is compounded by the inter-related nature of many of the vulnerabilities and the relative ease with which certain attacks can be carried out. As the table in Figure 5.2 summarized, even brief exposure of many system components to an attacker can have ramifications beyond the components themselves.

Of particular concern is that virtually every software mechanism related to counting votes is
exposed, directly or indirectly, to compromise through tampering with equipment that is deployed in the field. In many cases, tampering sufficient to cause compromise requires only brief physical access and may leave behind little or no evidence.

We are regrettably unable to suggest with confidence any comprehensive strategy for mitigating the vulnerabilities in the Sequoia system that simultaneously provides a high assurance of security, maintains accessible DRE voting, and substantially incorporates existing hardware and software.

HART, pg 87

Although we had only limited time to review the source code of the system, our review nevertheless uncovered what we believe to be a number of significant security issues. In many cases the Hart system does not incorporate defense-in-depth principles, which may allow individual attacks to be escalated up to much broader attacks.

The Hart software and devices appear to be susceptible to a variety of attacks which would allow an attacker to gain control of some or all of the systems in a county:

• The Hart eScan, eSlate, and JBC devices incorporate an unsecured management capability. We believe that given brief physical access to an eScan, eSlate, or JBC device, an attacker can subvert it and overwrite the existing software with malicious software of his choice.

• These attacks could be mounted by a poll worker or possibly by a voter while in the process of voting. The effects of such an attack are essentially permanent; once malicious software is loaded onto such a device, there is no realistic way to remove it.

• Subversion of single polling place devices can be used to mount a variety of vote forgery and ballot stuffing attacks.

• The mechanisms provided by Hart for detecting device subversion appear to be easy to bypass and therefore system subversion is likely to go undetected.

• The Hart back-end SERVO software contains multiple buffer overflows which appear to be remotely exploitable by a single compromised polling place device. We have exploited one of these in our test environment and used it to install software of our choice on the SERVO machine.

By combining the above attacks, a malicious pollworker could subvert an eScan, through that SERVO, and through SERVO all the machines in the county for the next election. We have tested what we believe to be the essential elements of this attack but not performed an end-to-end test. Furthermore, a malicious voter could subvert a single eSlate, through that SERVO, and through SERVO all the machines in a county for the next election. We have tested some but not all of the elements of this attack.

Beyond direct system compromise, we found that Hart’s management of ballot and vote data is vulnerable to several attacks:

• Hart’s cryptographic key management requires a county-wide symmetric key which is stored on vulnerable field devices. This key can be obtained by an attacker with brief physical access to an eScan or JBC.

• Compromise of this single key would allow an attacker to forge both ballot information and vote results.

• We found multiple avenues for compromising voter privacy, enabling both vote buying/coercion and wholesale information gathering attacks.

This list does not include all the issues discovered during our review and there may be other issues that would be uncovered with further review. We encourage the Secretary of State to undertake such a review.

We stress that due to limited time and access to Hart equipment, we did not attempt to validate all of the above issues. In the body of the report we clearly indicate the validation status of each issue. We encourage the Secretary of State and Hart to attempt such validation.

Some of these issues can be mitigated with stricter polling place procedures. Others may be repaired with minor modifications to Hart’s systems, while yet others may require significant redesign. Providing a complete assessment of mitigation strategies was out of scope of this review, but we encourage the Hart and the Secretary of State to study
these issues.

We have deliberately avoided addressing the broader issue of whether or how this system should be used for voting in California. Making that judgement requires assessing not only the technical issues described in this report but also the procedures and policies with which the system is used.

Top To Bottom Review

To watch the archived video of the July 30, 2007, public hearing on the Top-To-Bottom Review, please click here.
To read the transcript of the hearing, please click here.

Secretary of State Debra Bowen began her top-to-bottom review of the voting machines certified for use in California on May 31, 2007. The review is designed to restore the public's confidence in the integrity of the electoral process and is designed to ensure that California voters are being asked to cast their ballots on machines that are secure, accurate, reliable, and accessible.
Voting Systems Certification

UC Final Reports

The University of California has submitted the reports on the findings from the top-to-bottom review. The red team and source code team reports are separated by voting system. The accessibility report contains findings on all of the voting systems that were reviewed. The document review team submitted their reports on schedule. Their reports will be posted as soon as the Secretary of State ensures the reports do not inadvertently disclose security-sensitive information.

UC Source Code Team Reports:

• Principal Investigator's Statement on Protection of Security-Sensitive Information  (.pdf, 13.9KB)
• Diebold Elections Systems, Inc.  (.pdf, 561KB)
• Hart InterCivic  (.pdf, 573KB)
• Sequoia Voting Systems  (.pdf, 831KB)

UC Red Team Reports:

• Overview by UC Principal Investigator Matt Bishop  (.pdf, 303KB)
• Diebold Elections Systems, Inc.  (.pdf, 498KB)
• Hart InterCivic  (.pdf, 376KB)
• Sequoia Voting Systems  (.pdf, 108KB)

UC Accessibility Report:

• Accessibility Report  (.pdf, 1.07MB)

U.S. ELECTION ASSISTANCE COMMISSION1225 New York Ave. NW Suite 1100Washington, DC 20005

For Immediate Release
August 3, 2007

Contact:
Jeannie Layson
Bryan Whitener
(202) 566-3100

<!-- 1999,1999,FFFF -->EAC Will Post and Distribute State Reports on Voting Systems

WASHINGTON- The United States Election Assistance Commission (EAC) has
<!-- 1999,1999,FFFF -->adopted a policy authorizing staff to post and distribute
voting system reports and studies that have been conducted or commissioned by a state or local government.

"EAC believes it is important to provide a central location for election officials to post reports about their voting systems that can be shared with election officials throughout the nation and the
public," said Chairwoman Donetta Davidson.  "This will provide an opportunity for election officials to share critical information and good ideas.

"As part of our role as the national clearinghouse for election information, EAC will continue to explore ways to share and distribute information about how, where and when we vote."

The new policy is part of the EAC's clearinghouse responsibilities under Section 202 of the Help America Vote Act.  To be considered for posting on the EAC website, a state or local government must submit the report to the EAC chair or executive director and certify that the
report reflects their experience operating voting systems or implementing EAC's voluntary voting systems guidelines.

EAC is also operating the federal government's first voting system certification program. For information on voting system test labs, registered voting system manufacturers, voting systems that have been submitted for testing, test plans, notices of clarification, and other program-related information, click <!-- 1999,1999,FFFF -->here.

EAC is an independent bipartisan commission created by HAVA. It is charged with administering payments to states and developing guidance to meet HAVA requirements, adopting voluntary voting system guidelines, and accrediting voting system test laboratories and certifying voting equipment. EAC also serves as a national clearinghouse and resource of information regarding election
administration. The four EAC commissioners are Donetta Davidson, chair; Rosemary Rodriguez, vice chair; Caroline Hunter; and Gracia Hillman.