CA Voting Systems: Overview of Red Team Reports

Overview of Red Team Reports

Matt Bishop, Principal Investigator, University of California, Davis

1.0. Executive Summary

The California Secretary of State entered into a contract with the University of California to test the security of three electronic voting systems as part of her top to bottom review. Each “red team” was to try to compromise the accuracy, security, and integrity of the voting systems without making assumptions about compensating controls or procedural mitigation measures that vendors, the Secretary of State, or individual counties may have adopted. The red teams demonstrated that, under these conditions, the technology and security of all three systems could be compromised.

[Continued below]

Links to TTBR Overview, Red Team Reports, News Accounts


Voting System Review, main page, CA Secretary of State website

Read the full 12-page Red Team Overview

Red Team reports on each vendor system reviewed (download links)

News accounts of the CA Voting System Top to Bottom Review ("TTBR"): TTBR News Stories

[Overview, continued]


2.0 Goals

In May 2007, the California Secretary of State began a study of all electronic voting systems currently certified in California. This “top to bottom review” (TTBR) was to determine whether the systems currently certified should be left alone, whether specific procedures should be required to provide additional protections for their use, or whether the machines should simply be decertified and banned from use.

As part of this study, the Secretary contracted with the University of California to conduct a “red team” review of the systems. The specific goal of the Red Team study was “to identify and document vulnerabilities, if any, to tampering or error that could cause incorrect recording, tabulation, tallying or reporting of votes or that could alter critical election data such as election definition or system audit data.” ([1], p. 5).

A red team study, also called a penetration study, examines a system from the point of view of an attacker, and analyzes the system to determine how secure it is against an attack. Such a study requires establishing several parameters:

• The specific goals of the system: what is it to do?
• The threat model: with whom or what are the testers concerned?
• The information to be made available to the testers: how much do they know at the start?
• The environment in which the system is used: what policies and procedures are to be applied?
• The specific “rules of engagement”: what are the team members allowed to do?

For this TTBR, the specific goals of each system are to record, tabulate, tally, and report votes correctly and to prevent critical election data and system audit data from being altered without authorization. The threats were taken to be both insiders (those with complete knowledge of the system and various degrees of access to the system) and outsiders (those with limited access to the systems). As a result, all information available to the Secretary of State was made available to the testers.

The testers were told to assume that the environments in which the systems were used would vary, and that the testers could do whatever they thought necessary to test the machines. The testers therefore assumed the attackers would include anyone coming in contact with the voting systems at some point in the process – voters, poll workers, election officials, vendor employees, and others with varying degrees of access [18].

In developing attack scenarios, the red teams made no assumptions about constraints on the attackers. We recommend that future red teams adopt a similar attitude. The testers did not evaluate the likelihood of any attack being feasible. Instead, they described the conditions necessary for an attacker to succeed. This approach had several benefits:

• The testers could focus on the technology rather than on the policies, procedures, and laws intended to compensate for any technological shortcomings.

• In California, the specific procedures for controlling access to the election systems and for setting up, using, and storing the election systems are a local matter. As there are 58 different counties, there are at least 58 different sets of procedures. It was impractical for the red team testers to evaluate them.

• If a problem is discovered, the people who know the law and election policies and procedures can modify their policies and procedures appropriately to attempt to address the problem.

• Finally, the effectiveness of the policies and procedures used to control and protect the election systems depends on their implementation. Policies and procedures that look effective on paper may be implemented poorly, rendering them ineffective. It was impractical to evaluate this aspect of the policies and procedures.

Therefore, the results of this study must be evaluated in light of the context in which these election systems are used. This emphasizes a key point often overlooked in the discussion of the benefits and drawbacks of electronic voting systems: those systems are part of a process, the election process; and the key question is whether the election process, taken as a whole, meets the requirements of an election as defined by the body politic.

The participants in this study hope our work contributes in some measure to answering that question. . . . [Continued]

Attachments:
• CA_VS_RedTeam_Overview.pdf (303.08 KB)
• CA_TTBR_accessibility_review.pdf (1.08 MB)