Home

Issues

Resources

Index

USA

California

Alameda

SF

Systems

Diebold

ES&S

Hart

InkaVote

Sequoia

Open Source

Alternatives

ES&S Executive Summary

www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf

"This part of the EVEREST report evaluates the ability of the ES&S Unity EMS, iVotronic DRE, and M100/M650-based optical scan voting systems to conduct trustworthy elections. The review team was provided access to the ES&S source code and election equipment. The reviewers studied these materials in order to identify security issues that might be exploited to affect an election. As part of that analysis, the reviewers were asked to identify, where possible, practices that limit or neutralize the impact of discovered issues.

Our analysis suggests that the ES&S Unity EMS, iVotronic DRE and M100 optical scan systems lack the fundamental technical controls necessary to guarantee a trustworthy election under operational conditions. Exploitable vulnerabilities allow even persons with limited access - voters and precinct poll workers - to compromise voting machines and precinct results, and, in some cases, to inject and spread software viruses into the central election management system. Such compromises render the election result subject to subtle manipulations - potentially across election cycles. These vulnerabilities arise from several pervasive, critical failures of the ES&S system:

• Failure to protect election data and software

  The firmware and configuration of the ES&S precinct hardware can be easily tampered with in the field. Virtually every piece of critical data at a precinct - including precinct vote tallies, equipment configuration and equipment firmware – can be compromised through exposed interfaces, without knowledge of passwords and without the use of any specialized proprietary hardware.

• Failure to effectively control access to election operations

  Access to administrative and voter functions are protected with ineffective security mechanisms. For example undocumented "quality assurance" hardware tokens that bypass password checks are easily forged using inexpensive commodity devices such as palmtop computers. Central back-end election management software is vulnerable to attacks that exploit coding and design errors and that can be triggered from data sent from the field.

• Failure to correctly implement security mechanisms

  Many of the most serious vulnerabilities in the ES&S system arise from the incorrect use of security technologies such as cryptography. This effectively neutralizes several basic security features, exposing the system and its data to misuse or manipulation.

• Failure to follow standard software and security engineering practices

  A root cause of the security and reliability issues present in the system is the visible lack of sound software and security engineering practices. Examples of poor or unsafe coding practices, unclear or undefined security goals, technology misuse, and poor maintenance are pervasive. This general lack of quality leads to a buggy, unstable, and exploitable system.

We believe the issues reported in this study represent practical threats to ES&S-based elections as they are conducted in Ohio. It may in some cases be possible to construct procedural safeguards that partially mitigate some of the individual vulnerabilities reported here. However, taken as a whole, the security failures in the ES&S system are of a magnitude and depth that, absent a substantial re-engineering of the software itself, renders procedural changes alone unlikely to meaningfully improve security.

Nevertheless, we attempted to identify practical procedural safeguards that might substantially increase the security of the ES&S system in practice. We regret that we ultimately failed to find any such procedures that we could recommend with any degree of confidence.

A particular challenge in securing the iVotronic DRE terminal is the large number of precinct-based attack vectors whose exploitation must be prevented. Effective procedures that accomplish this, even if they existed, would be arduous indeed, and would likely substantially hamper poll workers in their duties, reduce the ability to serve voters efficiently, and greatly increase the logistical challenges of running an election.

The security failings of the ES&S system are severe and pervasive. There are exploitable weaknesses in virtually every election device and software module, and we found practical attacks that can be mounted by almost any participant in an election. For this reason, the team feels strongly that any prudent approach to securing ES&S-based elections must include a substantial re-engineering of the software and firmware architecture to make it "secure by design."

It may be possible to deploy a reduced subset of the ES&S hardware and software that excludes components that present the greatest risks. For example, a system that uses only centrally-counted optical scan hardware eliminates many of the threats of precinct-based attacks. We defer to the expertise of the Ohio election officials to determine whether it is possible to use a version of the ES&S system with reduced functionality in a way that presents an acceptable level of risk to the integrity of their elections."

Nobody, and no machine, should be counting American votes in secret.