Home

Issues

Resources

Index

USA

California

Alameda

SF

Systems

Diebold

ES&S

Hart

InkaVote

Sequoia

Open Source

Alternatives

Hart Executive Summary

www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf

"This study evaluates the ability of the Hart voting system to conduct a trustworthy election. The review team was provided access to the Hart source code and election equipment. The reviewers studied these materials in order to identify any security issues that can be exploited to affect an election. As part of that analysis, the reviewers were asked to identify best practices that may limit or neutralize the impact of discovered issues.

Our evaluation suggests that the Hart system lacks the technical protections necessary to guarantee a trustworthy election under operational conditions. The vulnerabilities and features of the system work in concert to provide numerous opportunities to manipulate election outcomes or cast doubt on legitimate election activities. Such vulnerabilities are exploitable under election conditions, and often require minimal physical access to equipment or information. These vulnerabilities are a result of the following failures of the Hart system’s design, implementation, and practices:

• Failure to effectively protect election data integrity

  Virtually every ballot, vote, election result, and audit log is forgeable or otherwise manipulatable by an attacker with even brief access to the voting systems. These vulnerabilities place enormous burdens on physical procedures.

• Failure to eliminate or document unsafe functionality

  There are a number of largely undocumented features in the system that are highly dangerous in a production election system. For example, existing features allow an attacker to remotely "script" DRE voting machines to cast votes as the attacker chooses, to allow a single (or photocopied) voter ballot to be counted many times, and to print prevoted ballots that will be accepted by voting equipment. Note that all of these activities are not attacks per se, but are the apparent intended use of existing Hart system features. These features are available during a live election.

• Failure to protect election from malicious insiders

  The protections in the Hart system that are intended to prevent election officials, poll workers, and vendor representatives from using dangerous features or modifying election data are circumventable. Attackers with access to the system can quickly recover critical system passwords, extract cryptographic keys, and reproduce security hardware. These artifacts are the "keys to the kingdom" that can be used to forge election data and compromise nearly all of the Hart election equipment.

• Failure to provide trustworthy auditing

  The auditing capabilities of the Hart system are limited. Those features that are provided are vulnerable to a broad range of attacks that can corrupt or erase logs of election activities. This severely limits the ability of election officials to detect and diagnose attacks. Moreover, because the auditing features are generally unreliable, recovery from an attack may in practice be enormously difficult or impossible.

One of the critical discoveries in this study is that the full functionality of the Hart system is currently unknown, and in some cases may never be known. We found many functions and system configurations that were not documented and whose purpose was non-obvious. The vast majority of these remain unstudied for lack of reviewer time. Furthermore, certain interfaces - in particular in the election tally software - were designed to be augmented at run time with additional software. Because these interfaces were apparently designed to allow previously unknown software to be introduced into the live system, they represent a source of potential vulnerability.

Our findings are consistent with those of previous studies. The lack of protections leave the system vulnerable. Thus, the security of an election is almost entirely reliant on the physical practices. The technical limitations of its design further show that when those practices are not uniformly followed, it will be difficult to determine if attacks happened and what they were. Even when such attacks are identified, it is unlikely that the resulting damage can be contained and the public’s confidence in the accuracy and fairness of the election restored."

Nobody, and no machine, should be counting American votes in secret.