2007 Technology Tests of Computerized Voting Systems

Below is a partial reproduction of Dr. Hoke’s summary of California’s TTBR:

Election management/tabulation software For all voting systems (“VS”), the system architecture depends on a commercial operating system known to have security vulnerabilities. All vendors failed to secure this system properly. System architecture had not been designed with either basic or sophisticated security protections. All systems failed to follow standard security design principles.  

All systems were susceptible to viruses that could be introduced from a number of vectors, including from voting device memory cards. (Viruses and other rogue programming can, e.g., “flip” votes among candidates, scramble tabulation data, delete voting data, and cause system programming to fail.)  

Viruses could infect the central computer and then be spread to all the voting devices when their memory cards are prepared for the next election.  

System logs of operator activity (“audit logs”) could be overwritten or erased, meaning that insider attackers could manipulate voting data and results, and then erase the logging inventories that would show the access and activity; or, could be used to frame a different employee. 

Systems permitted relatively easy bypassing of passwords, thus permitting broader access than authorized.  

In each VS, many other security holes exist that could compromise the system’s ability to report accurate election results -- or any results.  

Voting Devices  

All systems failed to follow standard security design principles, and lacked even basic security protections. All systems’ devices (DREs and precinct-based optical scanners) were subject to easy, undetectable attacks that could occur during the normal time that a voter would be at a voting machine casting a ballot.  

Some devices permitted the researchers to introduce malicious code onto a voting machine in under a minute, while appearing to be in the process of voting.  

All DRE touchscreen voting units permit a voter to generate and cast multiple ballots during a normal time voting could occur, in ways that would be largely undetectable to poll workers unless they were specially trained and closely supervising the voter’s activity at the unit (voter privacy might still be compromised).  

Some DRE devices permitted the researchers to damage the Voter-Verified Paper Audit Trail (VVPAT) covertly, so the voters could verify that their votes were printed correctly, but after the election the VVPAT could not be read.  

Other DRE devices could be modified to store votes incorrectly, but print them on the VVPAT correctly (for example, a voter’s choice of John Adams results in the VVPAT printing “John Adams” but the DRE stores the vote as a vote for “Thomas Jefferson”).  

Documentation Review  

The NASED “qualification” (certification) of all systems was based on testing lab (“ITA”) studies that were seriously flawed. While the ITA reports varied significantly, generally it was not possible to ascertain whether the lab had conducted the independent tests needed to determine VS satisfaction of FEC 2002 standards.

 1  |  2  |  3  |  4  |  5  |  6  |  7  |  8