Local election systems may be vulnerable to hackers James Faulk/The Times-Standard Article Launched: 07/28/2007 04:21:31 AM PDT EUREKA -- A team of University of California computer scientists were able to hack into several voting systems used by California counties, including the two systems currently used in Humboldt County, the secretary of state announced Friday.I don't know that Faulk could have written a more straight up or accurate intro to this story. It makes it clear that hackers ARE able to hack into Humboldt voting systems. Then why does the headline say merely that the machines MAY be vulnerable to hackers? The second comment I have about this article pertains to the last two paragraphs:
Humboldt County Registrar of Voters Carolyn Crnich said it's unclear under what conditions the tests were prepared. "It's my understanding that the red team attacks that were made during the top-to-bottom review did not take into consideration the security efforts or guidelines that had been added by former Secretary of State Bruce McPherson -- so whether or not the systems could be penetrated with those other security guidelines in place, I don't know," Crnich said.As I noted in the comments on the T-S website, the introduction of this report dismisses the Registrar's dodge:
In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire is not an acceptable option for any system that can't afford to have its security compromised. Our study examined what a dedicated attacker could accomplish with all possible kinds of access.Quoting myself from the T-S site...The greatest threat to our election systems comes not from an individual voter, but rather from insiders at the elections department or working for the machine vendor (Diebold). These are the people with the greatest access to these exploits who can secretly make large scale changes that will never be detected...I go on to say some other things but that's the gist for this post. Now, the next article to land will be in Tuesday's Eureka Reporter. The story has been online for maybe an hour now. It is kind of strange. There is no byline and I'm the only person quoted other than a Bowen press release. The headline is: "Audit standards review group releases report." This refers to yet another component of Bowen's Top To Bottom Review (TTBR). Check out the 38-page report as a .pdf here. This article is comprised almost entirely of excerpts from the report and then concludes with quotes from me. I believe the person who called me said her name was Laura. She sounded young and a little uncertain. She told me former elections beat writer Rebecca S. Bender had left the paper as of Friday last week. I knew about this because a few months ago at an Election Advisory Committee meeting, David Cobb inadvertently "outed" Rebecca's planned departure before she really wanted people to know. I had no reason to mention it until now but I do wish her well. So anyway, Laura asked for a comment on this new standards review report that came out today. I declined to comment since I hadn't read it. She then asked about the other related reports and we had a more general conversation about what is happening. Here's what she used:
Though he had not yet seen the report, Dave Berman, one of the founding members of the local Voter Confidence Committee, said he is aware that other studies have been conducted recently regarding the voting process in California, and said he looks forward to Bowen's announcement on Friday as to what action she plans to take. Berman said the Voter Confidence Committee promotes the idea of handcounting 100 percent of the ballots the first time around and recounting 10 percent for the audit. He said simply increasing the percentage recounted in the audit is like "putting a Band-Aid on a gunshot wound" when the first count is performed by machines.It seemed out of place at the end of this article but then I'm not sure I've ever had a better quote! Hank Sims from The Journal and also KHUM called me today too, presumably for his Town Dandy column due out on Wednesday. We actually spoke twice, and in between he spoke with Registrar Crnich. That made our second chat very interesting. During that time he also got to look at something I am now making public for the first time. This is a spreadsheet that allows you to enter different variables, such as how many precincts are in your county and the average number of ballots cast per precinct. All together, the numbers you enter will then estimate how many ballot counters you need and what it will cost to pay them to do an all hand-count election. The Voter Confidence Committee will be incorporating this great new tool into the next iteration of our Report on Election Conditions in Humboldt County, CA. I don't know when that will happen. Meanwhile, election integrity advocates working for HCPB anywhere will find this tool useful. We all owe a debt of gratitude to Nancy Tobi and Democracy For New Hampshire. It is their recent presentation that provided me with the formula for creating the calculator. I have a feeling that after I've heard from a few people about the calculator I'll probably want to make it the centerpiece of another post instead of burying this announcement 80,000 paragraphs under the sea. At any rate, back to Hank Sims. He asked me if I felt vindicated by these new reports. I told him I would not use that word. It suggests I had previously been thought wrong but now stand affirmed. The truth is that the findings of Bowen's TTBR explicitly state that previous exploits were again confirmed. Anybody coming around to these findings of fact really can't plausibly exlplain previously thinking otherwise. Sims informed me that Registrar Crnich took a position with him that was similar to the one she took in the T-S piece above. Having already addressed this once, I realized it wasn't just sounding familiar from the Registrar. Moments before I got the first Sims call, I was looking at a document I had just received from the indefatigable Tom Courbat of Sav-R-Vote in Riverside County, CA. Click here for "the corporate line" by Sequoia, attempting to explain away all the findings of Bowen's Red Team members. I never did finish reading it, but its "those aren't the droids you're looking for" tone pretty much parallel what our Registrar was trying to pull off. Plain and simple: there is no way to spin these reports to make the machines look good. Their time has passed. We've reached a tipping point of public consciousness where secret vote counting machines are completely unacceptable and public officials who continue to defend them do so at the risk of their own credibility. Finally, as promised at the beginning of this marathon post, here are excerpts from Bowen's Red Team report on Hart Intercivic. These first two passages are identical to wording in the Diebold report. There are several other passages in common.
page 1 In developing our attacks, we made no assumptions about constraints on the attackers. "Security through obscurity" or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or of using tools that are perceived to be difficult to acquire is not an acceptable option for any system that can't afford to have its security compromised Our study examined what a dedicated attacker could accomplish with all possible kinds of access. p.10 Our study was constrained by the short time allowed. The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities. (emphasis in original) p.11 The Red Team, working in close conjunction with the 2007 TTBR Hart Source Code Team, discovered that the Hart EMS software implicitly trusts all communication coming from devices appearing to be Hart-branded and neither authenticates the devices nor performs adequate input validation on data transmitted to it by the devices. This allows for the possibility that a compromised device, such as an eScan that had been tampered with at a polling station, could infect the EMS systems. In particular, the Source Code Team discovered a weakness in the code that would allow an eScan to perform a buffer overflow attack and execute arbitrary code on the computer running SERVO. ... The team was also able to access device-level menus that should be locked with passwords but were not. This access could allow an attacker a vector for altering configuration settings and/or executing a denial of service on the eScan. Some of the findings from previous studies on precinct count optical scanners were replicated on the eScan, and they allowed the Red Team to maliciously alter vote totals with the potential to affect the outcome of an election. These attacks were low-tech and required tools that could be found in a typical office. The Red Team implemented an attack devised by the 2007 TTBR Hart Source Code Team that was able to extract election-sensitive information from the eScan and issue administrative commands to the eScan. The leaked information would allow an attacker the ability to execute further attacks, while administrative commands issued to the eScan could erase electronic vote totals and audit records from an eScan while putting it out of service for the remainder of the Election Day. For more details on these attacks, please see the 2007 TTBR Hart Source Code Team report. 3. JBC The Red Team verified previous findings on the JBC regarding access code generation and also discovered that a surreptitious device could issue commands that caused the JBC to authorize access codes. If the JBC is in early voting mode, it will not print receipts for the access codes issued. If the JBC is in regular election mode, it prints a receipt each time an access code is issued. When in early voting mode, an attacker could attach the surreptitious device to the JBC. (Note: the surreptitious device is easily concealable in one hand.) After waiting for about a minute, while all possible access codes are issued, the attacker could then proceed to cast multiple ballots using any access codes. Additionally, the team expanded on previous findings that the MBB in the JBC is vulnerable to tampering during an election. Extracting the MBB from within the JBC during an election and tampering with it without detection would probably require poll worker access, but the team was able to prove that this access would be sufficient to alter vote totals and in such a manner that it would not be detected in the course of normal operation, though a very thorough audit might reveal it. Furthermore, the team found that post-election MBB tampering safeguards (by which we mean only the technological safeguards, not procedural safeguards such as the use of tamper-evident seals) are insufficient to guarantee that such tampering would be detected. Thus, the team is confident that post-election MBB tampering would succeed in many, if not all, instances. Finally, the Red Team collaborated with the 2007 TTBR Hart Source Code Team to decode the protocol used for communication between the JBC and eSlates. This protocol does not authenticate the devices on the bus (the communication line), so all communication is considered trusted. The teams were able to intercept the communication, but they were unable to get an exploit working to interrupt or manipulate the communication; this, again, was due to time constraints. Full details of this work can be found in the 2007 TTBR Hart Source Code Team report. The teams are confident that, given more time, they could craft a device that could maliciously alter vote totals and violate voter privacy. p.14 IV. Successful Attack Scenarios The following attack scenarios were successfully carried out in the laboratory environment of the Secretary of State's testing facility. 1. Attack Scenario 1 In this scenario, a malicious voter prepares a surreptitious device and brings it with her to the polling station during early voting. She registers as usual and is issued an access code. Before she leaves the registration table, however, she quickly connects her device to the JBC and converses with the poll workers for a brief time-thirty to forty seconds should suffice. She proceeds to an eSlate and casts a ballot normally. She then enters arbitrary access codes and casts ballots at will, continuing to do this for as long as she suspects she will be unchallenged in the voting booth, casting an arbitrary number of ballots. This results in an electronic ballot box stuffing attack. In an early voting situation, when the JBC doesn't print out a ballot access receipt each time an access code is issued, the Polls Suspended Report (automatically printed by the JBC) will indicate an unusually large number of access codes issued and more ballots cast than voters who checked in at the registration desk when polling concludes. In regular election mode, this problem would likely be detected much sooner, since the JBC is designed to print a ballot access receipt each time an access code is issued by the machine. 2. Attack Scenario 2 In this scenario, a malicious poll worker finds an opportunity after the close of polls to alter the contents of the MBB using his personal laptop. The attacker identifies ballots containing votes for a candidate he doesn't want to win the election and overwrites those ballots with records containing votes for a candidate he does want to be successful. After tampering with the MBB, the attacker replaces it in the expected chain of custody. The technological safeguards for detecting this tampering are insufficient and can, by default, go unobserved. This results in altered vote totals that can only be detected in the event of a manual recount of eSlate VVPAT records. 3. Attack Scenario 3 In this scenario, a malicious observer uses a remote device to capture the audio narration including the narration associated with a voter's actual voted ballot from an eSlate with audio capabilities. She is able to observe voters walking up to the eSlate and match them to the audio narration she is capturing, allowing her to violate a voter's right to privacy by linking voters to their vote selections. ... p. 16 VI. Conclusions Although the Red Team did not have time to finish exploits for all of the vulnerabilities we discovered, nor to provide a complete evaluation of the Hart voting system (System 6.2.1), we were able to discover attacks for the Hart system that could compromise the accuracy, secrecy, and availability of the voting systems and their auditing mechanisms. That is, the Red Team has developed exploits that absent procedural mitigation strategies can alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails.