Ohio finds more vulnerabilities in voting systems
In another indictment of the reliability of electronic voting systems put in place since the 2000 federal elections debacle, a report released Friday shows some Ohio tallies could be rendered inaccurate using tools as simple as a magnet.
The integrity of electronic voting systems has been a key issue in Ohio, where the last two presidential elections have generated considerable controversy, and where many believe the real outcomes remain in doubt. In November 2006, Jennifer Brunner was elected Secretary of State there mostly on the promise of restoring voting integrity to the state.
Last Friday, Sec. Brunner's office released the first comprehensive results of her efforts: a report from multiple independent testers from both the academic and commercial sectors, essentially condemning the integrity and reliability of systems in use in Ohio, notably among them ES&S -- the same brand of systems that was believed to have undercounted Florida votes at this time last year, and that which were found to have been used throughout California even though that state's election officials had already decertified them.
"To put it in everyday terms," read a report from Ohio's Brunner's office last Friday, "the tools needed to compromise an accurate vote count could be as simple as tampering with the paper audit trail connector or using a magnet and a personal digital assistant."
Alluding to the nature of the task itself, last Friday's report was entitled, "Evaluation and Validation of Election Related Equipment, Standards and Testing," or "Project EVEREST" for short (PDF available here). The project's commercial assessment team was the Columbus-based private security consultancy MicroSolved. It conducted multiple "red team" analyses in which each team was provided with a different attacker profile, ranging from casual tampering to semi-knowledgeable tinkering to skilled malicious engineering.
It also performed a "cascading failure analysis," to determine the impact of an integrity failure on one system upon the Ohio election system as a whole.
Of Ohio's 88 counties, 47 use systems from Premier Election Solutions as their primary devices, according to the EVEREST report. The MicroSolved teams were able to determine that Premier devices could be made to reboot themselves in administrative mode, by way of a simple physical attack.
The nature of that attack wasn't revealed in the EVEREST report, though was likely detailed in MicroSolved's several hundred pages of detail -- one possibility could be, dropping the system on the floor.
With admin access, an attacker could have access to any number of unauthorized functions; and conceivably, one would not need to know how those functions worked in order to cause havoc in the system. "Additionally, security protections on the power button and primary memory slot could be 'easily circumvented," cites EVEREST, noting that testers were able to gain access to ballot sorting bins using common lock picking tools.
In one case, the "dumb attacker" profile team was found to have been able to cause havoc in an even more obvious way: There's a tamper seal on Premier systems. Normally, if the seal is found to be broken, state policy may be to declare its results invalid. So if one wanted to disrupt the system, one could break the seal with his thumbnail.
In one extraordinary revelation, an after-market security fix marketed to be used with Premier systems was actually found to provide no security whatsoever.
"The Digital Guardian application is not configured to enforce many of the rules for which it is programmed," reads the EVEREST report. "For example, instead of actually blocking user actions recognized as malicious, Digital Guardian simply alerts the user that the actions have been detected but allows the actions to occur."
ES&S systems are also used throughout Ohio, including optical scanners for paper ballots. The MicroSolved teams were able to penetrate those as well. "First, a simple physical manipulation of the machine could result in it performing its poll closing function," reads EVEREST. "As a result, an unauthorized individual could delete records of votes by zeroing out the vote totals."
One fairly effective hacking tool for some ES&S devices, they found, was one's foot: "Physical battering of a DRE by a voter at the precinct could easily cause the voting machine to have to be rebooted, causing delays and confusion during the voting process."
| A speech released to YouTube last Friday from Ohio Sec. of State Jennifer Brunner, outlining the findings of the EVEREST report and setting some immediate goals for how the State can respond. |
And some devices which use memory cards as storage devices, including ES&S, are particularly susceptible, as Sec. Brunner stated herself in a speech from her office released last week to YouTube:
"Unless specific instructions and training are provided to election officials," she remarked, "there are no safeguards built into the way that the operation of the system is designed. For instance, if a memory card gets too full, votes [will] be erased starting at the beginning of the sequence of votes on the card. In addition, as the machines are calibrated, if they're not calibrated precisely, they can result in difficulties where if a person doesn't press exactly in the right spot, there's a switching of votes in an election."
At this late stage, taking a majority of the state's election systems offline may be impossible. Instead, Sec. Brunner suggests, the state should institute interim measures to use the machines they're currently stuck with in more safeguarded conditions, while they're being replaced with the all-optical paper ballot system she would prefer and on which she campaigned last year.
"The goal of the recommendations that we've made to the legislature has been to isolate the machines from as many risks as possible," she stated. "If you think about a voting system, the people who have access to that system are the voters, the poll workers, the workers at the boards of elections, even Secretary of State employees, the vendors for the voting machine companies, and their contractors...In looking at the risks that are there, our goal is to minimize the risks -- we can't eliminate all risks -- but to put the machines in a place where they will be safe, secure, worked with by Board of Election officials which we will take the responsibility to well train, and allow the voters then to have the peace of mind that they can still vote easily, but that their votes will be counted in a secure fashion, and they can trust the results."
Sec. Brunner's recommendations will be added to a sweeping proposal for consideration by the Ohio legislature, which would include creating election weeks for as long as six days at a time, where state-run centers would be open from 7:00 a.m. to 7:00 p.m. Monday through Saturday. Those centers would also be staffed by guards -- perhaps the types of guards Ohio could hire for the week, but not for just a day, and the types of guards who could use some battering equipment of their own to dispel tampering.
An op-ed piece in this morning's Columbus Dispatch asked Ohioans to refrain from interpreting the EVEREST conclusions as an indictment of existing elections' results. "[Sec.] Brunner was right to order the research," the Dispatch stated, "but the unfortunate consequence of the study is that conspiracy theorists will renew their claims that Ohio's elections are inherently untrustworthy. That's simply not the case."