California Revokes Four Voting Machine Certifications

Following last week's report by University of California, Davis engineers on the integrity -- or lack thereof -- of electronic voting machines used in statewide elections, the California Secretary of State late last week revoked the approval of systems from Diebold, Hart InterCivic, Sequoia, and Elections Systems and Software, Inc. Manufacturers now each have 30 days to come up with a plan for how they intend to harden their systems' internal configuration security, and 45 days for a network security hardening plan, before their systems can be submitted for re-approval for use in next February's presidential primary.

Among the findings Sec. of State Debra Bowen cited in her proclamations this morning was this: "The Diebold Red Team members [from UC Davis], with access only to the Windows operating system on the Diebold GEMS election management server supplied to Diebold and without requiring access to Diebold source code, were able to access the Diebold voting system server software and to corrupt the election management system database, which could result in manipulated voter totals or the inability to read election results, rendering an election impossible to complete electronically."

Officially dis-approved and uncertified for use in next year's primaries were the Diebold/AccuVote TS system to which Sec. Bowen referred above, plus the Hart InterCivic system 6.2.1 (the manufacturer voluntarily withdrew version 6.1) and a Sequoia WinEDS system that Bowen mentioned was found to contain "a shell-like scripting language in the firmware of the Edge direct recording electronic voting machine that could be coerced into performing malicious actions, in apparent violation of 2002 Voting System Standards that prohibit 'self-modifying, dynamically loaded or interpreted code."' One of its shell commands easily reset the machine's protective vote counter.

Bowen revoked the certification for the ES&S InkaVote Plus system after its manufacturer only complied with requests to participate in the testing program just five days prior to the release of test results during last week's public hearing. ES&S won't get a chance to resubmit.

Responding to this morning's decision, Diebold Election Systems (DESI) President Dave Byrd took issue with the way the testing was conducted. "Secretary Bowen's top-to-bottom review was designed to ignore security procedures and protocols that are used during every election," Byrd said. "Her team of hackers was given unfettered access to the equipment, the source code, and all other information on security features provided by DESI to the Secretary of State's office. And she refused to include in the review the current version of DESI's touch screen software with enhanced security features."

Byrd's characterization of UC Davis' researchers lends credence to the argument that manufacturers didn't feel obliged to cooperate with the research effort, on the basis that manufacturers would not be obliged or expected to cooperate with real malicious users to the same extent. However, California's refusal not to test the latest version of Diebold's software has to do with the fact that the state has not yet certified that version, and chose to only test machines already certified.

Sequoia Voting Systems issued a similar statement: "The California Top-to-Bottom Review was not a security risk evaluation but an unrealistic worst case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the voting machines and software over several weeks. This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation's democracy that Sequoia's customers - and election officials everywhere - carry out every day in their very important jobs of conducting elections in California and throughout the United States."

Last week, in an attempt to pre-empt possible criticism, UC Davis principal investigator Matt Bishop defended the methodology used by his and one other "Red Team." "The threats were taken to be both insiders (those with complete knowledge of the system and various degrees of access to the system) and outsiders (those with limited access to the systems)," Bishop wrote.

"As a result, all information available to the Secretary of State was made available to the testers. The testers were told to assume that the environments in which the systems were used would vary, and that the testers could do whatever they thought necessary to test the machines. The testers therefore assumed the attackers would include anyone coming in contact with the voting systems at some point in the process - voters, poll workers, election officials, vendor employees, and others with varying degrees of access."

Bishop added that his teams chose not to presume that hackers on the outside wouldn't know or be able to ascertain everything they could about the technology they were working to compromise. This way, he said, the teams could concentrate on the integrity of the technology rather than the mindsets of hackers or the efficacy of manufacturers' policies.

But criticism of the Red Teams' methods has not been restricted to outside of state government. In a statement prior to last week's public hearing, the president of the California Association of Clerks and Election Officials, Steve Weir, expressed his regret that researchers didn't appear to be conducting searches for malicious code that may have already found their way inside voting machines.

"I am sorry to say that I find the approach of the so-called Top-to-Bottom Review to be more to do with headlines than with definitive science or the pursuit of legitimate public policy," Weir wrote. "We have been told that no malicious code was found during the source code examination. Unfortunately, while this issue is a matter of public debate nationwide, no such comprehensive review was even attempted. If true, this is a tragic missed opportunity and a public policy blunder."

Despite that pronouncement, Sec. Bowen's proclamations state, "The expert reviewers reported that all of the voting systems studied contain serious design flaws that have led directly to specific vulnerabilities, which attackers could exploit to affect election outcomes."