Computer Science 654
Lecture 7: Electronic Voting Security Issues
Wayne Patterson
Professor of Computer Science
Howard University
Spring 2009
Automated and e-Voting
• Automated voting systems have been in existence for over a century
• Only came into public use in the 1980s
• An electronic voting (or e-voting) system is a voting system in which the election data is recorded, stored and processed primarily as digital information.
Hanging Chads and Funny Ballots
• In the United States, interest in electronic voting rose after the fiasco of the 2000 presidential election in Florida, with confusing ballots and “hanging chads”.
Other Country Examples of Electronic Voting
• Australia
  • In October of 2001 electronic voting was used for the first time in an Australian parliamentary election (8.3%).
• Belgium
  • Started in 1991. It has been widely used since 1999.
• Brazil
  • Since 2000, all Brazilian elections have been fully electronic.
• Canada
  • Used since at least the 1990s at the municipal level in many cities.
• Estonia
  • First country to have legally binding general elections using the Internet – 2005.
• France
  • Remote Internet voting for the first time in 2003, when French citizens living in the United States elected their representatives to the Assembly of the French Citizens Abroad.
• Germany
  • About 2000 Nedap machines were used in the 2005 Bundestag elections, covering approximately 2 million voters.
• India
  • Electronic voting in India was first introduced in 1989 and used on an experimental basis.
Other Country Examples of Electronic Voting
• Ireland
  • Nedap machines were used on a 'pilot' basis in some constituencies in two elections in 2002. Due to campaigning, the machines have not been used since.
• Italy
  • Experimented in the 2006 elections with electronic voting machines from Nedap.
• Netherlands
  • Since the late nineties, voting machines have been used extensively during elections.
• Norway
  • Carried out pilots in three municipalities at local elections in 2003 on voting machines in the polling stations using touch screens.
• Romania
  • First implemented electronic voting systems in 2003, on a limited basis, to extend voting capabilities to soldiers.
• Switzerland
  • Several cantons (Geneva, Neuchâtel and Zürich) have developed Internet voting test projects to allow citizens to vote via the Internet or by SMS.
• United Kingdom
  • Voting pilots have taken place since 2000 in England, and in Scotland, scanners will be used to electronically count paper ballots in the Scottish Parliament general election in 2007.
Machine Manufacturers
• AccuPoll/Unisys
• Advanced Voting Solutions
• Avante
• Diebold (US)
• Danaher Corporation (Guardian Voting Systems)
• Election Systems and Software (ES&S) (US)
• Hart Intercivic (US)
• Inkavote (EDS)
• Liberty/NEDAP
• Powervote
• Microvote
• Populex
• Sequoia/Smartmatic
• Unilect
• VoteHere (Dategrity)
• Vote-PAD
[Images: ES&S iVotronic; Sequoia]
The Rubin/Johns Hopkins Attack on Diebold
• May 2004 IEEE Symposium on Privacy and Security
• Analysis of the source code
• “Far below even the most minimal security standards applicable in other contexts.”
  • Unauthorized privilege escalation
  • Incorrect use of cryptography
  • Vulnerabilities to network threats
  • Poor software development processes
  • No “voter-verified audit trail”
• KEY MANAGEMENT. All of the data on a storage device is encrypted using a single, hardcoded DES key:
    #define DESKEY ((des_key*)"F2654hD4")
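Added example (not from the lecture or the Johns Hopkins report): a source-audit check that flags the pattern in the DESKEY line above, a string literal bound to a key-named macro or cast to a key type. Only the DESKEY define is quoted from the slide; the other sample lines, the regexes and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample source. Only the DESKEY define is quoted from the slide;
# every other line, and names such as keystore_get, are made up for the demo.
SAMPLE_C = "\n".join([
    '#include "des.h"',
    '#define DESKEY ((des_key*)"F2654hD4")',
    '#define APP_TITLE "Demo"',
    '// #define OLDKEY "AAAAAAAA"',
    'void save(rec *r) { encrypt(r, (des_key*)"F2654hD4"); }',
    'void load(rec *r) { decrypt(r, keystore_get(dev_id)); }',
])

KEYISH = re.compile(r"key|secret|passw", re.I)
DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)(.*)$')
STRLIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
KEYCAST = re.compile(r'\(\s*(\w*key\w*)\s*\*\s*\)\s*"((?:[^"\\]|\\.)*)"', re.I)
# Literal lengths (in source characters) that equal common symmetric key sizes.
KEY_SIZES = {8: "DES", 16: "AES-128", 24: "3DES/AES-192", 32: "AES-256"}

def scan_c_source(text):
    """Return (line_no, rule, name, literal, size_hint) for each suspect literal."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # crude: does not handle // inside strings
        m = DEFINE.match(code)
        if m and KEYISH.search(m.group(1)):
            for lit in STRLIT.findall(m.group(2)):
                findings.append((no, "key-named macro", m.group(1), lit,
                                 KEY_SIZES.get(len(lit))))
            continue
        for typ, lit in KEYCAST.findall(code):
            findings.append((no, "literal cast to key type", typ, lit,
                             KEY_SIZES.get(len(lit))))
    return findings

def reused_literals(findings):
    """Map each literal to the lines embedding it. More than one site means the
    same key is compiled into several places, and into every shipped copy."""
    sites = defaultdict(list)
    for no, _rule, _name, lit, _hint in findings:
        sites[lit].append(no)
    return {lit: lines for lit, lines in sites.items() if len(lines) > 1}

if __name__ == "__main__":
    found = scan_c_source(SAMPLE_C)
    for finding in found:
        print(finding)
    print("reused:", reused_literals(found))
```

A hit means the key ships inside every binary and cannot be rotated per device; the fix is to provision a distinct key per machine at install time and keep it out of the source tree.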
The Princeton Hack of Diebold
• September 2006
• Fully independent security study of a Diebold AccuVote-TS Voting Machine
• “Vulnerable to extremely serious attacks”
• Physical access to a machine or its removable memory card for one minute could allow installation of malicious code
  • Which could steal votes undetectably, modifying all records, logs, and counters
  • Malicious code could also spread silently from machine to machine
• See http://www.youtube.com/watch?v=5WMG34cv0zM
Sequoia Gets Hacked
• Sequoia Makes Like Diebold And Gets Hacked By Princeton
• By John Gideon, VotersUnite.org
• February 11, 2007
• A New Jersey Attorney Will Ask A Judge To Decertify Sequoia AVC Advantage Machines
• A Princeton Professor Paid $86 For What A NJ County Paid $40,000 For
• In a report in Sunday's The Star-Ledger [NJ] it was revealed that Sequoia AVC Advantage Direct Recording Electronic (DRE) voting machines used in 18 of New Jersey's 21 counties were improperly certified for use by the state.
• [Attorney Penny] Venetis filed legal papers Friday claiming the state never certified some 10,000 Sequoia AVC Advantage machines as secure or reliable as required by law. "There is zero documentation --- no proof whatsoever --- that any state official has ever reviewed Sequoia machines," Venetis, co-director of the Rutgers Constitutional Litigation Clinic, said in an interview. "This means you cannot use them. ... These machines are being used to count most of the votes in the state without being tested in any way, shape or form."
Sequoia Still Being Hacked
• At the same time Princeton Computer Science Professor Andrew Appel revealed that he bought 5 of the Advantage voting machines from an on-line government equipment clearinghouse for a total of $86. Virtually identical machines were bought in 2005 by Essex County New Jersey for $8,000 apiece. Professor Appel and his team put the 5 machines to good use according to the article. A Princeton student picked one machine's lock "in seven seconds" to access the removable chips containing Sequoia's vote-recording software, Appel said. "We can take a version of Sequoia's software program and modify it to do something different --- like appear to count votes, but really move them from one candidate to another."
• And what does Sequoia have to say for itself? Citing more than a century in the election business, Sequoia Voting Systems asserts on its Web site that "our tamperproof products, including ... the AVC Advantage, are sought after from coast to coast for their accuracy and reliability." While promising to look into Appel's claims, Sequoia's Michelle Shafer asserted that hacking scenarios are unlikely.
• Appel counters: But Appel said voting machines often are left unattended at polling places prior to elections. He is confident his students and other recent buyers of 136 Sequoia machines sold on GovDeals.com --- where bidders also can find surplus coffins, locomotives and World War I cannons --- will crack Sequoia's code. Then, he said, it will be fairly simple for anyone with bad intentions and a screwdriver to swap Sequoia's memory chips for reprogrammed ones.
State-by-State
• California: 10 out of 58 counties
  • Diebold AccuVote-TS, Sequoia AVC Edge, ES&S iVotronic, Hart Intercivic eSlate
  • No voter-verifiable paper with DRE in this election but voters must be given paper ballot alternative to using DRE.
• Florida: 15 out of 67 counties
  • ES&S iVotronic, Sequoia AVC Edge
  • No voter-verifiable paper with DRE, recounts on touchscreens will not be possible, in violation of state law mandating them in close elections.
• Maryland: Statewide
  • Diebold AccuVote-TS
  • No voter-verifiable paper with DRE
• Nevada: Statewide
  • Sequoia AVC Edge
  • Has voter-verifiable paper trail; state chose Sequoia partly because paper trail was offered.
• Ohio: 7 of 88 counties use DRE
  • ES&S iVotronic, Sequoia AVC Advantage, Danaher, MicroVote MV 464
  • Ohio has mandated a paper audit trail for DRE machines by 2006. No system currently in use has voter-verifiable paper trail, though some older systems, like the MV-464, have internal printers that record ballot information for each machine.
• South Carolina: 36 of 46 counties use DRE -- 85 percent of registered voters.
  • ES&S iVotronic, Danaher ELECTronic 1242, Microvote 464, Microvote Infinity, Unilect
  • No voter-verifiable paper with DRE. iVotronic has three different memory locations where vote data is stored.
Brennan Center Report
• In December 2006, the Brennan Center for Social Justice at New York University released a comprehensive report, “The Machinery of Democracy: Voting System Security, Accessibility, Usability, and Cost”
• Recommendations regarding security:
  • Conduct automatic routine audits comparing voter-verified paper records to the electronic record following every election.
  • Perform “parallel testing” (selection of voting machines at random and testing them as realistically as possible) on Election Day.
  • Ban use of voting machines with wireless components.
  • Use a transparent and random selection process for all auditing procedures.
  • Ensure decentralized programming and voting system administration.
  • Institute clear and effective procedures for addressing evidence of fraud or error.
• Unfortunately, very few jurisdictions have implemented any of the security measures that the Task Force’s analysis shows are necessary to make voting systems substantially more secure.
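Added example (not from the lecture or the Brennan Center report): one way to combine two of the recommendations above, a publicly reproducible random selection of machines followed by a comparison of paper and electronic tallies. The seed-hash ranking, the machine IDs and the tallies are assumptions constructed for the illustration.

```python
import hashlib
from math import comb

def select_for_audit(machine_ids, public_seed, k):
    """Rank machines by SHA-256(seed|id) and audit the first k.
    The seed must be produced in public (e.g. dice rolls) only after the
    electronic results are committed, so nobody can predict the selection;
    anyone holding the published seed can recompute it."""
    def rank(mid):
        return hashlib.sha256(f"{public_seed}|{mid}".encode()).hexdigest()
    return sorted(set(machine_ids), key=rank)[:k]

def compare_records(electronic, paper, selected):
    """List (machine, candidate, electronic, paper) for every count that differs."""
    mismatches = []
    for mid in selected:
        e, p = electronic.get(mid, {}), paper.get(mid, {})
        for cand in sorted(set(e) | set(p)):
            if e.get(cand, 0) != p.get(cand, 0):
                mismatches.append((mid, cand, e.get(cand, 0), p.get(cand, 0)))
    return mismatches

def detection_probability(n, tampered, k):
    """Chance that a uniform sample of k out of n machines contains at least
    one of the tampered machines."""
    return 1 - comb(n - tampered, k) / comb(n, k)

# Constructed tallies. On M04 the electronic record has 5 votes moved from
# A to B; the machine total (207) is unchanged, so a ballot-count check
# alone would not notice.
ELECTRONIC = {
    "M01": {"A": 120, "B": 95},
    "M02": {"A": 88, "B": 101},
    "M03": {"A": 143, "B": 139},
    "M04": {"A": 110, "B": 97},
}
PAPER = {
    "M01": {"A": 120, "B": 95},
    "M02": {"A": 88, "B": 101},
    "M03": {"A": 143, "B": 139},
    "M04": {"A": 115, "B": 92},
}

if __name__ == "__main__":
    chosen = select_for_audit(ELECTRONIC, "constructed-seed-314159", 2)
    print("audit:", chosen)
    print("mismatches:", compare_records(ELECTRONIC, PAPER, chosen))
    print("P(detect 1 bad machine, sampling 2 of 4):", detection_probability(4, 1, 2))
```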
The Role of HAVA, Election Assistance Commission, NIST
• HAVA (Help America Vote Act of 2002)
  • Requires voting system standards, permanent paper record, disabled accessibility, alternative language accessibility, provisional voting, registration by mail
• Election Assistance Commission
  • to assist in the administration of Federal elections and to otherwise provide assistance with the administration of certain Federal election laws and programs, to establish minimum election administration standards for States and units of local government with responsibility for the administration of Federal elections
• National Institute of Standards and Technology
  • Agency mandated to carry out work of EAC
  • “software-independent voting systems”
  • Independent audit
NIST: Security Aspects Of Electronic Voting
• The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, as well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. To explore and research issues related to the security and transparency of voting systems, the TGDC established the Security and Transparency Subcommittee (STS). The Security Technology Group of the Information Technology Laboratory’s Computer Security Division supports the activities of the EAC, TGDC, and STS related to voting equipment security. The Security Technology Group supports the TGDC’s development effort for the next generation of the Voluntary Voting System Guidelines (VVSG), focusing on developing a security architecture that addresses significant threats to voting systems and enhancing voting system auditability.
• For more information on NIST’s efforts related to HAVA see http://vote.nist.gov/
NIST and the Help America Vote Act (HAVA)
• The 2002 Help America Vote Act has given NIST a key role in helping to realize nationwide improvements in voting systems. To assist the Election Assistance Commission with the development of voluntary voting system guidelines, HAVA established the Technical Guidelines Development Committee (TGDC) and directs NIST to chair the TGDC. NIST research activities include:
  • security of computers, computer networks, and computer data storage used in voting systems;
  • methods to detect and prevent fraud;
  • protection of voter privacy; and
  • the role of human factors in the design and application of voting systems, including assistive technologies for individuals with disabilities (including blindness) and varying levels of literacy
  • the recommendation of testing laboratories to the U.S. Election Assistance Commission (EAC). The EAC, not NIST, certifies voting systems for use in elections.
• More details of NIST's role in HAVA are available here.
NIST HAVA Efforts
• Technical Guidelines Development Committee (TGDC)
  • The TGDC is charged by the U.S. Election Assistance Commission (EAC) to provide technical guidance on implementing election-related technologies and to foster the development of voluntary, consensus guidelines. The NIST Director chairs the TGDC and NIST staff conduct the committee's technical work in accordance with HAVA. The TGDC page provides access to full details.
• National Voluntary Laboratory Accreditation Program (NVLAP)
  • NIST's NVLAP has established an accreditation program for laboratories that perform testing of voting systems, including hardware and software components. This program will provide for the accreditation of laboratories that test voting systems using standards determined by the Election Assistance Commission (EAC). The EAC, not NIST, certifies voting systems for use in elections.
• National Software Reference Library (NSRL)
  • NIST's National Software Reference Library collects software from various sources and incorporates file profiles computed from this software into a Reference Data Set of information. This concept can assist in addressing voting systems needs in several areas. Officials could determine that the software used during elections is the expected software. Verification that the software remains the same during distribution, installation, setup, or use is possible, supporting a “chain of custody.” Full details are available on the NSRL voting page.
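Added example (not from the lecture or from NIST): the reference-data-set idea described for the NSRL above, checking installed files against profiles recorded from the certified build. SHA-256, the {path: digest} layout and all file names are assumptions for the illustration, not the NSRL's own data format.

```python
import hashlib
import os
import tempfile

def file_profile(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_against_reference(root, reference):
    """Compare every file under root with a reference set {relative_path: sha256}."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen[rel] = file_profile(full)
    return {
        "modified": sorted(p for p in seen if p in reference and seen[p] != reference[p]),
        "unexpected": sorted(p for p in seen if p not in reference),
        "missing": sorted(p for p in reference if p not in seen),
    }

def demo():
    """Constructed install: after profiling, one file is altered, one is
    added and one is removed. File names and contents are hypothetical."""
    certified = {
        "bin/ballot.exe": b"certified build 1.0",
        "cfg/election.ini": b"precinct=12",
        "lib/audio.dll": b"audio",
    }
    reference = {p: hashlib.sha256(d).hexdigest() for p, d in certified.items()}
    installed = dict(certified)
    installed["bin/ballot.exe"] = b"certified build 1.0 (patched)"
    installed["bin/helper.exe"] = b"not in the reference set"
    del installed["lib/audio.dll"]
    with tempfile.TemporaryDirectory() as root:
        for rel, data in installed.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return verify_against_reference(root, reference)

if __name__ == "__main__":
    print(demo())
```

For chain of custody the check has to run from trusted media against the storage itself; software running on the machine under test cannot vouch for its own files.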
High-Interest Events and Items
• A Threat Analysis on UOCAVA Voting Systems
• NVLAP Suspends Accreditation of SysTest Labs, Incorporated
• NIST VVSG Test Development
• Next Version Voluntary Voting System Guidelines (VVSG)
• How NIST Works With the TGDC (video)
• VVSG Recommendations Companion Document and Video Tutorials
• June 12, 2008, Letter from NIST to EAC Regarding Ciber, Inc. (html)
• Federal Register Notice: Voting Equipment Evaluations Phase II (Extension) (html)
• Federal Register Notice: Voting Equipment Evaluations Phase II (html)
Princeton Warning on E-Voting Machine Hack Shows Human Touch Can Be a Good Thing
• By Brian Prince, 2008-10-27, eweek.com
• A report released by Princeton University claims an electronic voting machine used in New Jersey can be hacked in 7 minutes. Sequoia, the company that makes the machines, denies the report's conclusions. Still, the Princeton report is a reminder that, sometimes, it's nice to have a set of human eyes go over data.
• Sometimes it’s better to do things the old-fashioned way—at least partly.
• Perhaps that’s the lesson to be learned from a report released by Princeton University that outlines security concerns surrounding an electronic voting machine used in New Jersey.
• With the U.S. presidential election looming, the report states it is possible to hack the Sequoia AVC Advantage 9.00H DRE (direct-recording electronic) voting machine in 7 minutes by loading fraudulent firmware.
• By replacing the Z80 processor chip in the machine or removing one ROM chip from its socket and putting in a new one, a hacker can potentially siphon votes from one candidate and give them to another.
• “The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do,” the report states. “The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.”
• The subject of the voting machines entered the legal arena in 2004, when the Coalition for Peace Action, a Princeton-based civic group, sued the state over its use of the machines. The case was dismissed by the trial court in January 2005 and then reinstated in 2006 by the Appellate Court. While the appeal was pending in the summer of 2005, a bill was passed requiring that any voting system in New Jersey produce a voter-verified paper ballot as of Jan. 1, 2008. The state was given a six-month extension to comply on two occasions.
Some Valuable Readings
• http://itpolicy.princeton.edu/voting/videos.html
  • Demonstrations at Princeton on video
• http://www.cs.ucsb.edu/%7Eseclab/projects/voting/#video
  • Demonstration at UC Santa Barbara on YouTube
• http://www.wired.com/news/technology/0,72742-0.html
  • Article about Appel’s purchase of Sequoia machines for $16
• http://www.acm.org/crossroads/xrds2-4/voting.html
  • Article from 1997 by Lorrie Cranor outlining some e-voting issues
• http://avirubin.com/vote/
  • Rubin’s website at Johns Hopkins about e-voting
• http://www.internetnews.com/bus-news/article.php/3646231
  • Article about NIST’s recommendations
Valuable Readings (More)
• http://www.diebold.com/dieboldes/demos_tsx.asp
  • Diebold’s home page
• http://www.sequoiavote.com/demo.php?lang=en#overflash
  • Sequoia’s demo
• http://www.essvote.com/HTML/products/electronic_voting.html
  • ES&S website
• http://www.hartic.com/innerpage.php?pageid=98#
  • Hart Intercivic eSlate demo
• http://electionline.org/Default.aspx?tabid=1099
  • State-by-State data 9/06
• http://www.scpronet.com/helpscvote.html
  • South Carolina Progressive Network information
• http://www.votetrustusa.org/index.php?option=com_frontpage&Itemid=1
  • VoteTrust, a national organization advocating fair elections
• http://www.epic.org/privacy/surveillance/spotlight/0906/
  • Electronic Privacy Information Center
• http://www.brennancenter.org/
  • Brennan Center at NYU