Critique of the Alameda County Report
Remarkably positive spin on remarkably negative results
On October 4, Alameda County California released a report, Sequoia Voting Systems Vulnerability Assessment and Practical Countermeasure Development for Alameda County, prepared by Craig Humphreys and Craig Merchant of Pacific Design Engineering. (See http://accurate-voting.org/wp-content/uploads/2006/10/alameda_sequoia_vuln.pdf ).
This 22 page report (with a 5-page executive summary), examines the security of the Sequoia AVC Edge DRE voting machine, the Optech Insight precinct-count mark-sense scanner, the Optech 400C central-count mark-sense scanner, and the WinEDS election management system. The executive summary concludes that
No pracctical, realizable vulnerabilities were uncovered that could not be eliminated through appropriate countermeasures involving additional software and data validation or improved physical process countermeasures. ...
From a technology perspective, the Sequoia Electronic Voting System acquired by Alameda County, along with the processes and countermeasures planned by Alameda County for Election Day [November 7, 2006], can be considered secure."
In point of fact, this study uncovered several "practical, realizable vulnerabilities" that had not been previously disclosed to the public. It is only through reliance on physical and procedural countermeasures that these vulnerabilities are rendered insignificant, and then, only if these countermeasures are followed with scrupulous attention to detail.
In sum, from a "technology perspective" this report finds the Sequoia Electronic voting system to contain several serious security flaws. It is only by taking into account significant non-technical assumptions that the report can be considered to draw positive conclusions.
Furthermore, several of these non-technical assumptions are dangerously dependent on the ability of large numbers of temporary employees such as polling-place workers to follow complex procedures without error. For the short term, the election that is almost exactly a month away, these defensive measures may be sufficient, but in the long run, all Sequoia customers must demand that Sequoia deliver systems with better technical security measures.
Having made these negative comments, I want to say some positive things. First, many of the recommended improvements to physical security in the report are excellent. Regardless of all criticisms I have of this report, the county would be ill advised to ignore any of these recommendations, and other counties using electronic voting systems should take similar measures if they have not already done so. Second, without question, Alameda County is to be commended for commissioning this study. Many counties around the country would profit by following this example.
The physical security measures currently in place rely on tamper-evident seals, with seals checked and logged by the various machine custodians as they receive the equipment. This is an effective physical countermeasure against anyone breaking into a machine or container to alter its contents, but tamper-evident seals are generally fragile. A fingernail suffices to break one, if it is exposed.
As a result, where seals are exposed to votes, in the polling place, or exposed to the public, while equipment is sitting, in sealed cases prior to the opening of the polls, someone could break seals in order to create suspicion about the integrity of the equipment. This has happened in one Colorado county during this year's primary [County?] and I encountered this problem with lightweight plastic seals during pre-election testing in Miami-Dade County in August 2004.
In both the Colorado case and the Miami case, there is no evidence that the seals were broken deliberately. They may well have been broken in "normal handling". My conclusion, based on this experience, is that tamper-evident seals should always be either physically robust, requiring deliberate use of tools to break, or should be physically protected. Tamper evident seals that are under protective covers are safe from accidental breakage, but seals exposed to the public or to careless handling should not be relied on.
Sequoia, and other voting system vendors, should redesign the cases for their machines to include lockable or screwed-down covers over all seal locations, or alternatively, should redesign the cases for their machines so that the cases incorporate seal lugs of sufficient strength to hold 3/16 inch or larger nylon wire-tie-style seals. These seals require the use of wire cutters to break them.
In my Expert Report for Conroy v. Dennis of Sept. 5, 2006 ( http://www.cs.uiowa.edu/~jones/voting/conroy_v_dennis_jones.pdf ) I reported on a possible area of concern in the Optech Insight precinct-count mark-sense ballot tabulator. The firmware for this machine is split between two components, the APX (which holds all election dependent code) and the HPX (which holds what might be called the operatig system of the machine). The HPX can only be changed by removing and replacing chips inside the machine, but the APX is stored in the machine's removable memory pack.
I speculated, in my report, that the APX component might create a vulnerability to a Hursti-style attack. My reading of the report for Alameda county does nothing to allay my concerns. This report suggests that the APX is secured only by a CRC16 checksum -- a form of hash code, but only 16 bits, and therefore quite easy to counterfit.
The Alameda report says, on page 7:
The APX application memory has special signaling lines that make it extremely difficult for another type of physical device to alter the memory, and thus the APX program. In other words, should an attacker somehow gain access to APX firmware, be able to interpret it, modify it, and generate useful assembly language code, they would have to understand and properly use the memory line signaling required to actually alter a MemoryPack memory contents. This is a very rare skill, and requires unfettered, extended access to both Optech lnsight devices and MemoryPacks, since standards-based microprocessors and memory devices simply will not work the same way.
In other words, the obscurity of the device's construction will deter attack. It is noteworth that, on October 4, Rop Gonggrijp, Willem-Jan Hengeveld, and others released a report, Nedap/Groenendaal ES3B voting computer, a security analysis on a widely used DRE voting system in the Netherlands made by NEDAP. ( http://wijvertrouwenstemcomputersniet.nl/other/es3b-en.pdf ) This report documents, in considerable detail, exactly what is involved in undertaking an attack of the type that the authors of the Alameda report consider to be unlikely. The attackers of the NEDAP system obtained three machines, one from a cooperating unnamed government official, and two by purchase on the open market. I have seen Optech II and III machines on E-bay, and I have seen Diebold TS machines on Ebay. There is no reason to believe that other voting systems will not become available to the public in the near future, if they have not already.
I conclude that the Optech Insight is vulnerable to a Hursti type I attack, but not to the more dangerous Hursti type II attack. The latter is prevented by the fact that the HPX cannot be changed by software running on the Insight.
Because this machine uses paper ballots, and because California not only allows hand recounts of these ballots but requires randomly selected precincts to be subject to such recounts as an auditing measure, this vulnerability is probably acceptable in Alameda County and in other California counties.
In states where hand recounts are forbidden, this security vulnerability is devastating. In states where there is no routine auditing using hand counts, this security vulnerability could lead to attacks going unnoticed until a close election forces a hand recount. As a result, these machines should be considered to be as bad as DRE voting with no voter verified paper trail in such states.