Friday, July 8, 2016

Vote Rigging in the 21st Century

Few Americans knew about Al Gore's Florida vote total going backwards on election night, but officials in Volusia County were perplexed. Lana Hires, a Volusia County elections worker, demanded an explanation from Global Election Systems, who had made their ballot tabulators. The finding, that someone had intentionally injected negative votes into the system, was worrying, but even more worrying was that the software accepted them at all.

Ion Sancho, Supervisor of Elections in Leon County, was concerned as well. His county used the same AccuVote optical scanners as Volusia County, and he wanted to know whether those machines made it easy to rig an election. Sancho invited Bev Harris, founder of Black Box Voting, and her team to test that out. The climactic ending of the Emmy-nominated HBO documentary Hacking Democracy shows just how easily it can be done. Ion Sancho admits, "If I had not seen what was behind this [...] I would have certified this election as a true and accurate result of a vote."


The AccuVote scanners are far from the only voting system with major security flaws. Across the country, our elections are run by machines that can easily have votes altered or switched. And they can do so invisibly, thanks to their inner workings being a complete mystery to observers. Our most essential public process of democratic elections is under the purview of black boxes, where votes go in, and a mysterious number comes back out. To question whether these black boxes are counting votes properly is wholly reasonable.

Trusting the vote count

Imagine that when we go to vote, there's a man standing in the voting booth. We each tell him our vote, and he writes it down on a piece of paper. Once the polls close, he adds up all the votes he wrote down and declares the winner. Would you trust this system as accurate? It seems ludicrous: the man could have misheard us, or he could be switching our votes if he doesn't like them. And if he miscounted, there'd be no way to prove it. What if instead, we wrote our vote on a piece of paper, showed it to him, and then kept the paper in a secure place? That doesn't solve the problem: he can still miscount the votes. The paper would only help us catch him cheating after the fact.

Electronic voting machines aren't much different from that scenario. A touchscreen or ballot scanner isn't a single man, but what it does is dictated by many men and women. Machines will do whatever they're programmed to do, and a single person can program it to miscount the votes. That one person can make a programming mistake, or put their political bias into it. While not the same as having one man count your vote, it's functionally equivalent when a single person can control everything the machine does. Yet we balk at the scenario above, while being fine with electronic voting.




An accurate vote count thrives on transparency. If we can't see how votes are being counted, there's no reason to trust it. A single man counting the votes can apply any arbitrary standard he wants. Boss Tweed's political machine, Tammany Hall, took the votes to a secret location and counted them in a way that got them whatever result they wanted. Many of the famously corrupt political machines of that era were no different. A machine is a single entity applying the counting standard of whoever programmed it, and it carries out those processes unseen. Anybody who controls one can undetectably change an election.




Who controls the machines?

The lack of transparency makes it easy to hide election fraud, but who's actually in the position to rig a voting machine? A rather obvious answer is the machine vendors, those who make the hardware and software that goes on the machines. If a company developing voting machines wants to rig an election, they can modify them to do just that. The lack of transparency makes it unlikely they'll get caught, especially since the vendor usually keeps their system design a secret.

One common concern about election companies is their Republican ties. Election Systems & Software (ES&S), the largest elections vendor, was founded by the Urosevich brothers, with funding from right-wing millionaire Howard Ahmanson. Chuck Hagel was chair of ES&S before running for Senate. Bob Urosevich later left and become president of Global Election Systems, which was bought by Diebold in 2002. Diebold's CEO infamously promised to deliver Ohio to Bush at a fundraiser in 2003. In 2012, there was concern over Hart Intercivic being tied to Mitt Romney's old financial firm.

The Republican ties, while not incriminating, do create a perceived conflict of interest. To make things worse, the companies have often applied untested patches right before elections. Bob Urosevich was alleged to have personally delivered a software patch to Georgia in 2002, right before several Republican upsets occurred. Diebold has installed patches in other states "after the systems already were certified."  In 2012, Ohio election officials installed untested patches from ES&S before election day, software that could have changed votes.

More dangerous, however, is that these machines are vulnerable to outside groups tampering with them. Voting machines are meant to do only what the vendor programmed, but the security features to ensure that are often lacking or nonexistent. Security vulnerabilities are common, allowing anyone with access to the machine to replace its software or change results. This means that malicious voting machine vendors aren't the only group that can rig an election. Election officials, private contractors, poll workers, or even total outsiders can do so, given vulnerable machines to work with.

The state of electronic voting

America's election system is really a patchwork of systems that differs state-by-state, and even at the county level. More than 90% of our voting process today involves electronic machines (optical scanners and direct recording machines), so the differences between counties often pertain to which machines they use. Verified Voting helpfully keeps an online database of this information.

Three voting machine vendors control most of the market: ES&S, Diebold, and Sequoia. Diebold and Sequoia are both owned by Dominion, a Canadian voting system company. Voting systems from all three vendors, as well as others, have had security vulnerabilities publicized over the years. Diebold received most of the attention in the 2000s, its products serving as the focus of Hacking Democracy. But other systems share similar vulnerabilities of their own, and are used all across the country.

In 2015, the Brennan Center published a report on America's electronic voting infrastructure. Kim Zetter, senior cybersecurity writer for Wired, covered the report in her article, "The Dismal State of America's Decade-Old Voting Machines". She details how almost every state uses voting machines that are more than 10 years old, leaving them open to malfunctions and security issues. Many run on an OS that Microsoft has stopped providing security patches for, or use antiquated hardware and software. Some machines don't even receive vendor support anymore.

Figure 1: The Brennan Center's graphic showing the age of voting systems across the country. Most states have a majority of counties with systems older than 10 years. Almost no states only use systems that are newer than 10 years old.

Zetter explains that the problems with our voting systems came from poor standards, and a rush to upgrade our machines in the wake of the 2000 election fiasco. She writes,

In 2002, Congress passed the Help America Vote Act, which allocated about $4 billion in federal funds to help states purchase new voting equipment. [...] Most states replaced their antiquated punchcard and lever machines with new electronic touchscreen and optical-scan voting machines by 2006. But many of the machines installed then, which are still in use today, were never properly vetted—the initial voting standards and testing processes turned out to be highly flawed—and ultimately introduced new problems in the form of insecure software code and design.

The Help America Vote Act (HAVA) was designed to deal with the numerous issues that came to light during the 2000 election, including confusing ballots, malfunctioning machines, and missing votes. A significant part of it was grants to states to upgrade their voting systems, as Kim Zetter describes. HAVA created the Election Assistance Commission (EAC) to set standards for those systems, but 28 states bought systems before the standards came out, and the Brennan Center authors now find them inadequate for "the security standard that we consider necessary today."

In other words, our election system across the country relies on black boxes with significant gaps in their reliability and security. The old machines have it the worst, but even the machines newer than 10 years old can still have major security flaws. With vulnerable machines so prevalent, there's a lot of low-hanging fruit for bad-intentioned people and groups who have access to them.

How to rig an election

Since election systems can differ at the county level, county officials tend to handle the mechanics of running an election. Counties set up the individual voting machines, and pull together all the precinct results into a county report after polls close. The state government aggregates the reports from each county to produce its official election results. When you look at the election results process as a whole, it's a flow of information: precinct votes, to county reports, to state results. Any step of the process can be compromised to change voting results.

A county's election reporting is based around an election management system (EMS). An EMS is software that runs on a standard PC, used to set up and tabulate a county's elections. Before an election, the EMS is used to prepare the ballot layout, which is loaded onto the voting machines. The voting machines receive votes (by scanning ballots or recording voter selections) throughout the day. After the polls close, their results are sent to the EMS computer for central tabulation. All the communication between the EMS and voting machine is via a network or removable media. Once all the voting machine results are uploaded, the EMS is used to make the county report.

The memory cards used by Diebold voting machines to load ballot info and store results.

Each county runs a single EMS computer, often called the central tabulator. Since the voting machines have to upload results to the EMS, the voting machine and EMS must be compatible with each other. As a result, voting machine vendors also write their own EMS for use with their machines. Diebold has GEMS, ES&S has Unity, and Dominion has Democracy Suite EMS. Just like the voting machines, these programs are black boxes with security flaws.

Voting machines can be located within each precinct or at a central county location. Direct electronic recording (DRE) machines (such as touchscreens) and some ballot scanners are at the precinct, tabulating ballots as they're cast. Other ballot scanners are in a central location, for the purpose of counting large stacks of ballots at once. Whether the voting machines are precinct count or central count, however, they ultimately feed their data into the county central tabulator.

This multi-stage process of election reporting leaves many places to rig the results: the individual voting machines, the county tabulators, or the state's final aggregation. And both the voting machines and central tabulators have major security concerns, allowing hidden malicious code and results tampering. When results flow over a network, they can also be changed midstream, like Stephen Spoonamore alleged happened in the 2004 Ohio election. Even removable media that go into the central tabulator can be used to rig results, as they did in Florida's 2000 election.

The situation seems rather dismal. However, there are safeguards that election officials employ. Individual voting machines often print out a record of the votes they counted, called a poll tape. These poll tapes, if preserved, serve as an official record of what the machine tabulated. Once the results go into the county tabulators, they can be checked against those poll tapes. So modifications to the results after being uploaded from the voting machine can be caught.

Procedures of checking the tabulated results against the poll tapes, the post-election canvass, vary state-by-state. Some states have rigorous canvasses, while others fall short. Bev Harris, Black Box Voting founder, has a generally negative view of states' procedures:

Almost nowhere actually canvasses each precinct, though a few locations canvass SOME precincts. Of those, they tend to be chosen non-randomly and, even so, there are usually discrepancies which no effort is made to resolve. For example in Shelby County Tennessee, out of 230 precincts, they canvassed only the Election Day votes (not absentee or early) for only 15 precincts, 25% of which did not match. Then, as is typical, without making any effort to determine whether the non-matching precincts were part of a bigger problem, they added up only the numbers for those few precincts and concluded "it wouldn't have changed the result."

And as Harris notes, early and absentee votes aren't even canvassed. Jim March, another election integrity activist, has pointed out that Diebold's absentee ballot tabulation is only done in the central tabulator. Their central count ballot scanners simply feed results directly into the EMS for tallying, so the results can be changed undetectably on the central tabulator. Bev Harris describes this as part of a larger trend in election administration, eliminating poll tapes in many cases.

So when it comes to rigging an election, there's a trade-off: ease of rigging vs. risk of getting caught. Changing results on the county or state tabulators lets you alter a lot of results easily, but you can be caught by proper canvassing procedures. But since many states don't canvass properly and poll tapes aren't always produced, you can often get away with it anyway. The most assured way of rigging an election is changing what the individual voting machines say, which even a canvass won't catch. However, a lot more voting machines need to be rigged to actually change an election.


Now that we know how election rigging can work, let's look at some of the known vulnerabilities that make it possible. If an election systems vendor wants to alter an election, none of these are needed, since they can just change the software. But for others with access to the machines who want to rig an election, these vulnerabilities are a way to control the innards of the black box.

Optical scanner vulnerabilities

Electronic voting isn't just limited to voting directly on a machine. Many jurisdictions, especially those with vote-by-mail and absentee voting, have paper ballots that are counted by optical scanners. Though they have a paper record of the vote if the electronic tally ends up disputed, this doesn't change the fact that a hackable black box is producing the initial vote count.


AccuVote OS/OSx

Diebold's AccuVote OS is the optical scanner shown being rigged in the Hacking Democracy clip above. Ion Sancho ran a mock election to test whether it could be hacked. Harri Hursti, a Finnish security expert working for Black Box Voting, put a modified memory card into the system beforehand. 2 people voted yes and 6 people voted no, but when the ballots were run through the machine, it led to a final tally of 7 yes and 1 no votes. The results were completely reversed.

Hursti's attack was a form of electronic ballot stuffing, preloading the card with 5 yes votes and -5 no votes. In addition to that, he had to modify some code on the memory card to avoid detection. At the beginning of the election, the AccuVote OS prints a zero poll tape to help poll workers check if the memory card has any stored votes. But the poll tape is printed by modifiable scripts on the memory card, so Hursti simply changed the script to always print 0 votes.

A Berkeley study confirmed Harri Husti's attack was possible, and detailed other attacks as well. In addition to the zero tape, the final poll tapes at the end of the election (which a canvass checks against) can be falsified. And the scripts can also be used as a springboard to further take over the system. The scripts are run by an interpreter program, and the interpreter contains several software bugs in running them. These bugs allow the scripts to take control of the interpreter, giving them full access to the system. It can then change votes or install malicious firmware on the system.

The AccuVote optical scanners are used in several states, especially those with a majority of voting machines older than 10 years. They're used almost universally in New Hampshire, Massachusetts, and Connecticut; and in many counties in Michigan, Ohio, Missouri, and Indiana. Notably, the use of these machines was linked to Clinton's upset in the 2008 New Hampshire primary.


Model 100/650

The Model 100 and 650 are from ES&S's older brand of optical scanners. Model 100 scanners count ballots at the precinct, while Model 650's are designed for counting stacks of ballots in a central location. In 2007, the Ohio Secretary of State commissioned a security review of ES&S's machines. This study, EVEREST, was done at the University of Pennsylvania.

EVEREST found that the Model 100 is vulnerable to an attacker replacing its firmware. If the machine turns on and finds new firmware on the memory card, it will install it with no password and no verification. Someone can craft malicious firmware that tampers with votes, put it on a memory card, and load it into the system within seconds. In fact, the firmware can copy itself onto other memory cards that get inserted, spreading virally to other machines.

The study only referred to this vulnerability for the Model 100, but the Model 650 likely has the same issue. Both machines are architecturally similar, and the M100 and M650 have nearly identical procedures for installing new firmware (except the M650 uses a zip disk, not a memory card).

Model 100 machines are used in almost every South Carolina county, roughly 50% of South Dakota counties, over 1/3 of Illinois counties, nearly 1/3 of Ohio counties, nearly 20% of Alabama counties, and about 1/6 of California counties.  Model 650 machines are often in the same places, but they sometimes show up on their own, such as in West Virginia, where it's used in 1/3 of the counties.


Optech

Sequoia has three main models of Optech scanners: the IIIP-Eagle, Insight, and 400-C. They date back to the 1980s, but are still in use today. Security tests, such as California's 2007 Sequoia review, reveal multiple Optech vulnerabilities allowing malicious code to be executed.

The California report found that parts of the Optech's operation were controlled by interpreted scripts on removable media. Several types of scripts exist, overseeing ballot counting and poll tape printing. Anyone with access to the memory packs can change these scripts and alter how votes are counted. The report only confirmed this for the Insight and 400-C, but John Washburn states that the same is true of the IIIP-Eagle. Such a vulnerability is the same one Harri Hursti used on the AccuVote.

Machine firmware can also be altered in a couple ways. The Insight's firmware is split between an internal HPX chip and the memory pack, both of which can be altered. Other Optech machines store all their firmware on the system, but it can likely be updated from removable media. All the Optech devices have no way of checking whether firmware is from the vendor or an outside source.

The Insight and 400-C altogether count ballots in nearly 50% of California counties. Insight scanners also count roughly 1/3 of counties in Michigan, and 1/6 of counties in Missouri. Eagle scanners are used statewide in Rhode Island and Nevada, where all the voting machines are older than 10 years, and in scattered towns in Massachusetts and Wisconsin.


ImageCast

The ImageCast optical scanners were made by Sequoia (now Dominion) specifically for New York's switch from lever machines to optical scanners in 2009. This makes them far newer than almost all of the other common machines in this list. Upstate New York is the main customer of the ImageCast, but they're also used statewide in New Mexico, and in an assortment of counties in other states.

There are no red team tests or security evaluations of the ImageCast that I could find. Little evidence of vulnerabilities exists, though there are concerns about illegal USB and network ports. These could allow malicious data to enter the system, but aren't vulnerabilities on their own. One allegation about the ImageCast's security, however, stands out: the claim that some scanners in the 23rd congressional district had a virus during the 2009 election.

A county election official reported that they discovered a "virus" during pre-election testing, causing some machines to freeze and crash. She said that they had to get Dominion to fix the machine. The state Board of Elections later said it was a software bug, not a virus. They claimed that an issue in parsing the ballot configuration led to the system hanging, and Dominion worked around it by changing the ballot info to use less memory.

Bo Lipari, a New York election integrity advocate, also argued that a virus would have been nearly impossible because the machines ran Linux. This is factually incorrect. Any software can be exploited given malicious data, which another New York election integrity advocate, Howard Stanislevic, suggested as a possibility. He raised some questions about the BoE's explanation, and pointed out that an infection from a malicious memory card was plausible.

Overall, the allegation that New York's ImageCast machines had a virus is just a rumor, and one that's denied by the Board of Elections. But with information on it so lacking, it's worth digging into more. It's still quite plausible that ImageCast machines could have been infected.


eScan

Hart Intercivic's eScan optical scanner is also newer than most of the others on this list, but it still has its fair share of vulnerabilities. California also tested the Hart products in its 2007 review, performing a source code review and red team test.

The source code review found that a hacker could easily extract sensitive information from and send administrative commands to the eScan. eScan devices have a special Ethernet port for the EMS to configure it, but an attacker can also connect to the port. Commands sent to the port can erase votes and audit records, dump firmware (including secure keys), and replace the firmware (allowing results to be altered). The red team also identified another attack that would let them alter the firmware.

eScans are used nearly universally in Oklahoma, Kentucky, and Hawaii, where most or all of the voting machines are newer than 10 years old. They're also used in about 20% of Texas counties and 50% of Washington counties, both of which are states with mostly newer machines. Tennessee, with a minority of counties using newer machines, uses eScans in 25% of its counties.

DRE vulnerabilities

Direct electronic recording (DRE) machines are what people usually think of as electronic voting: you make your selection directly on the machine, and it records the result internally. This leads to a serious integrity risk: if the machine miscounts, there's no original ballot to check. Some machines implement a voter-verified paper audit trail (VVPAT) to address this: in addition to electronic recording, they print a paper ballot with the voter's choices. But while this makes it easier to catch fraud, it can't stop it from happening in the first place, just as with optical scanners.


AccuVote TS/TSx

Diebold's AccuVote touchscreens also install unverified firmware in seconds. A 2006 Princeton study found that vote tampering software can easily be installed from a memory card. When the machine starts up, its bootloader checks for firmware updates on the memory card, and installs them with no verification. An attacker can prepare a memory card with a malicious bootloader and operating system that manipulates votes. Here's a demonstration of their attack, with an AccuVote TS programmed to flip votes:


Furthermore, that bootloader can be programmed to copy itself onto any memory card that's inserted, creating a virus that spreads across AccuVote touchscreens. Memory cards are often shared between machines for firmware updates and loading ballot definitions, so a couple compromised machines could infect a large population.

The scripting vulnerabilities in the AccuVote OS are also present in the AccuVote TS. Malicious scripts on a memory card can falsify poll tapes or completely take over the system. And since the VVPAT is produced from the same printer as the poll tapes, the scripts to print it can be modified as well. This means that even the paper audit trail, when in use, can be falsified.

Even if these issues have been since fixed, which Diebold has a poor history of doing, plenty of jurisdictions have never upgraded. The AccuVote TS/TSx machines are used statewide in places whose machines are all older than 10 years, such as Georgia, Utah, and Alaska. States with mostly outdated voting machines also feature it prominently: the AccuVote TS is in over 50% of Ohio counties, over 50% of Mississippi counties, and over 20% of Indiana counties.


iVotronic

ES&S's iVotronic touchscreens are similarly vulnerable to firmware replacement. The EVEREST study at the University of Pennsylvania found multiple security issues.

The iVotronic's data transfer medium is a wireless hardware module called a PEB. PEBs transfer data between the EMS and the iVotronic, and are used to authenticate poll workers as election supervisors. One can easily make a fake PEB using a device like a Palm Pilot, giving them supervisor control over the machine. There's even a special undocumented supervisor mode which bypasses all passwords. Real PEBs can have their data (such as results) modified using a Palm Pilot and a magnet.

A PEB (real or fake) can introduce data that exploits one of several buffer overflows, allowing for a full takeover of the machine. Code that takes over the machine can manipulate votes, and install modified firmware that does the same. A supervisor PEB also lets attackers replace the firmware, which is never checked for validity. One compromised machine is able to modify connected PEBs to compromise other machines, creating a virus that spreads across iVotronics.

iVotronics with no paper trail are used statewide in South Carolina, as well as in nearly 40% of Pennsylvania counties and nearly 20% of Kentucky counties. They're also used with a paper trail in nearly every West Virginia county, and in a little over 1/3 of North Carolina counties.


AVC Edge, Advantage

Sequoia has two DRE machines under its AVC line: the touchscreen AVC Edge and the push-button AVC Advantage. California and New Jersey reviewed the Edge and Advantage, respectively, with both reviews finding vulnerabilities that allowed vote tampering firmware to be installed.

California's 2007 red team test discovered two ways to alter the Edge firmware: a results cartridge that exploits the system to run malicious code, and a directory traversal issue that allows the firmware files to be overwritten. The New Jersey test discovered that malicious audio ballot info could compromise the Advantage and replace the firmware in a similar manner. Additionally, someone with physical access could remove and replace the flash chip containing the firmware.

The California red team also produced a video showing their malicious firmware in action. Not only is it possible to change votes, but the paper audit trail can be faked. If the voter doesn't notice, all results of the election are compromised, even recounts:



In Louisiana, which uses outdated voting machines in all its counties, paperless AVC machines are used statewide: the Edge for early voting, and the Advantage on election day. New Jersey uses Advantage and Edge machines almost exclusively, again with no paper trail. Almost 40% of California counties and 20% of Missouri counties use the Edge with a paper trail. The Edge is also used in Chicago, where the audit of the paper trail failed to match the machine count.


eSlate

Hart Intercivic's eSlate is vulnerable to the same issues as the eScan. The eSlate is a terminal with LCD and dial, attached to a Judge Booth Controller (JBC), the machine that actually controls the voting. Multiple eSlates in a precinct are connected to a single JBC. Like with the eScan, the JBC has a configuration interface that can be used to read sensitive data and alter the firmware. And the eSlate itself receives similar commands through the JBC, so a hacker can just attach directly to the eSlate and send these commands.

eSlates are used nearly statewide in Hawaii (with a paper trail) and Kentucky (without a paper trail). 14% of California counties have eSlates with a VVPAT. Paperless eSlates are also used in about 40% of Texas counties, and nearly 1/3 of Tennessee counties.


WINVote

WINVote touchscreen DREs are no longer in use, but they're a great example of just how flawed electronic voting can get. From 2003 to 2015, Virginia and other states used these machines, which could be hacked to change results without touching the machine. In fact, it wasn't even necessary to set foot in the polling place: a hacker could alter an election from the parking lot.

The machines created their own wireless network to transmit votes, which anyone within range could access. The network used weak security that could be broken within minutes, and the password turned out to be "abcde." Once on the network, it was trivial to start sending fake election results. And since the machines ran outdated copies of Windows XP, hackers could use one of 18 known exploits to take over the machine. Then they could guess the password to a hidden administrator account (with password of "admin") and start editing the vote database.

Luckily, the WINVotes aren't in use anymore, but it's quite likely that past Virginia elections were hacked. If they weren't, a researcher said, "it was only because no one tried."


EMS vulnerabilities

Voting machines are clearly susceptible to rigging, but modifying individual voting machines is limited in impact, and requires more work to pull off. A hacker has to write an exploit for the specific voting machine, and get it into the hands of someone with physical access to one. This is still possible, and rigging a select few precincts can be enough. But going after a county's election management system (EMS) computer is a much easier way to alter an election.

Since the EMS computer is a general purpose PC, it often doesn't even require programming skills to change results. The election results, tabulated from all of the voting machines, are usually stored in an editable database. Anyone with access to the EMS computer can change them. Doing this is hardly even an exploit: it's simply using a computer.

Controlling the EMS also lets a hacker infect all the voting machines in a county. Most of the voting machine exploits described above are installed from removable media, which the EMS initializes with ballot info before an election, or network interfaces, which the EMS controls. So anyone in command of a county's EMS computer can take over every voting machine in the county and alter the results tabulated from them.

The EMS computer, or central tabulator, sits in a county elections office. Bev Harris has reported that a surprising number of people have physical access to the tabulator. County election officials obviously have access, and they often fail to track who goes into the tabulator room. There are also frequently election vendors or private contractors running the technical aspect of an election, including the central tabulators. And some vendors even have remote access into the systems.

Remote access can also be done by hackers. The EMS software packages contain web results reporting, so the central tabulator might be connected to the Internet. Tabulators tend to be running old versions of Windows, which are full of unpatched vulnerabilities and can sometimes be hacked after 4 minutes online. Even if they're off the Internet, the central tabulators may still use a modem to receive results from voting machines. The modem phone number can be discovered and used to dial into the central tabulator.

With so many people able to access the central tabulator, and little ability to account for them, elections across the country are ridiculously vulnerable to tampering. Election officials, private contractors, and hackers can take over a county's central tabulator, letting them infect voting machines or tamper with the results. This problem is inherent to every EMS computer, no matter who the vendor is. Some vendors, however, make it even easier for people who gain tabulator access.


Global Election Management System (GEMS)

Diebold's EMS software, GEMS, manages roughly 25% of votes in the country. Bev Harris and others have studied it since 2003, when she found GEMS files on an unprotected FTP server. Even before then, GEMS drew some scrutiny: Al Gore's Florida vote total went backwards after GEMS accepted a rigged memory card with -16022 votes. Why it would allow negative votes is a mystery. GEMS has several other design quirks that make election rigging even easier.

Many of the key issues were detailed by Harris in 2004. GEMS stores votes in a Microsoft Access database, along with passwords and audit logs. All of this data simply sits in a database file that anyone can open and edit with the Microsoft Access program. This program is included with Microsoft Office, so it's commonly found on Windows PCs. But even if Access is uninstalled, the database can be edited with VBScript, a scripting language built into Windows. There's no way to prevent those on the central tabulator from tampering with an election.

Figure 2: GEMS vote totals, open for editing in Microsoft Access. One candidate has 404 votes and the other has 208 votes.

GEMS has security features - audit logs and password protection - but being able to edit the database makes them useless. The password is checked against what's stored in the database, which can simply be changed. And the GEMS program is meant to audit every action taken in GEMS, but the audit log itself is part of the database and can be altered. Not to mention that neither of these security features stop you from simply changing votes in the database without using GEMS at all.

Figure 3: The GEMS audit log, which is also editable in the database.

There's also a more subtle and dangerous quirk. GEMS can produce two kinds of election results: a summary report with countywide totals, and a statement of votes cast (SOVC) report that has results by precinct. SOVC reports are used to verify poll tapes and hand recounts, while summary reports are sent to the state government to produce statewide results. Both reports should still pull from the same vote data, but in GEMS databases, there are separate data tables for summary and SOVC reports. An attacker can edit the data for the summary report but leave the SOVC data alone, rigging an election while defeating canvasses and recounts.

Bev Harris recently made another GEMS discovery: vote totals are stored as decimals rather than whole numbers. The purpose was to implement weighted races, allowing the votes of certain people to be more or less than 1 vote. Weighted races do exist legitimately, but they aren't done with fractional votes. And in GEMS, all races, not just weighted ones, use fractions. Fractional vote counts allow the total votes to be easily reapportioned by preset margins. Someone with access to GEMS can set whatever percent outcome they want, and the votes will be redistributed to match.

Unity

ES&S's Unity software has received much less attention than GEMS, but it shares many of the same issues. A 2008 California red team report found that users on the central tabulator can gain access to vote totals, extract passwords, and edit the audit logs. Zip disks containing results from the M650 optical scanner can be modified before being uploaded to Unity. The EVEREST report confirms that the same issue exists for the M100 memory cards. So just as in Volusia County in 2000, someone can forge election results on removable media and upload them.

EVEREST also found that Unity can be taken over by malicious results media. Unity has a buffer overflow vulnerability in reading iVotronic PEBs and M100 memory cards. This means that a single infected voting machine can introduce a virus that takes over the central tabulator.

WinEDS

Sequoia's EMS, WinEDS, can also have its database altered outside of the EMS, just as with GEMS. California's 2007 Sequoia code review discovered this problem. WinEDS has user accounts for each election official/contractor that uses the system. These users are restricted in what they can do inside WinEDS, but that has no effect outside of the EMS. All of the users are database administrators, so they can modify whatever they want directly in the database.

Democracy Suite EMS

Democracy Suite EMS, from Dominion, separates the EMS into a client PC (used by election officials) and a server that the client talks to. The election database is stored on the server, so nobody using the EMS has direct access to it. But a California red team evaluation found that the server allows the client to access the election database anyway. They still need the database key or user credentials, but both can be easily obtained, from the server application binary or system RAM.

Hart EMS

The Hart Intercivic EMS also fails to protect its database security, as the California source code review found. Usernames and passwords protecting database access are stored in a file with no meaningful encryption, so anyone on the system can easily discover them. Once they do, they can access the database behind the back of the EMS.


Rigging in practice

Election fraud is often derisively called a "conspiracy theory." That would be fair if it was completely implausible, but thanks to our horribly flawed electronic voting system, it's not. Voting machines can easily have vote tampering firmware installed. Election management systems run on poorly-secured PCs, with the vote totals database wide open to tampering. Nothing about election fraud is technologically impossible, and most people know this. But perhaps it's logistically impossible.

A security vulnerability, of course, doesn't matter unless you have the opportunity to exploit it. That's where the logistical argument comes in: that far too many people would have to be involved with rigging an election. Such a massive conspiracy would easily collapse under its own weight, and it would have been revealed by now. That may have been true with past voting systems (yet they still got rigged). But we're here in the 21st century, and technology completely changes the game.

Any programmer at an election systems vendor can slip in code to rig an election. Voting machine software and EMS programs are built from the work of numerous developers. With only one dishonest programmer able to hide their code, countless machines across the country can be rigged. The black box nature of machines eliminates oversight, forcing trust in the vendor and every one of its programmers. But the added insecurity of voting machines means that outsiders also need to be trusted.

Individual voting machines can be compromised by a single person in a small window of time. They don't need to know how the machine works: all it takes is inserting a hack someone else prepares. Voting machine hacks can be prepared by one person or a small team, and then deployed on as many machines as needed. Think of everyone who has access to them: election officials, contractors, poll workers, voters, and anyone else who finds them unattended. It only takes one who's untrustworthy.

Of course, that's only one voting machine. Rigging an election requires a lot more to be compromised. But almost all of the voting machine exploits from above are able to copy themselves. They can easily spread to memory cards, which are then loaded into other machines, or over a network, to compromise other networked machines. One infected machine can quickly take over all the machines in a precinct, or even beyond that. All from one person installing a prepared hack.

Even easier would be to go after the central tabulator. All the votes are ultimately added up at that one computer, so a single person controlling it can flip countywide totals. Worried about being caught by canvasses? The risk is overstated, since canvassing procedures are often poor, and poll tapes are not always even present. Not to mention some central tabulators (GEMS) allow you to hide your modifications so a canvass (or even a recount!) won't catch them.

Still worried? Well, the central tabulator runs a county's election management system. This includes setting up the ballot info and sending it to all the machines, via memory card or network. And these are the same vectors used to infect voting machines with malware. So one compromised EMS computer can compromise every single voting machine in the county. People setting up the machines will unwittingly carry memory cards that are infected, putting them into machines without ever knowing.

Who has access to the central tabulator? A number of election officials, which counties often fail to keep track of. Private contractors might be running the tabulator for the county or state. If so, the elections are prepared and tabulated by shadowy middlemen, whose activities are unobserved or not understood. Some contractors manage entire or multiple states. Election system vendors can have access to central tabulators, even remotely on election night. All of these people have to be trusted.

Not to mention the unauthorized access that can occur to the central tabulators. They often end up connected to the Internet, or connected over dial up, leaving them exposed to hackers. Someone can log into them from anywhere in the country, and use one the same way as someone sitting right in front of it. All the illicit things you can do on a central tabulator - flipping results and preparing voting machine malware - can be done by one hacker without leaving their home.

Malware spreading from the EMS computer to the voting machine is powerful, but it can work the other way as well. EMS software can be exploited by malicious data sent back from the voting machines. So if someone compromises an individual voting machine at the polling place, it can spread not just to other voting machines, but to the central tabulator. And then the infected central tabulator can infect more voting machines.

Worrying about election fraud isn't tilting at conspiracy theories. It's the result of a devastating recognition: trusting our election system is only possible if every single one of the numerous people with access is also trustworthy. As soon as a single person turns out to be malicious, one component is infected, and soon every component can be breached. Realistically, that level of trust can't exist.

Like I said, technology changes the game. It means one untrustworthy person anywhere can compromise the trust of the entire election system. That's scary. But it's a reality, and the unfortunate consequence is that election fraud can easily exist. It would be more surprising if it didn't.

Detecting fraud

If our voting systems are compromised, how do we catch election fraud? When we use optical scanners, or DREs with a VVPAT, we can recount to check the results. Some states do use random hand-count audits to verify their electronic results, though plenty of others don't. When an audit does find a discrepancy, it often ends up ignored without affecting the election. Outside of that, recounts are rare. Clever tricks, like the multiple tables in GEMS, can evade recounts entirely. And the stored ballots might be physically altered, like Richard Hayes Phillips documented in Ohio's 2004 election.

A useful check on our election results would be a second count. An alternate tally of voter preferences that doesn't rely on electronic machines. This isn't wishful thinking. It exists right now, and the media has been conducting them for decades: exit polls.

Do exit polls have potential flaws? Of course, but so do our own electronic voting systems! When the polling fails to match the official results, it means two flawed counts that were supposed to show the same thing are different. The next step is finding out why: the polls could be wrong, the results could be wrong, or both could be wrong. But neither is more implausible than the other.

Other posts on election fraud

5 Comments:

At December 28, 2016 at 3:18 AM , Blogger Unknown said...

Hey!!!!!.... Your Blog Is very nice and informative, I have some important knowledge about
http://bit.ly/2ipMUtC

 
At March 9, 2017 at 9:59 AM , Blogger Unknown said...

This comment has been removed by the author.

 
At March 9, 2017 at 9:59 AM , Blogger Unknown said...

Thanks for sharing this wonderful post. It is important and very useful, and the articles are nice to share everyone. Election Management System

 
At November 14, 2020 at 8:06 PM , Blogger Merika said...

How does one reach you? Do you have an email?

 
At November 17, 2020 at 2:05 AM , Blogger Dan, Emily, Isaac, and Micah said...

This comment has been removed by the author.

 

Post a Comment

Subscribe to Post Comments [Atom]

<< Home