Earlier I had promised more on the USENIX/ACCURATE Conference in San Jose. In addition to the panels, the presentations on the Ohio EVEREST studies provided information that we have not covered here at CTVotersCount.org. Released in mid December, following the California Top-To-Bottom review the Ohio reports have gotten less attention by many, including me. Two presentations on EVEREST at the conference grabbed my attention – they not only confirmed the CA reports but added additional vulnerabilities and devastating conclusions.
Links:
Ohio One Page EVEREST Summary
Ohio Secretary of the State’s Executive Report
USENIX Hart and Premier [Diebold] Paper
USENIX ES&S Paper
HOPE Conf ES&S Video Presentation
From the Ohio Secretary of State’s summary:
Ohio’s electronic voting systems have “critical security failures†which could impact the integrity of elections in the Buckeye State, according to a review of the systems commissioned by Secretary of State Jennifer Brunner.
“The results underscore the need for a fundamental change in the structure of Ohio’s election system to ensure ballot and voting system security while still making voting convenient and accessible to all Ohio voters, “ Secretary Brunner said Friday in unveiling the report…
“To put it in every-day terms, the tools needed to compromise an accurate vote count could be as simple as tampering with the paper audit trail connector or using a magnet and a personal digital assistant,†Brunner said.
(Note: Since Connecticut uses Premier [Diebold] equipment that report’s findings are most relevant. Note, however, that all the findings do not apply to Premier and that Connecticut uses a subset of their products – yet all the findings indicate the state of the industry, our vendor, and the general qualities and security of our electronic election equipment.)
From the Hart/Premier report:
As in previous studies, we found the election systems to be critically flawed in ways that are practically and easily exploitable. Such exploits could effect election results, prevent legitimate votes from being cast, or simply cast doubt on the legitimacy of the election itself. In this
effort we identified new areas of concern including novel exploitable failures of software and election data integrity protection and the discovery of dangerous hidden software features…
there were several important failures detailed by this study that were not known prior to the release of this study. Several important discoveries include:
- here is a veritable sea of previously undetected functionality in the Hart system. Note that we found what we believe is only a tiny fraction of the features enabled through undocumented software triggers, e.g., Windows registry entries.
- An attacker may subvert all backend data protections in the Hart and Premier systems by exploiting combinations of new and previously known vulnerabilities…
- There exist critical failures in the previously unstuded Verdasys Digital Guardian security software. This software is used by the state of Ohio to defend the Premier GEMS server upon which the back-end election processes are based…
Our assessment methodology was particularly effective – in nine weeks, this study doubled the number of publicly known vulnerabilities in Premier systems and found over 25 new vulnerabilities in the Hart system. In fact, ,as the evaluation approached its end, the rate of vulnerability discovery continued to increase. Given more time, it is our firm belief that additional significant vulnerabilities would continue to be found.
Failure to effectively protect election data integrity: Virtually every ballot, vote, election result, and audit log is forgeable or otherwise manipulatable by an attacker with access to the voting systems. Further issues expose voter choices and can lead to voter coercion and vote sellng. These vulnerabilities place enormous burdens on the physical procedures of an election…
Failure to protect an election from malicious insiders: Neither system provides adequate protections to ensure election officials, poll workers, or vendor representatives do not manipulate the system or its data. These attacks are often invisible after the fact, and therefore misuse is difficult or impossible to uncover later…
Failure to provide trustworthy auditing: The auditing capabilities of the Premier and Hart systems are limited. Those features that are provided are subject to a broad range of attacks that can corrupt or erase logs of election activities. This severely limits the ability of election of- ficials to detect and diagnose attacks. Moreover, because the auditing features are generally unreliable, recovery from an attack may in practice be enormously difficult or impossible…
Unsafe features and practices: The studied systems embrace dangerous designs and practices. Each system possesses undocumented features that are highly dangerous. Further, the visible lack of sound engineering practices leads to widespread security and reliability failures.
Also Matt Blaze gave a similar ES&S presentation recently at the HOPE (Hackers On Planet Earth) Conference in New York City. Available on video from Connecticut filmmaker, Nick Pasquariello. <view> Well worth watching to get a feel for the process and the general lack of security provided by today’s voting machines.
