Computer scientists agree: software-based election systems cannot be made secure from undetectable manipulation or error

Since 2002, when HAVA (the Help America Vote Act) was enacted, computer scientists have released over three dozen studies of the software-based voting systems rushed in by HAVA. Every one of these studies has concluded that software-based optical scanners and DREs (direct record electronic systems, often known as “touch screens”) are vulnerable to undetectable manipulation and error. While any machine, including a lever voting machine, can be hacked, software enables a single individual to change thousands of votes in a few minutes without leaving a trace.

The inner workings of the software-based machine are invisible. Systematic exploits enable massive vote switching in minutes. In contrast, affecting the outcome of an election conducted with lever machines is labor-intensive, since each machine must be individually rigged, increasing the likelihood that the crime would be caught; levers are not capable of systematic exploits. Vote flipping, common on electronic machines, is also not possible on a lever machine. Tampering with a lever machine can be detected because its working parts are visible, in contrast with software, which is invisible to all but the programmers. Regardless of how the software has been programmed, self-erasing malware can be introduced into an electronic system but not into a lever system. Certification of computerized systems is a ruse because no amount of certification testing will make voting computers secure.

  • The National Institute of Standards and Technology, the Federal government’s own technical advisers, found that certification testing cannot provide security or reliability:

“[E]xperience in testing software and systems has shown that testing to high degrees of security and reliability is from a practical perspective not possible.” (Emphasis added.)

  • A 2007 report authorized by the California Secretary of State found that with software-based voting machines:

An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine.  The damage could be extensive – malicious code could spread to every voting machine in polling places and to county election servers.

  • Finding error or fraud in software code has been shown to be prohibitively expensive and time-consuming due to self-erasing code and the fact that code can be several hundred thousand lines in length, according to the 2008 ACCURATE Report (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections):

[N]o matter how hard one looks for errors or faults in voting system software, there is no way to guarantee that one has found them all. Even if no errors or faults are found, there is no way to guarantee that none exist….

  • Notwithstanding the pre-election certification of the optical scanners and even with security seals in place, in 2006 the University of Connecticut established how easily election results can be falsified on an optical scanner:

An Accu-Vote Optical Scan can be compromised with off-the-shelf equipment in a matter of minutes even if the machine has its removable memory card sealed in place. The basic attack can be applied to effect a variety of results, including entirely neutralizing one candidate so that their votes are not counted, swapping the votes of two candidates, or biasing the results by shifting some votes from one candidate to another….

Such vote tabulation corruptions can lay dormant until Election Day, thus avoiding detection through pre-election tests….  [V]oters could be unaware of any discrepancies between their cast votes and the internally recorded votes.

  • A 2007 Florida report demonstrated how viruses can be introduced and propagated from a single machine to every other computer in the jurisdiction as well as from one election to the next.  Each county will use an Election Management System (EMS) computer (commonly known as a “central tabulator”). The central tabulator reprograms the optical scanners before every election using a memory card that tells the machine who is on the ballot and how to count it, and then accumulates and reports precinct-level results after an election.  Florida’s study demonstrated how a virus introduced to a single machine would spread to every other machine in the county via memory cards:

A cleverly constructed virus can cover its tracks so that infected machines could not be detected by ordinary means and an appropriately programmed virus could self-destruct and erase all its tracks…. [I]f carefully constructed, it can allow an attacker to transfer program control to her own malicious code.  Once this happens, the attacker controls the machine.

  • A 2006 Princeton University report “describes how the virus propagates … via memory cards, without requiring any network.” NY’s wireless ban would not prevent this massive attack because all computers in a county communicate with the EMS central tabulator, which in turn communicates with each computer in the county:

An infected machine will infect any memory card that is inserted into it. An infected memory card will infect any machine that is powered up or rebooted with the memory card inserted.  Because cards are transferred between machines during vote counting and administrative activities, the infected population will grow over time.

  • A 2006 report commissioned by California’s Secretary of State corroborated that these attacks on optical scanners cannot be discerned by election officials responsible for ensuring the accuracy of the election:

There would be no way to know that any of these attacks occurred; the canvass procedure would not detect any anomalies, and would just produce incorrect results. The only way to detect and correct the problem would be by recount of the original paper ballots.

  • A 2007 report commissioned by Florida’s Secretary of State reaffirmed that election results could be readily compromised by an individual with only brief access to an optical scanner, by replacing the memory card with one preprogrammed to read one candidate’s votes as counting for another. The report also found “The attack can be carried out with a reasonably low probability of detection….”

Flaws in the Optical Scan software enable an unofficial memory card to be inserted into an active terminal. Such a card can be preprogrammed to swap the electronically tabulated votes for two candidates, reroute all of a candidate’s votes to a different candidate, or tabulate votes for several candidates of choice toward a different candidate.

  • In 2007, Ohio’s Secretary of State released the Evaluation and Validation of Election Related Equipment, Standards and Testing (EVEREST) study, which revealed, among other things, the ineffectiveness of requirements, such as NY’s, that the source code be escrowed to secure the software. The EVEREST team was able to penetrate all of Ohio’s voting systems, including Sequoia’s optical scanner, without the source code.  None of these attacks could have been detected or prevented by knowing the source code. The EVEREST report concluded that software-based systems are “insufficient to guarantee a trustworthy election.”
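
The University of Connecticut quote above names three tabulation corruptions (a neutralized candidate, swapped candidates, shifted votes), and the California report says only a recount of the original paper ballots would detect them. The following Python is an added example, not taken from any of the cited reports: it compares scanner totals with a hand count per precinct and names the pattern. The precinct IDs, candidate names and totals are constructed, and `classify` and `audit` are hypothetical helpers.

```python
# Added illustration; every name and number here is constructed.

def classify(machine, hand):
    """Compare one precinct's scanner totals with the hand count of its paper ballots."""
    names = sorted(set(machine) | set(hand))
    m = {c: machine.get(c, 0) for c in names}
    h = {c: hand.get(c, 0) for c in names}
    changed = [c for c in names if m[c] != h[c]]
    if not changed:
        return "match"
    # Swapped: two candidates each hold the other's hand-counted total.
    if len(changed) == 2:
        a, b = changed
        if m[a] == h[b] and m[b] == h[a]:
            return "swapped"
    # Neutralized: one candidate reads zero and nobody else's total moved.
    if len(changed) == 1 and m[changed[0]] == 0:
        return "neutralized"
    # Shifted: the overall total is conserved but its distribution is not.
    if sum(m.values()) == sum(h.values()):
        return "shifted"
    return "unexplained"

def audit(machine_by_precinct, hand_by_precinct):
    """Return {precinct: (pattern, totals_reconcile)} for each precinct that differs."""
    findings = {}
    for precinct, hand in hand_by_precinct.items():
        machine = machine_by_precinct.get(precinct, {})
        pattern = classify(machine, hand)
        if pattern != "match":
            reconciles = sum(machine.values()) == sum(hand.values())
            findings[precinct] = (pattern, reconciles)
    return findings

HAND = {  # constructed hand counts of the paper ballots
    "P-01": {"Adams": 412, "Baker": 388, "Clark": 57},
    "P-02": {"Adams": 301, "Baker": 344, "Clark": 40},
    "P-03": {"Adams": 520, "Baker": 275, "Clark": 61},
    "P-04": {"Adams": 198, "Baker": 233, "Clark": 22},
}
MACHINE = {  # constructed scanner-reported totals
    "P-01": {"Adams": 412, "Baker": 388, "Clark": 57},
    "P-02": {"Adams": 344, "Baker": 301, "Clark": 40},  # two totals exchanged
    "P-03": {"Adams": 470, "Baker": 325, "Clark": 61},  # 50 votes moved
    "P-04": {"Adams": 198, "Baker": 233, "Clark": 0},   # one candidate zeroed
}

if __name__ == "__main__":
    for precinct, (pattern, ok) in sorted(audit(MACHINE, HAND).items()):
        print(precinct, pattern, "totals reconcile" if ok else "totals differ")
```

In the constructed data, the swapped and shifted precincts still reconcile on total ballots counted, so only the per-candidate hand count exposes them.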