Tuesday, December 18, 2007

Ohio's E-Voting Disaster; Or: The Triumph Of State-Sponsored Greed Over Free Elections

Ars Technica:
The results are now in from a thorough, $1.9 million test of the voting machines that Ohio has used in elections over the past few years, and they paint about as awful a picture of the state's electoral apparatus as one would expect given the steady stream of grim news out of counties like Cuyahoga. The two private-sector and three academic research teams that carried out the Evaluation & Validation of Election-Related Equipment, Standards & Testing (EVEREST) study of Ohio's e-voting systems did not mince words in the 86-page Executive report that they released this past Friday (or, if words were minced, then one can imagine that the unminced version wasn't family-friendly): "The findings of the various scientists engaged by Project EVEREST are disturbing. These findings do not lend themselves to sustained or increased confidence in Ohio's voting systems."

Ohio Secretary of State Jennifer Brunner, a woman whose recent and spectacular bungling of a Cuyahoga County recount gives ample reason to doubt her commitment to fair and accurate elections, didn't even bother trying to sugarcoat this report.

"To put it in every-day terms, the tools needed to compromise an accurate vote count could be as simple as tampering with the paper audit trail connector or using a magnet and a personal digital assistant," Brunner said in a statement. Note that Brunner here is describing machines that have been in use in Ohio since before the 2004 presidential election. This isn't some glimpse of how bad things might be in November 2008. It's a look at how bad they've been all along.

Brunner went on to make the following unintentionally funny remark, which was presumably intended to inject a note of confidence into the release of a report that could almost have been titled, Barn Door Left Open; Whereabouts of Horse In Doubt: "It's a testament to our state's boards of elections officials that elections on the new HAVA mandated voting systems have gone as smoothly as they have in light of these findings."

E-voting in Ohio has gone "smoothly"? Really?!

Speaking of damage control attempts, however feeble, Premier released this press statement in response to Friday's report that contains plenty to chuckle at. I thought this gem was particularly priceless:

"It is important to note that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States."

Given the magnitude of the vulnerabilities that the report details in Premier's systems and the impossibility of conducting a meaningful audit with those systems, this is sort of like a blind and deaf person saying, "Despite my habit of cleaning my first-floor apartment in the nude with all of the street-facing windows open, I have no documented evidence that anyone has ever seen me naked."

Almost 1,000 pages of bad news
The voting systems investigated in the study came from ES&S, Hart Intercivic, and Premier Election Systems (formerly Diebold). The researchers evaluated individual components, whole systems, and elections procedures, and the list of detailed reports on each vendor's systems that they produced described technical and procedural problems with almost every aspect of each system. Like so many of their kind that litter my hard drive after years of e-voting coverage, the EVEREST reports list page after page of flaws, vulnerabilities, and bone-headed design decisions, many of which would boggle my mind were it not already completely boggled out on this topic by said prior coverage.

Ultimately, the voting systems got failing grades in the following main areas tested, according to the "Findings" section of the executive report:

Insufficient Security: The voting systems uniformly "failed to adequately address important threats against election data and processes," including a "failure to adequately defend an election from insiders, to prevent virally infected software... and to ensure cast votes are appropriately protected and accurately counted."
Security Technology: The voting systems allow the "pervasive mis-application of security technology," including failure to follow "standard and well-known practices for the use of cryptography, key and password management, and security hardware."
Auditing: The voting systems exhibit "a visible lack of trustworthy auditing capability," resulting in difficulty discovering when a security attack occurs or how to isolate or recover from an attack when detected.
Software Maintenance: The voting systems' software maintenance practices are "deeply flawed," leading to "fragile software in which exploitable crashes, lockups, and failures are common in normal use."
The EVEREST executive report's conclusions summarize the findings as follows:

Unfortunately, the findings in this study indicate that the computer-based voting systems in use in Ohio do not meet computer industry security standards and are susceptible to breaches of security that may jeopardize the integrity of the voting process. Such safeguards were neither required by federal regulatory authorities, nor voluntarily applied to their systems by voting machine companies, as these products were certified for use in federal and state elections.

In lieu of my typical bullet list of outrageous report highlights—obvious admin passwords, a complete lack of encryption on critical files, a reliance on easily manipulated "security tape" to prevent tampering, the ease with which anyone can boot some of the machines into admin mode, and other typical problems that were there in spades in this report—I'll just highlight one critical flaw in an optical scan machine of the type that everyone wants to replace the touchscreens with.

The EVEREST researchers described a vulnerability in the ES&S M100 optical scanner in which simply flipping the write-protect switch on the device's CF card to "on" would result in a precinct-wide undercount that's extremely hard to detect.

If this switch is activated after the polls are opened and reset before the polls are closed...the internal counts of the M100, and the paper tape reports will be correct and the system will function normally, but the counts of the votes scanned will not be added to the electronic media delivered to the central Board of Elections... To add to the level of difficulty in detection of the exploit, while the physical ballots are in the ballot box in the correct number and the paper tape shows the correct number, the memory card is delivered to the central Board of Elections where it is read and processed. The current processes in use in most polling places are a simple review of the paper tapes, which would be correct. As such, it is likely that unless close scrutiny or recounts of the precinct were performed that surgical use of this vulnerability would go undetected.

Note that this write-protect switch is apparently easy to flip accidentally.

Obviously, turning on the write-protect for the duration of a whole election would cause that machine's precinct to report "zero" votes cast, thereby tipping off election officials that something was wrong. But if a malicious precinct worker were to just reach down periodically and flip the switch on and off during the course of a day's polling, he or she could easily cause a serious undervote that would only be detected by a hand count of the optical scan ballots.
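To make the detection gap concrete, here is an added illustration (my own, not ES&S code and not from the EVEREST report): a toy model of the undercount as the report describes it, alongside the one check the report implies would catch it. The model assumes the scanner records each ballot to the memory card as it is scanned and that a write attempted while write-protect is on is silently dropped; the polling-day timelines and the precinct size are constructed.

```python
# Added illustration (not ES&S code): toy model of the M100 write-protect
# undercount described in the EVEREST excerpt, plus the reconciliation check
# a board of elections would need before tabulating the memory card.
# Model assumption: the scanner appends each ballot's count to the card as it
# is scanned, and a write attempted while write-protect is on is silently
# dropped. Event timelines below are constructed, not captured from a device.
from dataclasses import dataclass


@dataclass
class Scanner:
    internal_total: int = 0    # count kept by the scanner itself
    paper_tape_total: int = 0  # what the end-of-day results tape prints
    card_total: int = 0        # what the removable memory card carries to the board
    ballot_box: int = 0        # physical ballots in the box under the scanner
    write_protect: bool = False

    def scan(self) -> None:
        self.ballot_box += 1
        self.internal_total += 1
        self.paper_tape_total += 1
        if not self.write_protect:  # the only path that is lost under write-protect
            self.card_total += 1


def run_day(events):
    """Replay a polling-day timeline.

    events: sequence of ("ballot",) or ("wp", bool) in chronological order.
    """
    s = Scanner()
    for ev in events:
        if ev[0] == "ballot":
            s.scan()
        elif ev[0] == "wp":
            s.write_protect = ev[1]
        else:
            raise ValueError(f"unknown event {ev!r}")
    return s


def paper_tape_review(s: Scanner) -> bool:
    """The poll-closing check most precincts actually do: does the results
    tape agree with the scanner's own counter? It does, even when the card is short."""
    return s.paper_tape_total == s.internal_total


def reconcile(s: Scanner):
    """The check the board needs before tabulating the card: card total vs. the
    precinct paper tape vs. the physical ballot count. Returns a list of
    discrepancies; an empty list means the card agrees with the precinct."""
    problems = []
    if s.card_total != s.paper_tape_total:
        problems.append(f"card reports {s.card_total}, paper tape reports {s.paper_tape_total}")
    if s.card_total != s.ballot_box:
        problems.append(f"card reports {s.card_total}, ballot box holds {s.ballot_box}")
    return problems


def surgical_timeline(n_ballots: int, protect_windows):
    """Constructed timeline: n ballots, with write-protect on while the ballot
    index falls inside any (start, stop) half-open range in protect_windows."""
    events = []
    for i in range(n_ballots):
        on = any(a <= i < b for a, b in protect_windows)
        events.append(("wp", on))
        events.append(("ballot",))
    events.append(("wp", False))  # switch reset before polls close, as in the report
    return events


if __name__ == "__main__":
    scenarios = [
        ("honest", surgical_timeline(400, [])),
        ("switch on all day", surgical_timeline(400, [(0, 400)])),
        ("surgical flips", surgical_timeline(400, [(50, 70), (200, 230)])),
    ]
    for name, events in scenarios:
        s = run_day(events)
        print(f"{name:18} tape={s.paper_tape_total:3} card={s.card_total:3} "
              f"tape review ok={paper_tape_review(s)} reconcile={reconcile(s)}")
```

The "switch on all day" case is the one election officials notice, because the card arrives with zero votes. The "surgical flips" case is the one the report worries about: the tape review passes, the ballot box holds the right number of ballots, and only a comparison of the card's total against the tape or a hand count of the ballots exposes the 50 missing votes.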

Of course, the problems with the optical scan machines didn't end there. In a section of one report document that brought back memories of hanging chads for me, the research team from a company called Systest reported that the M100 also had serious problems properly recognizing votes on ballots where the ovals were less than fully filled in. "It is possible that clearly indicated votes may not be recognized by the scanner," Systest stated in their report, "and if the election is not configured to warn of undervotes, those votes will be lost. It's also possible that overvotes may not be recognized as such and warned about if made with marks that the scanner does not recognize."

Nonetheless, optical scan to the rescue
In the wake of the report, Brunner is talking about scrapping all of the direct recording electronic machines (DREs, aka "touchscreens") in the state and moving to a system in which Ohio voters manually mark optical scan ballots that are then shipped off to a centralized location for scanning. In order to give this system enough time to work, Brunner is proposing that early voting begin a full fifteen days before the election date, with polling locations open from 7am to 7pm six days a week, and from noon to 7pm on Sundays.

The move to centralize the actual ballot scanning is intended to cut down on the number of points at which attackers could influence the polling using simple tricks like the CF card "write protect" manipulation described above. Unfortunately, it would also have the effect of creating fewer points of failure for the entire voting system, so that you'd need fewer bad actors willing to do the CF card trick if you wanted to steal an election. Unless the security at the centralized polling location is extremely tight and the people who are doing the ballot scanning are 100 percent trustworthy, this portion of Brunner's plan could make stealing an election even easier.

Even though the long-term plan is to replace all of the DREs in the state with optical scan machines, the report admits that this won't be possible in time for the March 2008 presidential primaries. There is some hope, however, that the new system (such as it is) will be in place for the 2008 presidential election.
Links to the report and its appendixes are here.
