Sources and Validators

Security Analysis of the Diebold AccuVote-TS Voting Machine (archived)

2007 | Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten

Abstract:
"This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. 

For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities—a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. 

Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures."

Excerpts:
“Malicious software running on a single voting machine can steal votes with little risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines. [...]

From a computer security standpoint, [Direct Recording Electronic Voting Systems] have much in common with desktop PCs. Both suffer from many of the same security and reliability problems, including bugs, crashes, malicious software, and data tampering. Despite years of research and enormous investment, PCs remain vulnerable to these problems, so it is doubtful, unfortunately, that [Direct Recording Electronic Voting Systems] vendors will be able to overcome them.”

-

Note: Diebold Election Systems was acquired by Election Systems and Software (ES&S) in 2009 before assets formerly belonging to Diebold were split between ES&S and Dominion Voting.

Source: The Genesis of America’s Corrupted Computerized Election System

October 10, 2018 | Jennifer Cohn

Questions for the Record | Senate Select Committee on Intelligence
Jeanette Manfra, Acting Director of Undersecretary, National Protection and Programs Directorate U.S. Department of Homeland Security

Excerpt:

“While not a definitive source in identifying individual activity attributed to Russian government cyber actors, the Department of Homeland Security (DHS) is aware of Internet-connected election-related networks, including websites, in at least 21 states that were potentially targeted by Russian government cyber actors. Although we’ve refined our understanding of individual targeted networks, supported by classified reporting, our observations include: a small number of networks were successfully compromised, there were a larger number of states where attempts to compromise networks were unsuccessful, and there were an even greater number of states where only preparatory activity like scanning was observed.”

Expert Testimony |  Professor Dr. J. Alex Halderman, Professor of Computer Science & Engineering, University of Michigan. 

Excerpts:

U.S. Voting Machines Are Vulnerable 

As you know, states choose their own voting technology. Today, the vast majority of 3 votes are cast using one of two computerized methods. Most states and most voters use the first type, called optical scan ballots, in which the voter fills out a paper ballot that is then scanned and counted by a computer. The other widely used approach has voters interact directly with a computer, rather than marking a choice on paper. It’s called DRE, or direct-recording electronic, voting. With DRE voting machines, the primary records of the vote are stored in computer memory. 

Both optical scanners and DRE voting machines are computers. Under the hood, they’re not so different from your laptop or smartphone, although they tend to use much older technology—sometimes decades out of date. Fundamentally, they suffer from security weaknesses similar to those of other computer devices. I know because I’ve developed ways to attack many of them myself as part of my research into election security threats. 

Ten years ago, I was part of the first academic team to conduct a comprehensive security analysis of a DRE voting machine. We examined what was at that time the most widely used touch-screen DRE in the country, and spent several months probing it for vulnerabilities. What we found was disturbing: we could reprogram the machine to invisibly cause any candidate to win. We also created malicious software—vote-stealing code—that could spread from machine-to-machine like a computer virus, and silently change the election outcome. Vulnerabilities like these are endemic throughout our election system. 

Cybersecurity experts have studied a wide range of U.S. voting machines—including both DREs and optical scanners—and in every single case, they’ve found severe vulnerabilities that would allow attackers to sabotage machines and to alter votes.

That’s why there is overwhelming consensus in the cybersecurity and election integrity research communities that our elections are at risk.

Cyberattacks Could Compromise Elections

Of course, interfering in a state or national election is a bigger job than just attacking a single machine. Some say the decentralized nature of the U.S. voting system and the fact that voting machines aren’t directly connected to the Internet make changing a state or national election outcome impossible. Unfortunately, that is not true.

Some election functions are actually quite centralized. A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters.

Furthermore, in close elections, decentralization can actually work against us. An attacker can probe different areas of the most important “swing states” for vulnerabilities, find the areas that have the weakest protection, and strike there. In a close election, changing a few votes may be enough to tip the result, and an attacker can choose where—and on which equipment—to steal those votes. State and local elections are also at risk.

Note: Underlining added for emphasis.