ES&S e-voting system used in California cracked wide open
technica | December 05, 2007
Earlier this year, California Secretary of State Debra Bowen established strict new standards for electronic voting machines, requiring independent code audits, Red Team security testing, and support for paper records. The Red Team testing process primarily involves subjecting the machines to review by security experts who attempt to hack the software and bypass the physical security mechanisms. Recent Red Team tests of ES&S voting machines have uncovered serious security flaws.
Previous Red Team tests commissioned by the state of California revealed significant vulnerabilities in devices sold by Diebold and Sequoia. At the time, ES&S declined to participate in the testing, citing lack of preparedness. The tests on the ES&S machines were finally conducted in October, and the results, which were recently published (PDF), show that products from ES&S are as insecure as the rest.
The first round of tests focused on the physical security of the Polling Ballot Counter (PBC), which the Red Team researchers were able to circumvent with little effort. "In the physical security testing, the wire- and tamper-proof paper seals were easily removed without damage to the seals using simple household chemicals and tools and could be replaced without detection," the report says. "Once the seals are bypassed, simple tools or easy modifications to simple tools could be used to access the computer and its components. The key lock for the Transfer Device was unlocked using a common office item without the special 'key' and the seal removed."
After bypassing the physical security of the voting machines, the Red Team researchers were able to gain direct access to all of the files on the systems, including password files. "Making a change to the BIOS to reconfigure the boot sequence allows the system to be booted up using external memory devices containing a bootable Linux copy," according to the researchers. "Once done, all the files can be accessed and potentially modified, including sensitive files such as the password file which can be cracked by openly available cracker programs. New users may be added with known passwords and used by the same attacker or other attackers later."
The Election Management System workstations were also found to be vulnerable, with critical security codes stored in files as plain text. The Red Team also discovered that the Election Loader System used unencrypted protocols to transmit election initialization data to the PBC units, which implies vulnerability to a man-in-the-middle attack. The Election Loader System is populated with data from an Election Distribution CD, which is generated by a special Election Converter Application. The researchers were able to break the encryption used on the generated CD to "breakdown the CD, revise the election definition, and replace the CD with a new encrypted CD with an alternate election definition." The researchers note that this tactic could be used to alter vote tallies.
ES&S is already in serious trouble in California for selling uncertified voting machines to several counties in violation of state law. The results of the Red Team test, which demonstrate beyond doubt that the security of ES&S voting machines is utterly inadequate for use in elections, make it seem unlikely that ES&S will be able to continue peddling their defective products in the state.