Determining the Causes of AccuVote Optical Scan Voting Terminal Memory Card Failures

Posted: August 13th, 2010 | Author: | Filed under: Other Publications | Tags: , , , , , , ,

Determining the Causes of AccuVote Optical Scan Voting Terminal Memory Card Failures
Tigran Antonyan, Nicolas Nicolaou Alexander Shvartsman and Therese Smith
In Proceedings of the 2010 USENIX/ACCURATE Electronic Voting Workshop (EVT 10)
August 11–13, 2010, Washington, DC, USA www.usenix.org/events/evtwote10/

Abstract
Optical scan (OS) voting systems play an increasing role in the United States elections, with over 40 states deploying such systems. The AccuVote optical scanners (AV-OS) manufactured by ES&S account for over 20% of all OS systems. OS systems typically use removable media (cards) to provide election-specific programming to the scanners and to convey precinct election results for central tabulation. Several reports document occurrences of AV-OS memory card failures, with up to 15% of all cards failing in some cases.

This paper reports on determining the causes of memory card failures that lead to complete loss of data from the card. An initial experimental analysis identified the battery discharge as a significant part of the problem. This finding led to the question of the dependability of the builtin function of the AccuVote OS system that issues a warning when the memory card contains a low-voltage battery. We identified the components used to implement this function in one type of AccuVote memory card. Using the specifications of the commodity batteries that are used in these cards, we determined the time interval from the instant when a battery warning is issued by the AccuVote to the point when the battery does not have enough voltage to retain data on the memory card. We show that such interval is about 2 weeks. Thus timely warnings cannot be provided to protect against battery discharge and loss of data during the election process. The factors contributing to the short warning interval are likely to apply to other battery-backed RAM cards, such as those used in the ES&S Model 100. Recommendations for mitigating the problem are made in light of the expected behavior of the warning system.

Research funded by the Secretary of the State of Connecticut and performed at the Center for Voting Technology Research at the University of Connecticut.

Full Paper: evt2010


Automating Voting Terminal Event Log Analysis

Posted: August 14th, 2009 | Author: | Filed under: Other Publications | Tags: , , , , , ,

Automating Voting Terminal Event Log Analysis
Tigran Antonyan, Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel, Nicolas Nicolaou, Alexander Russell and Alexander Shvartsman
In Proceedings of the 2009 USENIX/ACCURATE Electronic Voting Workshop (EVT 09)
August 10–14, 2009, Montreal, Canada www.usenix.org/events/evtwote09/

Abstract
In the interest of auditing election procedures, certain electronic voting technologies provide monitoring capabilities that record select actions undertaken by election officials before, during, and after an election process, as well as the conditions present in an electronic voting terminal as the result of its interactions with its environment. In this paper we report on an automated auditing process for detecting procedural irregularities for elections employing the AccuVote Optical Scan (AV-OS) terminal (manufactured by Premier Election Systems).
Our auditing process is derived from an abstract finite state model of the AV-OS; this determines, in particular, a correspondence between state transitions and logged events that separates expected and “irregular” histories. Automating the detection of these irregular histories has permitted us to provide detailed election procedure audits for full-scale Connecticut elections. We conclude the article with a discussion of the result of the event log analysis performed within the post-election audit of the November 2008 elections in Connecticut.
Additionally, we identify a defect and some deficiencies in the AV-OS event logging subsystem that can interfere with the event log transcript making it vulnerable to manipulation and discuss the effects of these deficiencies.
This research is funded by the Office of the Secretary of the State of Connecticut.

Download full paper:: evt09.pdf


Pre-Election Testing and Post-Election Audit of Optical Scan Voting Terminal Memory

Posted: August 1st, 2008 | Author: | Filed under: Other Publications | Tags: , , , , ,

Pre-Election Testing and Post-Election Audit of Optical Scan Voting Terminal Memory
Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel, Nicolas Nicolaou, Alexander Russell, Andrew See, Narasimha Shashidhar and Alexander A. Shvartsman
In Proceedings of the 2008 USENIX/ACCURATE Electronic Voting Workshop (EVT 08)
July 28–August 1, 2008, San Jose, CA, USA www.usenix.org/events/evt08/

Abstract
Optical scan electronic voting machines employ software components that are customized for each specific election. Such software components are critical from a security and integrity point of view, as they define ballot layout and outcome reporting facilities. The possibility of these components to be tampered with presents a major concern as incorrect election results may be produced due to either malicious interference or accidental corruption. Erroneous results caused by tampering or corruptions can go unnoticed in the absence of testing and auditing, and the errors may not be detectable by election officials/poll workers using the pre-election testing procedures that rely on the machines themselves. This paper presents an actual auditing process for the AccuVote Optical Scan Voting Terminal (AV-OS) (manufactured by Premier Election Solutions) and the ensuing results from a recent statewide audit, showing that thorough auditing of a large sample of voting hardware, specifically the memory cards that contain custom software components, is both practical and informative. We argue that memory card audits are crucial in providing timely information and maintaining the integrity of the electoral process. To substantiate this claim, we present as part of our results hard evidence of inadequate reliability of certain hardware components used with the voting terminals, and indications of marginal procedural compliance on the part of the poll workers. These audits were performed without any access to the manufacturer’s source code or the documentation regarding the design or the internal workings of the AV-OS terminal. We conclude the paper with several observations based on what was learned during the memory card audit process and offer recommendations aimed at enhancing the integrity of elections.
The audits presented in this paper were performed on request of the Office of the Secretary of the State of Connecticut.

Download full paper: evt08.pdf


An Authentication and Ballot Layout Attack against an Optical Scan Voting Terminal

Posted: August 6th, 2007 | Author: | Filed under: Other Publications | Tags: , , , , , ,

An Authentication and Ballot Layout Attack against an Optical Scan Voting Terminal
Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See and Alexander A. Shvartsman
In Proceedings of the 2007 USENIX/ACCURATE Electronic Voting Workshop (EVT 07)
August 6, 2007, Boston, MA, USA www.usenix.org/events/evt07/

Abstract
Recently, two e-voting technologies have been introduced and used extensively in election procedures: direct recording electronic (DRE) systems and optical scanners. The latter are typically deemed safer as many recent security reports have discovered substantial vul- nerabilities in a variety of DRE systems. In this paper we present an attack against the Diebold Accuvote optical scan voting terminal (AV-OS). Previously known attacks direct to the AV-OS required physical access to the memory card and use of difficult to find hardware (card reader/writer).
Our attack bypasses these issues by using the serial port of the AV-OS terminal and reverse engineering the communication protocol, in essence, using the terminal itself as a reader/writer. Our analysis is based solely on reverse-engineering. We demonstrate how an attacker can exploit the serious security vulnerability of weak (non-cryptographic) authentication properties of the terminal. The attack payload delivers a tampered ballot layout that, depending on the scenario, allows swapping of candidate votes, neutralizing votes, or even shifting votes from one candidate to another.

Download full paper: evt07.pdf