Technological Audits of Optical Scan Voting Systems: Summary for 2007 to 2010 Connecticut Elections

Posted: October 20th, 2011 | Author: | Filed under: Audit Reports, Post Election, Pre Election | Tags: , , , , , , ,

Security and integrity concerns regarding the use of electronic voting technologies in elections necessitate comprehensive election audits. Two types of audits are routinely performed in all state-wide elections in Connecticut: random post-election hand-counted audits and technological audits. This report presents the summary of the technological audit results in Connecticut from 2007 to 2010. The technological audits were designed on the request of the Secretary of the State (SOTS) of Connecticut by VoTeR Center and are conducted by the Center before (pre-election) and after (post-election) each state-wide election and selected primaries. The technological audits focus on the information contained on the memory cards used with the AccuVote Optical Scan (AV-OS) tabulators. This report presents the cumulative results of the pre-election and post-election technological audits. The audits examine the correctness of the programming of the memory cards with respect to the specific elections and the usage patterns at the districts in light of the election procedures established by the SOTS Office. The audits also assess the reliability of the memory cards. The conclusions are that districts do not always adhere to the established pre-election procedures. Most notably, in recent elections over 6% of the memory cards are duplicated by the districts, a practice that is not permitted by the SOTS Office; additionally, the number of cards submitted for audits has been substantially lower since 2008. The audits also established that more than 10% of the memory cards may experience data loss between the time they are programmed and the day of the election; this is apparently the reason for card duplication done by the districts. This data loss is most likely caused by the weak batteries on the cards (however, as of this writing it is not clear how long a fresh battery lasts in a memory card as some cards are known to consume substantially more power than others). To provide a better statistical basis for the overall elections landscape in Connecticut, it is recommended that the number of cards examined by the audits is substantially increased.
Read the rest of this entry »

Determining the Causes of AccuVote Optical Scan Voting Terminal Memory Card Failures

Posted: August 13th, 2010 | Author: | Filed under: Other Publications | Tags: , , , , , , ,

Determining the Causes of AccuVote Optical Scan Voting Terminal Memory Card Failures
Tigran Antonyan, Nicolas Nicolaou Alexander Shvartsman and Therese Smith
In Proceedings of the 2010 USENIX/ACCURATE Electronic Voting Workshop (EVT 10)
August 11–13, 2010, Washington, DC, USA

Optical scan (OS) voting systems play an increasing role in the United States elections, with over 40 states deploying such systems. The AccuVote optical scanners (AV-OS) manufactured by ES&S account for over 20% of all OS systems. OS systems typically use removable media (cards) to provide election-specific programming to the scanners and to convey precinct election results for central tabulation. Several reports document occurrences of AV-OS memory card failures, with up to 15% of all cards failing in some cases.

This paper reports on determining the causes of memory card failures that lead to complete loss of data from the card. An initial experimental analysis identified the battery discharge as a significant part of the problem. This finding led to the question of the dependability of the builtin function of the AccuVote OS system that issues a warning when the memory card contains a low-voltage battery. We identified the components used to implement this function in one type of AccuVote memory card. Using the specifications of the commodity batteries that are used in these cards, we determined the time interval from the instant when a battery warning is issued by the AccuVote to the point when the battery does not have enough voltage to retain data on the memory card. We show that such interval is about 2 weeks. Thus timely warnings cannot be provided to protect against battery discharge and loss of data during the election process. The factors contributing to the short warning interval are likely to apply to other battery-backed RAM cards, such as those used in the ES&S Model 100. Recommendations for mitigating the problem are made in light of the expected behavior of the warning system.

Research funded by the Secretary of the State of Connecticut and performed at the Center for Voting Technology Research at the University of Connecticut.

Full Paper: evt2010

Tampering with Special Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting

Posted: December 10th, 2007 | Author: | Filed under: Other Publications | Tags: , , , , , ,

Tampering with Special Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting
Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See, Alexander Shvartsman and Seda Davtyan
In Proceedings of the Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)
December 10-14, 2007, Miami, Florida

Special purpose trusted computing devices are currently being deployed to offer many services for which the general purpose computing paradigm is unsuitable. The nature of the services offered by many of these devices demand high security and reliability, as well as low cost and low power consumption. Electronic Voting machines is a canonical example of this phenomenon. With electronic voting machines currently being used in much of the United States and several other countries, there is a strong need for thorough security evaluation of these devices and the procedures in place for their use. In this work, we first put forth a general framework for special purpose trusted computing devices. We then focus on Optical Scan (OS) electronic voting technology as a specific instance of this framework. OS terminals are a popular e-voting technology with the decided advantage of a user-verified paper trail: the ballot sheets themselves. Still election results are based on machine generated totals as well as machine-generated audit reports to validate the voting process.

In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal (AV-OS), a popular OS terminal currently in wide deployment anticipating the 2008 Presidential elections. The assessment is developed using exclusively reverse-engineering, without any technical specifications provided by the machine suppliers. We demonstrate a number of security issues that relate to the machine’s proprietary language, called AccuBasic, that is used for reporting election results. While this language is thought to be benign, especially given that it is essentially sandboxed by the firmware to have only read access, we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that they become undetectable prior to elections (and thus significantly increasing their magnitude) or, (ii) to conditionally bias the election results to reach a desired outcome. Given the discovered vulnerabilities and attacks we proceed to discuss how random audits can be used to validate with high confidence that a procedure carried out by special purpose devices such as the AV-OS has not been manipulated. We end with a set of recommendations for the design and safe-use of OS voting systems.

Download full paper:: acsac07-voter.pdf

An Authentication and Ballot Layout Attack against an Optical Scan Voting Terminal

Posted: August 6th, 2007 | Author: | Filed under: Other Publications | Tags: , , , , , ,

An Authentication and Ballot Layout Attack against an Optical Scan Voting Terminal
Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See and Alexander A. Shvartsman
In Proceedings of the 2007 USENIX/ACCURATE Electronic Voting Workshop (EVT 07)
August 6, 2007, Boston, MA, USA

Recently, two e-voting technologies have been introduced and used extensively in election procedures: direct recording electronic (DRE) systems and optical scanners. The latter are typically deemed safer as many recent security reports have discovered substantial vul- nerabilities in a variety of DRE systems. In this paper we present an attack against the Diebold Accuvote optical scan voting terminal (AV-OS). Previously known attacks direct to the AV-OS required physical access to the memory card and use of difficult to find hardware (card reader/writer).
Our attack bypasses these issues by using the serial port of the AV-OS terminal and reverse engineering the communication protocol, in essence, using the terminal itself as a reader/writer. Our analysis is based solely on reverse-engineering. We demonstrate how an attacker can exploit the serious security vulnerability of weak (non-cryptographic) authentication properties of the terminal. The attack payload delivers a tampered ballot layout that, depending on the scenario, allows swapping of candidate votes, neutralizing votes, or even shifting votes from one candidate to another.

Download full paper: evt07.pdf