ES&S Uses Undergraduate Project to Lobby New York Legislature on Risky Voting Machines

The New York State Legislature is considering a bill that would ban all-in-one voting machines, that is, voting machines that can both print votes on a ballot and scan and count votes from a ballot – all in the same paper path.

This is an important safeguard because such machines, if they are hacked by the installation of fraudulent software, can change or add votes that the voter did not intend and never got a chance to see on paper.

One voting machine company, Election Systems and Software (ES&S), which makes an all-in-one voting machine, the ExpressVote XL, is lobbying hard against this bill. As part of its lobbying package, ES&S is claiming that “Rochester Institute of Technology researchers found zero attacks” on the ExpressVote XL, based on an article (included in ES&S’s lobbying package) from Rochester Institute of Technology entitled “RIT cybersecurity student researchers put voting machine security to the test.”

If this were actually a scientific article, one could critique it as actual science.  But it’s not a scientific paper:  The article is written by Scott Bureau, Senior Communications Specialist, RIT Marketing and Communications in the RIT public relations department. 

The article describes an undergraduate student “capstone project.”  The students were interviewed by ES&S, allowed ES&S to inspect their testing site, and then signed a nondisclosure agreement with ES&S.  The students made up two attack scenarios, then spent 10 days trying to find attacks.  They found some vulnerabilities, but not one that could change votes.

The students made public a one-page poster describing their project. It’s fine for undergraduate student work; capstone projects are a really useful part of engineering education. But it’s not a scientific paper that describes their methods, the limitations placed upon them by needing permission from ES&S, or, in any detail, their results.

Even so, the students describe enough for me to notice that they missed three of the most important attack scenarios:

  • Hacker intrusion into the ES&S corporate engineering network, stealing cryptographic keys and source code, or altering the software to be installed into all ExpressVote XL machines nationwide in the next software update.
  • Hacker intrusion into the county election administrator’s network, stealing cryptographic keys and allowing manipulation of ballot-definition downloads.
  • Stealing an ExpressVote XL anywhere in the country, not just in New York, and tearing it apart to reverse engineer and steal crypto keys.

There may be many other attacks. That’s why penetration testing can never prove that a computer system is secure: pen-testing only examines the attacks that the pen-testers happen to think of.

These are standard attacks. These are the ones that can be so effective and dangerous that there is good reason for banning such voting machines. Maybe those Rochester students are aware of such attacks. Maybe not. But it seems unlikely that ES&S would have given permission for such experiments. That’s why respectable academic security researchers don’t restrict their activities to those in the comfort zone of the corporations whose products they are examining.

It is irresponsible and misleading of ES&S to characterize an undergraduate student project, conducted under conditions controlled by ES&S, described in a publicity puff-piece written by a public-relations flack, as “RIT researchers found zero attacks.”


Comments

3 responses to “ES&S Uses Undergraduate Project to Lobby New York Legislature on Risky Voting Machines”

  1. Dorothy Holley

    If any voting machines are vulnerable to attack and change they should be banned for ones that are not.

  2. Andrew Afonso

    One of the researchers here. Our NDAs prevented publishing the full findings, but rest assured, we considered the scenarios you mentioned.

    What we stated was that we found zero attacks you could carry out that would impact vote count results in the real world.

    Yeah, if you take a crowbar to the machine and rip it apart, you can get access to the computers inside, and you can just pull the firmware. It’s not designed as a system that relies on technical infallibility. What it relies on is that you can’t bring a crowbar and rip apart a polling machine in a polling location unnoticed. It’s not a networked machine. Yes, we found possible theoretical attacks in the scenario that someone does indeed get a crowbar in (or otherwise accesses the machines during active polling) unnoticed, but the normal functions of a polling place mitigate everything we found.

    We met with polling place administrators from most of, if not all of, the states that used the EXL at the time of research, and understood the basic universal processes used across them all. I won’t get into those too specifically out of respect for these people speaking freely and in detail about their processes, but if you’re a US citizen you’re more than welcome to contact those organizations in the respective states to learn more.

    Basically, the non-technical safeguards in place within polling places mitigate the potential for any technical attacks to actually affect vote counts. A few high-level examples: if your paper ballot results don’t match up with the electronically reported info, this is flagged and audited. If the vote counts don’t match the sign-in sheets, party registrations, or other known information, this is flagged and audited.

    Absolutely, if you completely rely on the digital systems, your voting process becomes vulnerable to digital attacks. This was not the case for any of the states using the EXL at the time we conducted our research. Steal the crypto keys, reverse the firmware, hax the whole company… it won’t get around good ol democracy in action. The frank truth is that we have to rely on the integrity of the people running our election centers to protect any voting process. It doesn’t matter the technology (or lack thereof) being used. A paper ballot can be doctored if the person with the keys (or people, depending on your state) has malicious intent. What stands between us having free, fair, and truthful elections, and becoming another Russia, is these poll workers. That’s why it’s so important to get involved with the polling process in your local community in a constructive way.

    Feel free to reach out with any more questions! I can try to answer as best I can without divulging anything confidential.

    1. Andrew Appel

      Many of the threats are not about what the voter does in the polling place, but hacking voting machines before the election. And unlike 1990s-era machines where the firmware was in a ROM chip that needed to be physically replaced, the hacks we worry about are, for example, the ones that propagate from election management servers to voting machines on the flash drives that are used to transfer ballot-definition files to the voting machines.
