Analysis of an Electronic Voting System

IEEE Symposium on Security and Privacy, Oakland, CA, May, 2004.
Authors
Tadayoshi Kohno
Adam Stubblefield
Aviel D. Rubin
Dan S. Wallach

Abstract
With significant U.S. federal funds now available to replace outdated punch-card and mechanical voting systems, municipalities and states throughout the U.S. are adopting paperless electronic voting systems from a number of different vendors. We present a security analysis of the source code to one such machine used in a significant share of the market. Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker, modify the votes, but that insiders can also violate voter privacy and match votes with the voters who cast them. We conclude that this voting system is unsuitable for use in a general election. Any paperless electronic voting system might suffer similar flaws, despite any "certification" it could have otherwise received. We suggest that the best solutions are voting systems having a "voter-verifiable audit trail," where a computerized voting system might print a paper ballot that can be read and verified by the voter.

Paper: PDF

Rebuttal
On July 30, 2003, Diebold posted a "technical analysis" of our report at http://www2.diebold.com/checksandbalances.pdf.

Our response is available at: http://avirubin.com/vote/response.html.

Doug Jones from the University of Iowa Department of Computer Science also responded to their analysis at http://www.cs.uiowa.edu/~jones/voting/dieboldftp.html#rebuttals.

SAIC Report
In early August 2003 the state of Maryland hired a third-party consulting firm (SAIC) to perform an analysis of Diebold’s AccuVote-TS voting system. On September 24, 2003, Maryland made SAIC’s report public. To quote the SAIC report, “[t]he system, as implemented in policy, procedure, and technology, is at high risk of compromise.” Despite the problems identified in our report and in the SAIC report, Maryland is still planning to proceed with the 55.6 million dollar purchase of Diebold AccuVote-TS voting terminals.

To help mitigate the risks identified in the security analyses, Maryland proposed a set of technological changes to Diebold’s voting machines as well as procedural changes to the election process. While this may help “raise the bar,” it is impossible to know whether any security analysis identifies all the possible vulnerabilities present in an analyzed system. By only patching the known vulnerabilities, Maryland is not actually ensuring that the voting system will be secure. Rather, Maryland should follow security engineering best practices, which state that security can only be assured through a rigorous design process that considers security from a project’s conception, not through a set of patches applied after the fact.

It appears that the state of Maryland has had to compromise on the security of the voting system due to the election calendar. The Maryland State Board of Elections states that “an alternative system could not be implemented in time to conduct the March 2004 Presidential Primary election and could jeopardize the November 2004 Presidential General election.” Unfortunately, by compromising on security, the integrity and privacy of these elections may still be in jeopardy.


RABA Report
The consulting firm RABA has issued a report on the security of the Diebold machines. They validated our findings and found other problems as well. Perhaps the best coverage of this study is in a Wired report by Kim Zetter.

Questions for vendors
We have compiled a list of questions that people considering buying voting machines can ask their vendors.