Researchers from the University of California found IT and physical security vulnerabilities in three electronic voting systems as part of a study for the top election official of the nation's most populous state.
Teams using penetration testing techniques found that electronic voting systems from Diebold, Hart InterCivic and Sequoia are not secure enough to fend off hackers or physical tampering, according to a report penned by Matt Bishop, principal investigator based at the University of California.
"The red teams demonstrated that the security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results," Bishop said in the report.
"Given the importance of voting and elections in the governing of the state of California, one may safely say that these systems are ‘mission critical.’ Such systems need to be of the highest assurance in order to ensure they perform as required. Techniques for developing such systems are well know, but, sadly, not widely used. Vendors would do well to adopt them for electronic voting systems."
The tests were carried out as part of a "top-to-bottom review" of electronic voting for California Secretary of State Debra Bowen, a Democrat.
A testing team led by researcher Robert P. Abbot, based in Sacramento, tested the Diebold GEMS 1.18.24/AccuVote and the Hart InterCivic System 6.2.1. Another team, led by Giovanni Vigna and Richard Kemmerer, based at the University of California, Santa Barbara, tested the Sequoia WinEDS version 3.1.012.
Researchers found a number of information security issues in the Sequoia machine, including ways to overwrite the firmware and boot loader, detect when the machine is in election mode and access the Election Management System.
In the Diebold machine, researchers were able to penetrate the Election Management System and corrupt AccuVote TSx and security keys for cryptography.
Flaws in the Hart system were found in Election Management System, eScan firmware, JBC and eSlate.
Physical security issues were found while testing all three devices, according to the researchers.
Researchers would have found more flaws had they more time to test, according to Bishop.
"The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a ‘lower bound.’ All team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities," he said. "In particular, Abbott’s team reported that it believed it was close to finding several other problems, but stopped in order to prepare and deliver the required reports on time. Vigna’s and Kemmerer’s team also reported that they were confident further testing would reveal additional security issues."
Hart released a statement on Friday defending its security practices.
"The Hart Voting System has a series of redundant and auditable measures in place to ensure accuracy and security. Once cast, three copies of the electronic ballot are saved. Each of the three records is verifiable and auditable for security and accuracy," read the company’s statement. "In addition to regulation by both the federal and state governments, the Hart Voting System has been independently audited by Symantec, an acknowledged leader in technology security, and has received internationally recognized security certification. Hart has implemented Symantec’s recommendations in order to enhance security."
Sequoia said Friday in a statement posted on its website that the methodology used in the penetration testing was not reflective of real-world hackings.
"This was not a security risk evaluation but an unrealistic worst case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the machines and software over several weeks," read the company’s statement. "This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation’s democracy that our customers — and all election officials — carry out every day in their very important jobs of conducting elections in California and throughout the United States."
Ted Julian, vice president of marketing and strategy at Application Security, told SCMagazine.com today that electronic voting machine vendors should focus on data security.
"I don’t know that there’s anything revolutionary in [the report]. It’s more a confirmation of things that have been talked about for a long time," he said. "There’s no question that a lot of attention has been placed on the machines themselves, but the reality is that it’s the data that matters, and you don’t see as much conversation about where that is stored, how it is aggregated and how it is protected along the way."
John Fisher, Bharosa CEO, told SCMagazine.com today that electronic voting machines will need to provide interface-level security for citizens.
"It’s inevitable that these types of interfaces and approaches are here to stay and necessary, it’s just that they need to have something where a user is protected at the interface and at the web level," he said.
A Diebold representative could not be immediately reached for comment today.