Researchers A. Kiayias, L. Michel, A. Russell, and A. A. Shvartsman at the University of Connecticut's Voting Technology Research Center and Department of Computer Science and Engineering have released a report assessing the security of the Diebold AccuVote-OS (AV-OS) Optical Scan voting terminal.
The University of Connecticut report identifies a number of new vulnerabilities of this system which, if exploited maliciously, can invalidate the results of an election process utilizing the terminal. The report also indicates that the AV-OS can be compromised with off-the-shelf equipment in a matter of minutes even if the machine has its removable memory card sealed in place. The basic attack can be applied to effect a variety of results, including entirely neutralizing one candidate so that their votes are not counted, swapping the votes of two candidates, or biasing the results by shifting some votes from one candidate to another. Such vote tabulation corruptions can lay dormant until the election day, thus avoiding detection through pre-election tests.
The report describes new safe-use recommendations for the AV-OS terminal, including the installation of tamper-resistant seals for (i) removable memory cards, (ii) serial port, (iii) telephone jacks, as well as (iv) screws that allow access into the terminal’s interior; failure to seal any single one of these components renders the terminal susceptible to the attack outlined above. An alternative is to seal the entire Optical Scan system (sans ballot box) into a tamper-resistant container at all times other than preparation for election and deployment in an election. An unbroken chain of custody must be enforced at all times. Post-election audits are also strongly advised.
Comments on the UConn Report
Comments of Michael Fischer, Prof. of Computer Science, Yale University and founding member of True Vote CT:
The UConn report shows just how vulnerable the AccuVote-OS optical scanner is to manipulations of the "programming" on the memory card and how easy it is to reprogram the card, even without removing it from the machine. However, the most worrisome attack scenario is for the card to be rigged when it is first programmed, before it is delivered to the towns and before it is inserted and sealed into the machine. The safe use procedures in the UConn report are ineffective against such an attack. They do help to prevent the memory card from being altered after it is sealed in the machine, but they do nothing to prevent a malicious program from being written on the card in the first place. While it is certainly prudent to follow such procedures, one must understand that they are not sufficient to assure a trustworthy election.
In Connecticut, the programming of the cards has been contracted out to a private out-of-state company (LHS Associates, Inc., of Massachusetts). The State has no way to verify that the cards are correct when they arrive back at the towns prior to the pre-election logic and accuracy testing. Moreover, pre-election testing is also not adequate to verify the correctness of the programming. The UConn study shows that a card can be programmed so as to behave correctly during the pre-election testing and to only corrupt votes during the real election. This means that LHS has it within their power to completely control the outcomes of all Connecticut votes counted by optical scanners. Of course, the existence of the paper ballots makes it possible to detect such corruption after the fact, but only if the paper is manually counted. In Connecticut, most ballots are not manually counted even in the event of a recount. Rather, the regulations stipulate that the ballots originally counted by machine are to be recounted by running them through the machine again using a new memory card (except for ballots that are determined through a visual inspection to be improperly marked). Obviously, if the second memory card is programmed identically to the first, one can expect the results to be similar, even if wrong.
The real problem is that the design of the AccuVote-OS scanner gives too much power to the programming on the memory card. Instead of restricting the election programming to simply describing the candidates and races and the positions of the bubbles on the printed ballot, it allows fairly general programs to be written that affect not only the testable behavior of the machine (e.g., rejecting a ballot in case of an overvote), but also that permit the manipulation of votes, reports, and audit logs. It is very difficult to prevent the misuse of that power now that it is present in the scanners. Much better would be if it were not there in the first place.
Comments of Avi Rubin, Prof. of Computer Science, Johns Hopkins University, Technical Director of the Information Security Institute and Director of the ACCURATE Center.
| 
