Dan Wallach has published a nice blog post on voting machines, and I would like to comment both as a security evaluator and as a French citizen interested in the electoral process.
In the past few years, I have kept an interest in politics and votes, and I have participated in the electoral process in my country, France. Because of that, I am interested in the debate about electronic voting machines. My interest grew even further when my own city of Valbonne decided to switch to voting machines.
But first, a few comments about evaluations. Wallach is disappointed by the result of the (very interesting) source code reviews conducted in the US:
Was our work a “realistic approximation” of what happens in a real election? When the vendors call our work “unrealistic”, they usually mean one of two things:
- Real attackers couldn’t discover these vulnerabilities
- The attackers can’t be exploited in the real world.
Both of these arguments are wrong. In real elections, individual voting machines are not terribly well safeguarded. […] The big difference between what we had and what an attacker might have is that we had some (but not nearly all) source code to the system. An attacker who arranged for some equipment to “fall off the back of a truck” would be able to extract all of the software, in binary form, and then would need to go through a tedious process of reverse engineering before reaching parity with the access we had.
In the smart card industry (and I am sure, in other industries), laboratories practice black-box security evaluations, in which they have the same attack means as “normal” attackers. That’s the way I have been performing card evaluations for a few years, and it is indeed quite efficient. One of the advantages of this approach is that you are not “polluted” by the thinking of the designer, because you don’t know exactly what he coded. Instead of trying to find a bug in the code, you are directly looking for vulnerabilities in the system. And believe me, it works, and you can find nice bugs this way. Black-box evaluations don’t solve all the problems, but when an attack works, vendors have a hard time explaining why other attackers would not be able to make it work.
About exploitation in the real world, I would not worry too much. In France, cities are responsible for organizing votes. This means that the cities are in particular in charge of guarding the machines before an election. In the particular case of city council elections, this means that one of the potential attackers is actually in charge of the security of the machines.
In France, we typically hold elections one at a time, or at worst, two at a time. In such cases, paper ballots work just fine. In a typical precinct with 1,000 registered voters, it takes about an hour to count everything, and the counting process can be absolutely transparent and public and pretty well secured. In this context, voting machines solve no problem; they just create new ones. And for somebody who was used to counting ballots by hand, the little button pressed to get the count and the strip of (thermal) paper it prints don’t look secure at all; all they do is make me long for the good ol’ times.
For the fun of it, here are a few interesting things that happened during the first day of use of the machines:
- First, we discovered a nice vulnerability in the machines. The machines are portable, and they look like a big suitcase, which you open and put on a special stand. The problem is that there was a gap at the hinges, which allowed the precinct staff to see very clearly the choice made by the voters. It was nice to be able to see who voted “right”, but we still decided to put some tape over that gap.
- Some guy liked the machine very much, because he was clearly convinced that all precinct staff were cheaters, ready to steal his vote. He even wanted to insert his voter registration card in the machine and have the machine perform the authentication and record his vote. Nice features for would-be cheaters, which shows that most people don’t understand that privacy is an important part of voting.
Finally, the funny thing about all these voting machines is how amateurish they look and feel. The ones we use in Valbonne look like they have been built by an electronics hobbyist with pieces scrapped from various devices. And every paper I read seems to show that these people use custom-made electronics that hardly work (for instance, for the little devices in which the tallies are actually stored). These things should use general-purpose electronics. Of course, my background makes me think that smart cards would be good candidates: some smart cards have already been certified by many states for government use. In addition, the technology is widely used, and it has been proven hard to tamper with. Well, I will stop the argument here, because I am not sure that I want to have anything to do, even remotely, with the implementation of voting machines.