An Experience in Testing the Security of Real-World Electronic Voting Systems

Voting is the process through which a democratic society determines its government. Therefore, voting systems are as important as other well-known critical systems, such as air traffic control systems or nuclear plant monitors. Unfortunately, voting systems have a history of failures that seems to indicate that their quality is not up to the task. Because of the alarming frequency and impact of the malfunctions of voting systems, in recent years a number of vulnerability analysis exercises have been carried out against voting systems to determine if they can be compromised in order to control the results of an election. We have participated in two such large-scale projects, sponsored by the Secretaries of State of California and Ohio, whose goals were to perform the security testing of the electronic voting systems used in their respective states. As the result of the testing process, we identified major vulnerabilities in all of the systems analyzed. We then took advantage of a combination of these vulnerabilities to generate a series of attacks that would spread across the voting systems and would “steal” votes by combining voting record tampering with social engineering approaches. As a response to the two large-scale security evaluations, the Secretaries of State of California and Ohio recommended changes to improve the security of the voting process. In this paper, we describe the methodology that we used in testing the two real-world electronic voting systems we evaluated, the findings of our analysis, our attacks, and the lessons we learned.
