Analysis of an electronic voting system

With significant U.S. federal funds now available to replace outdated punch-card and mechanical voting systems, municipalities and states throughout the U.S. are adopting paperless electronic voting systems from a number of different vendors. We present a security analysis of the source code to one such machine used in a significant share of the market. Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker, modify the votes, but that insiders can also violate voter privacy and match votes with the voters who cast them. We conclude that this voting system is unsuitable for use in a general election. Any paperless electronic voting system might suffer similar flaws, despite any certification it could have otherwise received. We suggest that the best solutions are voting systems having a voter-verifiable audit trail, where a computerized voting system might print a paper ballot that can be read and verified by the voter.
