Breaking Story based on a Talk Nation Radio interview with Professor Alexander A. Shvartsman of the University of Connecticut’s Voting Technology Research Center.
Computer scientists at the University of Connecticut’s Voting Technology Research Center were able to hack into Diebold’s TSX machine undetected. They were using a machine submitted by Diebold in 2006 as required by a legal procurement process. The UConn team was able to swap votes from candidate A with candidate B and could even completely eliminate a candidate’s name from a ballot.
They found they could tamper with the votes in a machine easily and without benefit of Diebold’s carefully guarded source code.
If the (Diebold Election Systems Inc.) machine Connecticut received from Diebold in 2006 is identical to the Diebold TSX voting terminals in use in states like California and Ohio, a wider investigation is indicated.
Professor Alex Shvartsman explained that he and others on the UConn team could change the votes each and every time they tried, using a laptop computer. And the process of vote swapping is exactly what it sounds like, he said. “If there is a candidate X and candidate Y and ten people vote for X and five people for Y, or so they think, in the result the votes are swapped so the first candidate gets five votes and the second candidate gets ten votes.”
Not only is the process easy, it is also fast. “If prior to the election somebody gains access to the machine and to the memory cards and understands how to make this change then it’s a matter of a very few minutes.” According to Shvartsman the hacking takes place so quickly and easily that even a voter could do it while casting a vote.
The State’s computer expert did not have an explanation for the failure but suggested it was probably an oversight by the company’s technical engineers. He said, “I cannot possibly think of anything other than perhaps people were trying to meet the deadlines and the system was not tested as it should have been.”
He added, “It’s really an engineering oversight. It is clear that the engineers at Diebold tried to protect the data. They went through the motions certainly. But they did not complete the task of protecting the data.”
UConn’s team concluded that the root of the problem with Diebold’s TSX voting terminal lies in the cryptographic integrity checks. The TSX was promptly rejected in 2006 in favor of Diebold’s AccuVote Optical Scan model with a paper trail representing how each vote was cast. In what turned out to be a vindication of the views of Connecticut voting rights activists, Secretary of State Susan Bysiewicz ultimately agreed that DRE technology should be rejected.
UConn’s team has not spent a great deal of time with the Diebold TSX but readily found during basic tests that “not all of the machine’s integrity checks were performed and not all of them were performed correctly either,” explained Shvartsman.
“Ideally voting machines should be encrypted in such a way that it is extremely difficult for an attacker to understand what’s in the data, how to read it and consequently how to modify it,” he said.
He compared the process to email. “When we send secure encrypted email messages such messages cannot be very easily read by, let’s say, somebody who is eavesdropping on the email communication. However when the protection is weak it may be possible for an observer to read the data with relatively little effort and if they are able to read the data and understand the structure of the data then they can alter the data in such a way that the recipient of the data, in our case the voting machine, would not be able to distinguish between the original data and the tampered data. In the memory cards in the TSX machines the protection is incomplete so it is possible to alter parts of the data without the machine noticing that the data is not the original data, which leads to compromised elections.”
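The distinction drawn above, between encryption that hides data and an integrity check that lets the recipient detect alteration, and the incomplete coverage described for the TSX cards, can be illustrated with a small constructed model. The Python below is an added example, not code from the UConn report or from Diebold; the card layout, file names, key and candidate names are all made up for illustration. It contrasts a loader that checks only some files and silently ignores a failed check with a loader that verifies a keyed manifest over the entire card and refuses to load anything if the manifest does not verify.

```python
import hashlib
import hmac
import json

# Hypothetical key for the demo; a real terminal would hold its own secret.
MAC_KEY = b"constructed-demo-key"


class IntegrityError(Exception):
    """Raised by the fail-closed loader when the card does not verify."""


def _mac(data: bytes) -> str:
    return hmac.new(MAC_KEY, data, hashlib.sha256).hexdigest()


def build_card(candidates, protected):
    """Constructed card image: one small file per candidate, with a MAC file
    only for the data files named in `protected` (the incomplete scheme)."""
    files = {}
    for slot, name in enumerate(candidates):
        fname = f"cand{slot}.dat"
        body = json.dumps({"slot": slot, "name": name}).encode()
        files[fname] = body
        if fname in protected:
            files[f"cand{slot}.mac"] = _mac(body).encode()
    return files


def load_partial(files):
    """Incomplete checking: unprotected files are trusted as-is, and a file
    whose check fails is ignored rather than reported (fail-open)."""
    ballot = []
    for fname in sorted(files):
        if not fname.endswith(".dat"):
            continue
        body = files[fname]
        mac_name = fname[:-4] + ".mac"
        if mac_name in files and not hmac.compare_digest(
                files[mac_name].decode(), _mac(body)):
            continue  # the candidate simply disappears from the ballot
        ballot.append(json.loads(body)["name"])
    return ballot


def seal_card(files):
    """Complete scheme: a MAC over a manifest listing every file and its hash."""
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in sorted(files.items())}
    blob = json.dumps(manifest, sort_keys=True).encode()
    return {**files, "MANIFEST": blob, "MANIFEST.mac": _mac(blob).encode()}


def load_complete(files):
    """Fail-closed: verify the manifest MAC, then require the file set to match
    the manifest exactly (nothing missing, renamed, added or altered)."""
    blob, tag = files.get("MANIFEST"), files.get("MANIFEST.mac")
    if blob is None or tag is None or not hmac.compare_digest(tag.decode(), _mac(blob)):
        raise IntegrityError("manifest missing or MAC mismatch")
    manifest = json.loads(blob)
    data = {n: b for n, b in files.items() if n not in ("MANIFEST", "MANIFEST.mac")}
    if set(data) != set(manifest):
        raise IntegrityError("file set differs from manifest")
    for name, body in data.items():
        if hashlib.sha256(body).hexdigest() != manifest[name]:
            raise IntegrityError(f"{name} altered")
    return [json.loads(data[n])["name"] for n in sorted(data) if n.endswith(".dat")]


def demo():
    """Run both loaders over a clean card and over constructed altered copies."""
    cands = ["Candidate X", "Candidate Y", "Candidate Z"]
    card = build_card(cands, protected={"cand0.dat", "cand1.dat"})  # slot 2 unchecked
    out = {}
    # An altered unprotected file is accepted without any complaint.
    t1 = dict(card)
    t1["cand2.dat"] = json.dumps({"slot": 2, "name": "Someone Else"}).encode()
    out["partial_unprotected"] = load_partial(t1)
    # An altered protected file fails its check and is silently dropped.
    t2 = dict(card)
    t2["cand1.dat"] = json.dumps({"slot": 1, "name": "Candidate Q"}).encode()
    out["partial_protected"] = load_partial(t2)
    # The manifest scheme loads a clean card and rejects any altered copy.
    sealed = seal_card(card)
    out["complete_clean"] = load_complete(sealed)
    for label, bad in (("complete_altered", {**sealed, "cand1.dat": t2["cand1.dat"]}),
                       ("complete_renamed", {k: v for k, v in sealed.items() if k != "cand2.dat"})):
        try:
            load_complete(bad)
            out[label] = "accepted"
        except IntegrityError:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the manifest is that coverage is a property of the whole card, not of individual files: a check that can be skipped by leaving a file unprotected, or that reacts to failure by dropping data, gives the operator no signal that anything is wrong, whereas the fail-closed loader turns every alteration into a reported error before any ballot is displayed.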
For Shvartsman the findings indicate that states must thoroughly and independently test all voting machines selected. He finds it remarkable that most states do not have sample voting machine technology to use in performing the kinds of tests the UConn voting integrity team ran.
Due to the timely nature of this story we decided to post our report prior to the broadcast of this interview.
The University of Connecticut Voting Technology Research Center report, Integrity Vulnerabilities in the Diebold TSX Voting Terminal (July 2007), is available for download.
See also: Bradblog.com for a national story ‘On the Last Throes and/or Last-Minute Compromise of the Holt Election Reform Bill’
Diebold’s TSX Voting Terminal Fails UCONN’s Integrity Test
Dori Smith, Talk Nation Radio July 20, 2007
An interview with Professor Alexander A. Shvartsman of the University of Connecticut’s Voting Technology Research Center
DS: Professor Shvartsman, welcome to Talk Nation Radio.
AS: Yes, how are you?
DS: Good, thank you.
DS: This report has to do with Integrity Vulnerabilities in Diebold’s TSX Voting Terminal. Let me just ask you first, this is not Connecticut’s voting machine right now right?
AS: That is correct. The machines used in Connecticut are the optical scan machines which are quite different from the touch screen AV TSX machines.
OK. Was this in fact one of the machines that were at one time proposed for Connecticut by Diebold?
AS: That is correct.
DS: OK, rejected?
AS: They were not selected. Connecticut selected optical scan machines and I can explain some of the reasons why.
DS: That would be great. Why don’t you do so?
AS: One of the main advantages of the optical scan machines is that it provides by its very nature a voter verified paper trail. Essentially this means that the precise record as left by the voter on the ballot is preserved in the system and should there be any concerns about the validity of the count manual recounts can be done using voter verified ballots. With the touch screen machines there is no direct correspondence between the actions of the voter and the actions of the machine. And there is a limited ability to do recounts even if the machines contain internal printers.
DS: As this machine that you looked at exists, the Diebold TSX voting terminal, as it existed when you saw it, it had no paper trail right?
AS: The machines are equipped with a printer. The difference is that what the machine prints is not directly related to what the voter touched on the display. So for example if a voter decides to change the information on the ballot then there is the issue of destroying previously printed ballots somehow internally to the machine and somehow separating the valid machine generated ballots from the invalid ones.
DS: It doesn’t represent an exact copy of the vote.
AS: Precisely. Yes.
DS: OK, and let’s start with your report. It does indicate that these Diebold TSX machines are flawed so you don’t need the source code in order to swap votes from one candidate to another or even erase a candidate from the roster? Just go over the essentials of these flaws that you found.
AS: Yes. This is correct. In fact in all of our work with voting machines from a variety of vendors we never use any internal documentation from the vendor. So far, successfully, we are always able to attack the machine by observing its behavior and by reverse engineering protocols for example and the data formats used by the machines. Regarding the TSX machine that we have examined there were several vulnerabilities that were actually corrected from the previous versions of the machine but we still were able to detect that despite the cryptographic checks, integrity checks introduced in that version of the machine, not all checks are performed and not all of them are performed correctly based on our findings and so that we were able to change data without the machine noticing it. In particular we were able to alter the data so that in fact two candidate votes would be swapped and also in some cases to completely eliminate a candidate’s name from the ballot.
DS: You were in possession of this machine but how is it that that is not always the case for states as they prepare for elections Professor?
AS: This is something that I really do not understand.
The best thing that a state can do in selecting voting machinery and voting technology is to obtain independent and as objective as possible evaluation of the technology which is what the State of Connecticut did when they asked us to be involved. I believe that we are in a somewhat unique situation. I really do not know whether there are more than five or six states in the nation where an independent uninvolved technical agency was able to examine the actual machines that are used in the elections. I believe this was very unique to the State of Connecticut and I wish that all states did what we are doing here and more.
DS: Why do you think that is I mean why wouldn’t they want independent verification of these brand new machines that are supposed to be so accurate and useful?
AS: My guess is that the selection processes do not involve substantial early technical participation so that when the government or political structures make a purchase then they feel that they need to protect the validity of their decision. And I think this is misguided. I think it is very important to say well yes this is what we have selected. Yes we do understand the vulnerabilities and yes we are working to correct these vulnerabilities.
DS: Why don’t you clarify exactly what your recommendation is in terms of these independent organizations like yours?
AS: I believe it is extremely important for a competent technical organization that has no commercial involvement in the process and that is not funded by the vendor certainly to be involved in evaluating emerging voting technology and to provide this independent information to the state to help them both in selecting the equipment and in administering the equipment once it is purchased and available to the state.
DS: Just explain the steps that you took. I know that you mentioned something called the PCMCIA card.
AS: Yes, so this is the card that is inserted in the machine and it contains information about the slates of the candidates and the configuration of the race. The overall information on this card is encrypted and there are certain integrity checks however they are not complete and they do not cover all of the cards so by altering data on the card it is possible to simply switch two candidates’ names.
DS: Now what about erasing a candidate?
AS: Now this seems to be a nasty little problem that if the machine finds something wrong with the data on the card it simply ignores the data. Instead of reporting it to either the voter or the voting official it simply ignores it. The end result was that if we tampered with a particular candidate’s data the candidate was simply eliminated from what was displayed to the voters. This seems to be a very basic kind of flaw that remains undetected.
DS: Now these machines have been used during elections in California right?
AS: I do not know exactly what version of the machine was used in California. As I understand currently there is a review in California that is in progress and we have been contacted by people working in that area and they do have our report. They also have their own findings and I believe they will be issuing their findings later this summer, I’m not sure exactly when, possibly early in August.
DS: Several other reports have been written about vulnerabilities with the Diebold TSX voting machine. These related to the memory card, the source card or the GEMS system. Is this the first report on this vulnerability to the machine itself?
AS: No, there were previous reports that dealt with earlier versions of the machine. Now Diebold is obviously trying to improve the quality of their machine and in our reports we also indicate that certain vulnerabilities that were previously existing in older versions of the machines appeared to have been eliminated in the machine version that we have examined. At the same time we have reported a couple of additional vulnerabilities. Now we have previously also produced a report on the optical scan machines but we did not have as much time with the touch screen machine so our report is not as ambitious as we would like it to be ideally.
DS: You are talking about a machine that the State received in what year?
AS: About a year ago.
DS: So it’s a recent model. Would you comment on the sophistication of this technology? Is this flaw that you are finding with the integrity of this machine, it’s hackable, is this flaw so sophisticated that it’s understandable how it might have happened or is this something that you see as a big oversight?
AS: I believe it’s an engineering oversight. I think that an engineering effort exercising due diligence would not have left this door open.
DS: And the door is open. Who is it open to? Who would hack this machine and how?
AS: Well if somebody gains access to the machine at some point prior to the election and applies these changes, I want to note that all that is necessary is a laptop or a personal computer system that is able to mount this PCMCIA card file system that can then be played with by malicious software written for that purpose, so it doesn’t take that much time and removing these cards from the machines for a determined hacker is also not a big challenge. So basically if the chain of custody is broken at some point between the point when the machine is programmed and the start of the election then it’s conceivable that such an attack can be launched and executed successfully.
DS: The machine is it federally certified at this point?
AS: I am not an expert on federal certification on these machines so I will not be able to answer that.
DS: But the application process in CT would have required that it be certified right?
AS: I believe so. Yes. We were actually involved in the early stages of the request for proposals. We, I mean the University of Connecticut and myself. But very soon in the process we determined that it is much better for us to be an independent third party, technical consulting research, and not participate directly in the selection of this machinery.
DS: What are your recommendations for members of state agencies that oversee elections that are using these machines? What are the first steps they should be taking now?
AS: The technology is only now beginning to mature and I think that the selection that was made in the state of Connecticut was not to go with the latest and most advanced machine but with the safer technology meaning optical scan because optical scan provides verified, by voters, paper ballots that can be recounted if necessary. And I would find it difficult to recommend to the state to completely eliminate paper ballots which are marked by the voters.
DS: If the state doesn’t have trained staff to set up and handle these machines and carry out an election and deal with any problems that occur they bring in outside people perhaps right?
DS: So those people would have access to the machines and perhaps sophisticated information on just the kind of steps that you have described to hack the machine.
AS: Any computer system or any mechanical system is always vulnerable to an insider attack and voting machines are no exception. This is the inherent problem with any system. At the same time it is important to provide controls that attempt to eliminate attempted interference with the election processes. So in the State of Connecticut for example we instituted a fairly strict, well we advised that the state does it and the state did institute a very explicit policy about handling of these machines and the memory cards. I don’t believe we have the most perfect solution but each year that we go through this process the processes become more stable and more secure.
DS: State’s need to provide poll workers, they need to have people at the polls that oversee elections, but in some cases these private folks that come in that provide assistance lets say or training. That sort of thing. You are saying that in the case of this machine you are saying that access means vulnerability.
AS: I can actually, an anecdotal interesting event: I attended one of the training sessions in the State of Connecticut where the distributor of the machines was training poll workers in how to use the optical scan machine. And prior to that training session we had been consulting with the Secretary of the State and poll workers were already educated in the proper use, at least the chain of custody procedures, and when the trainer told everybody that if the machine misbehaves you shut it down and you use the next machine or you move the card... one of the lady volunteers said no no no, in the State of Connecticut we do not do this.
So I think there is a lot of enthusiasm and energy on the side of the poll workers and with sufficient guidance from the state I am not that much concerned that the training performed by the vendor would be somehow non constructive.
DS: In Connecticut it is LHS (the vendor) and we both know that they have a protocol where they open a machine, take out a memory card and put in a new one.
AS: This is in fact what we are not doing in the State of Connecticut. If a machine misbehaves in the middle of an election we are going to continue to collect ballots but not necessarily put (them) through the machine.
DS: I see so you are going to do it the old fashioned way?
AS: If the machine misbehaves yes.
DS: OK well it’s not that complicated. I voted last time around on a paper ballot inserted into one of the Diebold AccuVote OpScan machines and it didn’t seem to be that complex of a system in basic principle.
AS: Yes that’s true and there is an additional benefit in using optical scan actually in that the time that the voter spends with the machine is minimal. With the touch screen machines, first of all many more machines need to be provided and also the voter has to be with the machine one on one without being observed, which introduces really an immense opportunity for tampering on the side of a malicious voter. And that is not the case with the optical scan machine.
DS: Interesting and where the optical scan machines did have a vulnerability with the memory card that you did identify and talked about the exact chain of custody needing to be intact at all times.
DS: Just go over the protocol that you set up for Connecticut that you are going to be relying on next time we vote here.
AS: We advised the state on the protocol and the protocol that exists includes sealing the machines in carrying cases with tamper evident seals and with the precise logging of the possession of the machine each time it changes hands. And the seals are numbered and they are checked at each point where the machine needs to be unpacked and positioned into the ballot box for elections. Of course any procedure can be somehow compromised but these measures we believe substantially increase our certainty that the machine does not fall into inappropriate hands en route to the polling place.
DS: So the vendor won’t be able to open the machine and make a memory card swap again?
AS: Absolutely not. We’re still refining the procedures and for next year’s elections we are even considering performing at least random checks of the memory cards to see whether or not there are certain irregularities in the programming of the memory cards.
DS: The only way that anyone could tamper would be to program in advance something that changed during the election perhaps.
AS: In advance of the election yes. That’s the most vulnerable time. When the card’s already programmed then it’s extremely easy if one gains physical access to the machine it is extremely easy to tamper, well for us it was relatively easy to do that. This is why unbroken chain of custody is extremely important in this process.
The memory cards in the machine contain data files. The system is lacking in overall integrity checks on the contents of the cards. Parts of the files are obviously protected. We do not know exactly how and it is not really important because we did find that certain files are not as protected by integrity checks as they should be. We were able to identify several files that could be renamed or changed without the TSX voting terminals detecting this. In the case where the machine does detect it it simply ignores the data. This is the situation exactly that leads to one candidate’s name being eliminated. So instead of reporting that something is wrong with a certain candidate’s file the machine simply ignores the file thus taking the candidate out of the race.
DS: What is vote swapping exactly?
AS: If there is a candidate X and candidate Y and ten people vote for X and five people for Y, or so they think, in the result the votes are swapped so the first candidate gets five votes and the second candidate gets ten votes.
DS: Who would be able to do this? Which people and at which times?
AS: If prior to the election somebody gains access to the machine and to the memory card and understands how to make the change then it’s a matter of a very few minutes.
DS: Why do you think it is that the engineers missed this? How would you explain it if you had to try?
AS: I do not know. I cannot possibly think of anything other than perhaps people were trying to meet the deadlines and the system was not tested as it should have been. But it’s really an engineering oversight. It is clear that the engineers at Diebold tried to protect the data. They went through the motions certainly but they did not complete that task of protecting the integrity of the data.
DS: There has been a big push on and we’ve seen a bill proposed by Holt that has to do with voter verified paper audit trail systems and with DREs. Many people are concerned about voting machines now. Your efforts lie in the State of Connecticut. You are working with the Secretary of State’s office and with others to try to ensure Connecticut’s vote. What can be done to ensure the national election because when we vote here we are participating in a national process that we want to rely on too from our state?
AS: Well as I mentioned no technology is 100% fault free. Diligent independent efforts need to be performed in understanding the limitations of the technology and protecting the election result and the election processes from these vulnerabilities actually impacting the true events as they occur. No technology is 100% reliable and we need to understand the limitations and develop mitigation strategies for how to deal with these.
DS: So that would involve chain of custody. That would involve training programs for poll workers?
AS: Absolutely. Right now chain of custody is the most effective and the easiest means for substantially increasing our certainty in the integrity of the election processes.
DS: I want to have you just go through a couple of the terms you used in your report. Your report says there’s no cryptographic checks during bootstrapping. Technically speaking that may be complicated but can you simplify that for us?
AS: The data ideally should be encrypted in such a way that it is extremely difficult for an attacker to understand what’s in the data, how to read it and consequently how to modify it.
When we send secure encrypted email messages such messages cannot be very easily read by let’s say somebody who is eavesdropping on the email communication. However when the protection is weak it may be possible for an observer to read the data with relatively little effort and if they are able to read the data and understand the structure of the data then they can alter the data in such a way that the recipient of the data, in our case the voting machine, would not be able to distinguish between the original data and the tampered data.
In the memory cards in the TSX machines the protection is incomplete so it is possible to alter parts of the data without the machine noticing that the data is not the original data, which leads to compromised elections.
DS: If you had to choose one voting machine for the United States of America which voting machine would that be Professor Shvartsman?
AS: I strongly believe that until the technology matures it is extremely important to go with a voter verified paper ballot and so this is one of the reasons why in Connecticut we chose optical scan machines.
DS: Again tell me a little bit finally about the University of Connecticut’s Voting Technology Research Center. How many people work there and what are your goals?
AS: We had been established with the help of the State of Connecticut about a year and a half ago. We have four faculty members including myself and several graduate assistants. As you know we are funded by the State of Connecticut currently. We find this to be an extremely rewarding effort because it supplements our sometimes fairly dry pure scientific research with something that’s relevant to everybody’s daily lives.
So we are quite excited about participating in this project. A couple of faculty members, actually all four of us, are winners of National Science Foundation career awards. We have one expert in election systems in particular, Professor Kiayias (Aggelos Kiayias), one expert in cryptography, Professor Alex Russell, and one systems expert, Professor Laurent Michel, and myself.
DS: Professor Alex Shvartsman thank you so much for joining us.
AS: You are very welcome it’s a pleasure speaking with you.
Rush transcript, slight edits for clarity that will also be represented in audio that will air as Talk Nation Radio and will be available as usual online at Pacifica’s Audioport.org and Radio4all.net. Contact firstname.lastname@example.org
Editor’s note: Secretary of State Susan Bysiewicz announced that the state has finalized the switch from the old lever machines to the new optical scan technology in all 169 towns.