Why Your Vote Is Not Secure in Nevada County
In Nevada County, California, my wife and I are glad to have the option of receiving our ballot by mail, having about a month to study it and fill it out, then hand-delivering it ourselves directly to Clerk-Recorder Greg Diaz’s office at the Rood Center in Nevada City.
We delivered ours about a week ago.
We’ve had the impression that this is the most secure method of voting in this county.
But according to the information I found this morning on the Verified Voting website, our votes are still vulnerable in several serious ways, mostly related to the technology in use at the polling places and at the clerk-recorder’s office itself.
The technologies in use in California vary from county to county, with about a dozen counties using paper-only ballots, as the following map illustrates:
According to the California Secretary of State’s webpage, the voting equipment in use in Nevada County is made by Hart InterCivic, and it is used statewide in only three other counties (Humboldt, San Mateo and Yolo). The Hart system’s eSlate belongs to the class of voting technologies called “DREs” (Direct-Recording Electronic); the eScan named below is the companion precinct scanner for paper ballots.
The Secretary of State’s webpage explains DREs this way:
All direct recording electronic (DRE) voting machines used after January 1, 2006, must have an accessible voter-verified paper audit trail, pursuant to California Elections Code Section 19250. All voters voting on an electronic voting machine should review and verify their ballot choices on this printed paper record, prior to finalizing and casting their ballot. Once the ballot is cast, this paper record of the ballot is retained inside the voting machine as part of the election audit trail to verify the accuracy of the votes recorded. In accordance with California law, voters do not get a printed paper record of their vote choices.
So, what’s the problem?
Here’s what Verified Voting has to say about the Hart InterCivic eScan in use in Nevada County:
Security Concerns [1]
Unsecured network interfaces
Network interfaces in the Hart system are not secured against direct attack. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more units in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.
Vulnerability to malicious inputs
Because networked devices may be connected to other, potentially malicious devices, they must be prepared to accept robustly any input provided by such devices. The Hart software routinely fails to check the correctness of inputs from other components, and then proceeds to use those inputs in unsafe ways. The most damaging example of this is that SERVO, which is used to back up and verify the correctness of polling place devices, can itself be compromised from those same devices. This implies that an attacker could subvert a single polling place device, through it subvert SERVO, and then use SERVO to reprogram every polling place device in the county. Although we have tested some individual components of this attack, we did not have time to confirm it in an end-to-end test.
No or insecure use of cryptography
The standard method for securing network communication of the type in use in the Hart system is to use a cryptographic security protocol. However, we found a notable lack of such techniques in Hart’s system. Instead, communications between devices generally happen in the clear, making attack far easier. Cryptography is used for MBBs, but the key management involves a single county-wide symmetric key that, if revealed, would allow an attacker to forge ballot information and election results. This key is stored insecurely in vulnerable polling-place devices, with the result that compromise of a single polling place device enables an attacker to forge election MBBs carrying election results for any device in the county.
Failure to protect ballot secrecy
Hart’s system fails to adequately protect ballot secrecy. A poll worker or election official with access to the raw ballot records can reconstruct the order in which those votes were cast. Combined with information about the order in which voters cast their votes, this can be used to reconstruct how each voter voted.
[1] Hart Red Team Penetration Report, California Secretary of State Top-to-Bottom Review (2007)
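The key-management finding above is easy to misread as a bug. It is a design choice, and the following simulation, which I have added here and which is not Hart’s code or anything from the red-team report, shows why it matters. Three made-up precinct devices tag their results records (a stand-in for the MBB) with HMAC-SHA256. In the county-wide-key design the attacker who compromises one device walks away with the only key the tally server trusts, so a record forged in the name of a different precinct is accepted; with a separate key per device the same compromise yields a key the server will only accept for that one precinct. Device names, result figures and the tally classes are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: three precinct devices and the results each one
# would report.  Nothing here comes from Hart's software or the red-team report.
DEVICES = ("precinct-01", "precinct-02", "precinct-03")
GENUINE = {"candidate A": 412, "candidate B": 388}
FORGED = {"candidate A": 9999, "candidate B": 0}


def encode_mbb(device_id, results):
    """Canonical bytes for a results record (our stand-in for an MBB)."""
    return json.dumps({"device": device_id, "results": results},
                      sort_keys=True).encode()


def make_mbb(device_id, results, key):
    """Tag the record with HMAC-SHA256 under whatever key the device holds."""
    payload = encode_mbb(device_id, results)
    return {"payload": payload,
            "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def tag_matches(key, mbb):
    expected = hmac.new(key, mbb["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mbb["tag"])


class CountyWideKeyTally:
    """The design the report describes: one symmetric key on every device."""

    def __init__(self, county_key):
        self.county_key = county_key

    def accepts(self, mbb):
        return tag_matches(self.county_key, mbb)


class PerDeviceKeyTally:
    """Alternative: the tally server keeps a distinct key for each device."""

    def __init__(self, keys_by_device):
        self.keys_by_device = keys_by_device

    def accepts(self, mbb):
        device_id = json.loads(mbb["payload"])["device"]
        key = self.keys_by_device.get(device_id)
        return key is not None and tag_matches(key, mbb)


def simulate_single_device_compromise():
    county_key = secrets.token_bytes(32)
    device_keys = {d: secrets.token_bytes(32) for d in DEVICES}

    # The attacker fully controls precinct-01 and reads out whatever key
    # material it stores: the county key under the shared-key design, and
    # only precinct-01's own key under the per-device design.
    stolen_county_key = county_key
    stolen_device_key = device_keys["precinct-01"]

    # Forge a results record claiming to come from precinct-02.
    forged_shared = make_mbb("precinct-02", FORGED, stolen_county_key)
    forged_per_device = make_mbb("precinct-02", FORGED, stolen_device_key)
    genuine = make_mbb("precinct-02", GENUINE, device_keys["precinct-02"])

    return {
        "shared_key_accepts_forgery": CountyWideKeyTally(county_key).accepts(forged_shared),
        "per_device_accepts_forgery": PerDeviceKeyTally(device_keys).accepts(forged_per_device),
        "per_device_accepts_genuine": PerDeviceKeyTally(device_keys).accepts(genuine),
    }


if __name__ == "__main__":
    for name, outcome in simulate_single_device_compromise().items():
        print(f"{name}: {outcome}")
```

Per-device keys only contain the damage; the attacker can still forge the compromised precinct’s own results. Holding the device’s key in tamper-resistant hardware, signing rather than MACing so the tally server never stores a secret that forges records, and actually auditing the paper record are what bound what a single subverted machine can do.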
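The ballot-secrecy finding is about ordering, not encryption. This is an added illustration of my own, not Hart’s record format: a constructed six-voter precinct with a sign-in roster, one store that writes records in cast order with a sequence number, and one that gives each record an opaque random id and shuffles before writing. The roster names, choices and field names are all made up for the example.

```python
import secrets

# Constructed sample data for one precinct: the sign-in roster in the order
# voters were processed, and the choice each voter made (the ground truth an
# attacker is trying to recover).  Not real voters or real records.
CHECKIN_ORDER = ["Ada", "Bao", "Carla", "Dev", "Eli", "Fay"]
TRUE_CHOICES = {"Ada": "B", "Bao": "A", "Carla": "A",
                "Dev": "B", "Eli": "A", "Fay": "B"}


def sequential_store(checkin_order, choices):
    """Records written in cast order with a sequence number: the weakness the
    report describes, since the raw records reveal the order votes were cast."""
    return [{"seq": n, "choice": choices[voter]}
            for n, voter in enumerate(checkin_order)]


def shuffled_store(checkin_order, choices):
    """Records carry an opaque random id and are shuffled with the OS RNG
    before being written, so neither the id nor the stored order says
    anything about when the ballot was cast."""
    records = [{"ballot_id": secrets.token_hex(16), "choice": choices[voter]}
               for voter in checkin_order]
    secrets.SystemRandom().shuffle(records)
    return records


def reconstruct_votes(checkin_order, records):
    """What a poll worker or official holding the raw records and the sign-in
    order can do: sort by sequence number and line the records up with the
    roster.  Returns None when the records carry no cast-order field."""
    if not all("seq" in r for r in records):
        return None
    ordered = sorted(records, key=lambda r: r["seq"])
    return {voter: rec["choice"] for voter, rec in zip(checkin_order, ordered)}


def tally(records):
    """The count is identical for both stores; only linkability changes."""
    counts = {}
    for r in records:
        counts[r["choice"]] = counts.get(r["choice"], 0) + 1
    return counts


def demo():
    leaky = sequential_store(CHECKIN_ORDER, TRUE_CHOICES)
    safe = shuffled_store(CHECKIN_ORDER, TRUE_CHOICES)
    return {
        "linked_from_sequential": reconstruct_votes(CHECKIN_ORDER, leaky),
        "linked_from_shuffled": reconstruct_votes(CHECKIN_ORDER, safe),
        "tally_sequential": tally(leaky),
        "tally_shuffled": tally(safe),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Shuffling only helps if nothing else in the record orders it: a timestamp, a monotonically increasing id, or an append-only log with no shuffle step each reintroduce the leak, and a precinct with a single voter leaks regardless.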
Conclusion
All electronic voting technologies statewide and nationwide share one pernicious feature: they are all proprietary.
How has it come to pass that our vote — what Thom Hartmann calls “the beating heart of democracy” — has been privatized?
A national DRE standard should be adopted that requires all electronic voting machines to be open-source: the hardware design and the software must be freely available for public inspection and review.
In truth, voting technology nationwide should be part of the publicly-owned and regulated commons.
Additional Resources
- “How I Hacked an Electronic Voting Machine”
- “Argonne National Lab Vulnerability Assessment Team”
- How Hart InterCivic is Connected to Bain Capital
3 thoughts on “Why Your Vote Is Not Secure in Nevada County”
One would hope Mr. Diaz, with whom I have no qualms, nor with his office staff, might want to consider bringing these issues to the County Big Wigs (Civil Service AND Elected types) immediately after this election’s final totals are verified in accordance with Secretary of State requirements. Start immediate action to fix these problems, including the paper trail. How about hand counts of pieces of paper?
All of the connections are done by two people, and numbered seals are checked as they are removed and then replaced with new seals with new numbers as they are connected or disconnected. Having been a poll worker, I think it would be very difficult to get two like-minded individuals to try and jigger anything. Possible, yes; practically doable, I doubt it. As for a voter themselves doing it, even less likely, as we sit 6 feet away from the machines, and one person has the responsibility for nothing but the machine, and would surely notice any efforts at tampering, which would require the removal of non-replaceable seals.
Doug:
Thanks for your interesting and reassuring comments based on your own personal experience.
I’m really glad to hear that.
So, is there some sort of chain of custody of the machine itself after the poll closes?
Or, is the data moved immediately to a server somewhere? (I suppose I could look up the answer to some of these questions online).
I’m still amazed that the network ports aren’t managed by protocols that include encryption. That just seems prudent.
In general, I prefer technologies in which security does not overly depend on human virtue.
And beyond that, as I said in my post, these machines should all be publicly-owned and regulated open-source (I know, dream on).