Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine AndrewW.Appel∗ MaiaGinsburg HarriHursti PrincetonUniversity PrincetonUniversity BrianW.Kernighan ChristopherD.Richards GangTan PrincetonUniversity PrincetonUniversity LehighUniversity October17,2008 ExecutiveSummary. TheSequoiaAVCAdvantageisadirect-recordingelec- tronic(DRE)votingmachineusedinNewJersey,Pennsylvania,andotherstates. I.TheAVCAdvantage9.00iseasily“hacked,”bytheinstallationoffraudulent firmware. This is done by prying just one ROM chip from its socket and pushing anewonein,orbyreplacementoftheZ80processorchip. Wehavedemonstrated thatthis“hack”takesjust7minutestoperform. Thefraudulentfirmwarecanstealvotesduringanelection,justasitscriminal designer programs it to do. The fraud cannot practically be detected. There is ∗ThisresearchwassupportedinpartbyNationalScienceFoundationawardCNS-0627650.Any opinions,findings,andconclusionsorrecommendationsexpressedinthismaterialarethoseofthe authorsanddonotnecessarilyreflecttheviewsoftheNationalScienceFoundation. 1 no paper audit trail on this machine; all electronic records of the votes are under controlofthefirmware,whichcanmanipulatethemallsimultaneously. II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDSsoftwaretotallyvotesinaccurately. III. Design flaws in the user interface of the AVC Advantage disenfranchise voters,orviolatevoterprivacy,bycausingvotesnottobecounted,andbyallowing pollworkerstocommitfraud. IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cu- mulatedtogether. V.Sequoia’ssloppysoftwarepracticescanleadtoerrorandinsecurity. Wyle’s ITA reports are not rigorous, and are inadequate to detect security vulnerabilities. Programmingerrorsthatslipthroughtheseprocessescanmiscountvotesandper- mitfraud. VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential PrimarywerecausedbytwodifferentprogrammingerrorsonthepartofSequoia, andhadtheeffectofdisenfranchisingvoters. VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with theassistanceofskilledcomputer-securityexperts. VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scanvotingequipment. NOTEREGARDINGREDACTIONS.Asparagraph1.1andAppendixLex- plain, this research was conducted pursuant to a Court Order by the Hon. Linda FeinbergoftheNewJerseySuperiorCourt. SequoiaVotingSystemsfiledamotion alleging that certain parts of this report contain protected trade secrets. Plaintiffs dispute Sequoia’s contentions. Judge Feinberg has expressed her intention to pre- serve Plaintiffs’ objections until the time of the hearing when she will rule on the meritsofSequoia’sclaimsoftradesecret. WeareconfidentthattheCourtwillthen permit release of the full, unredacted report. In the interim, the Court encouraged us to release the report with redactions. Paragraphs 19.8, 19.9, 21.3, and 21.5, as wellasAppendicesB–G,areredactedinthisrelease. 2 Contents 1 Introduction 8 2 DescriptionoftheAVCAdvantage 10 I Fraudulentfirmwarecanstealvotes 15 3 Vote-stealingfirmwarecanbeinstalledintheAVCAdvantage 16 4 Wedemonstratevote-stealingfirmwareinanAVCAdvantage 17 5 InstallingfraudulentsoftwareintoZ80ProgramROM 22 6 Vote-stealingfirmwarecanavoiddetection 24 7 Thetechnicalknowledgetowritevote-stealingprogramsisbasiccomputer science,widespreadinoursociety 27 8 ItiseasyinNewJerseytogainunsupervisedaccesstoanAVCAdvantage, inordertoreplaceROMchips 28 9 PickingthelockontheAVCAdvantagecabinettakesonlyseconds 30 10 ThesealsintheAVCAdvantagedonotprovidetamper-evidence 33 11 Reverseengineeringallowsconstructionoffraudulentfirmwareevenwith- outaccesstotrade-secretsourcecode 40 12 FraudulentfirmwarecanbeinstalledinsidetheZ80processorchip 46 13 Wouldanyonegototheselengths? 49 14 There is no means to reliably detect fraudulent firmware in AVC Advan- tages 50 15 ManyinsidershaveaccesssufficienttotamperwithAVCAdvantagevoting machines 51 16 Thedangeroffraudulentfirmwareiswidelyrecognizedbyexperts 52 17 ConclusionofPartI 55 II DaughterboardandWinEDSvirusescandisenfranchisevoters 56 18 Theaudio-kitdaughterboardisasecondcomputerintheAVCAdvantage 57 19 Onecaninstallfraudulentdaughterboardfirmwarebyinsertingacartridge— evenunwittingly 58 20 Vote-stealingcomputervirusescaninfectAVCAdvantageandWinEDS 61 21 VirusescanpropagatethroughtheAVCAdvantage 63 22 VirusescanpropagatethroughWinEDScomputers 64 23 WinEDS computers have severe security vulnerabilies and are routinely connectedtotheInternet 67 24 Thedaughterboardcanstealvotesorselectivelydisablevotingmachines 71 25 Nogeniusrequiredfordaughterboardattacks 72 3 26 Themotherboardisvulnerabletomaliciousdaughterboardfirmware 73 27 SecurityvulnerabilitiesinWinEDS3.1 74 28 ConclusionofPartII 75 III User-interfaceinaccuraciesandinsecuritiescandisenfranchise voters 77 29 HowwevoteinNewJersey 77 30 AVCAdvantagefalselyindicatesvotesarerecorded,whentheyarenot 80 31 Pressing an option switch deactivates the Advantage so that no votes are recorded 82 32 Sound on activation is not an effective signal for voter, pollworkers, or witnessestodeterminewhenvotesarecast 83 33 TheAVCAdvantage’slackoffeedbackleadsvoterstoundervote 85 34 Votercan’ttellwhichprimaryisactivated 86 35 Pollworkercanseewhothevotervotesfor 86 36 Can’tundowrite-invote,inviolationofFECguidelines 88 37 Proceduresforfleeingvoterleaveopportunitiesforviolatingtheprivacyor integrityoftheballot 88 38 ConclusionofPartIII 89 IV Design errors and programming bugs make the AVC Advan- tageinsecure 90 39 Vote data is not electronically authenticated, making it vulnerable to tam- pering 90 40 ManipulatingResultsCartridges 92 41 SomeNJCountyClerksusethelesstrustworthysourceofdataintabulating officialelectionresults 94 42 TheAdvantagecanprintapaperreportfromafraudulentResultsCartridge 95 43 OnecanconfusetheAVCAdvantagewithafraudulentballotdefinitionthat yieldstwovotesforonebutton 96 44 Results Cartridges can be easily converted into other kinds of cartridges andusedforfraud 98 45 EarlyVotingCartridgespermitfraudinStatesthatusethem 99 46 ManipulatingConsolidationCartridges 99 47 WirelessaccesstoResultsCartridgesopensavenuestomanipulation 101 48 FraudulentintelligentResultsCartridgescouldstealvotes 103 49 Electronicallystored“ballotimages”compromiseprivacyoftheballot 104 50 ConclusionofPartIV 106 4 V Insufficiently rigorous design and certification processes leave thefirmwarevulnerable 108 51 Sequoia’ssloppysoftwarepracticescanleadtoerrorandinsecurity 108 52 WyleLaboratoriesexaminesfirmwareonlysuperficially 110 53 New Jersey officials neglected to read the ITA reports, and thus had no opportunitytonoticehowtheirinadequacies 112 54 SequoiadoesnotkeeptrackofwhatfirmwareisinstalledinitsDREs 113 55 ConclusionofPartV 116 VI Computer-programming errors have actually disenfranchised NJvoters 117 56 Primaryelectionparty-affiliationbugdisenfranchisedvoters 117 57 Hardwaremalfunctionscandisenfranchisevoters 123 58 ConclusionofPartVI 130 VII Different versions of the AVC Advantage have different vul- nerabilities 131 59 Advantageversions9.00Gand9.00Hhaveidenticalvulnerabilities 131 60 TheAVCAdvantagehaschangedagreatdealinsuccessiveversions 132 61 Version10AVCAdvantageisextremelyvulnerabletofraud 134 62 Version8AVCAdvantageisvulnerabletofraudinsomewaysthatversion 9isnot 137 63 ConclusionofPartVII 139 VIII Conclusionsandrecommendations 140 64 NewJerseyshouldnotcontinuetousetheAVCAdvantage9.00,becauseit isinsecure 140 65 NewJerseyshouldimmediatelyremovetheAudioKits 140 66 Thereisawaytosafelyusecomputerstocountvotes 141 67 Formsofvoter-verifiedpaperballots 142 68 SUMMARYOFCONCLUSIONSREACHEDINTHISREPORT 145 IX Appendices 147 A MemoryDevices 147 B Bufferoverrunreadingmessagesfromdaughterboard 148 5 C Technical details of the option-switch bug that disenfranchised some pri- maryvoters 149 D Howtheballotimagescanbeunshuffled,therebyviolatingvoterprivacy 149 E The Source Code violates the FEC’s software-engineering guidelines for voting-machinefirmware 149 F InstallingfraudulentsoftwareintoZ80ProgramRAM 149 G ThesecuritymeasuresinTechnicianCartridgesareeasilydefeated 149 H Printerinaccuracycanchangevotetotalsinresultsreport 150 I Inadequateindicationsofundervotes 151 J Cumbersomeprocedurefordealingwithfleeingvoters 153 K BuginWinEDScausesballotprogrammingtobeextremelyslow 156 L TheCourtOrder 157 List of Figures 1 TheAVCAdvantage,fromthefront. . . . . . . . . . . . . . . . . 9 2 AVCAdvantagevoterpanelcoveredbyaprintedpaperballot . . . 11 3 ExcerptfromResultsReport . . . . . . . . . . . . . . . . . . . . 13 4 ResultsCartridge . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5 InsidetheAVCAdvantagecabinet,fromtherear. . . . . . . . . . 20 6 ThemotherboardoftheAVCAdvantage . . . . . . . . . . . . . . 21 7 Z80andROMchipsonthemotherboard . . . . . . . . . . . . . . 21 8 ROMreader/programmer . . . . . . . . . . . . . . . . . . . . . . 23 9 Unattendedvotingmachinesinpublicplaces . . . . . . . . . . . 29 10 KeysforanAVCAdvantage . . . . . . . . . . . . . . . . . . . . 31 11 PickingthelockofanAVCAdvantage . . . . . . . . . . . . . . . 32 12 Plasticstrapseal . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 13 Plastic-strapsealasinstalledbyUnionCounty . . . . . . . . . . . 34 14 DONOTREMOVEsticker . . . . . . . . . . . . . . . . . . . . . 36 15 Resultsreporttapewithsealnumbernotfilledin . . . . . . . . . 38 16 ListofAVCAdvantagevotingmachinessoldbyGovdeals.com . . 42 17 DescriptionoftheAVCAdvantagemachinessoldbyGovdeals.com 43 18 Desolderingtool. . . . . . . . . . . . . . . . . . . . . . . . . . . 48 19 Audioballotcartridge,frontandback . . . . . . . . . . . . . . . 58 20 WinEDScomputer . . . . . . . . . . . . . . . . . . . . . . . . . 65 21 Close-upofvoterpanelwithpaper-ballotoverlay . . . . . . . . . 78 22 GreenXappearsbyselectedcandidate . . . . . . . . . . . . . . . 79 23 CastVotebutton . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 24 VOTERECORDEDTHANKYOU . . . . . . . . . . . . . . . . 80 6 25 OperatorPanel . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 26 Peekingthroughtheslot . . . . . . . . . . . . . . . . . . . . . . 87 27 Tinycomputerforhackingresultscartridges . . . . . . . . . . . . 92 28 Cigarette-packhackingdevice . . . . . . . . . . . . . . . . . . . 93 29 HackingaResultsCartridge . . . . . . . . . . . . . . . . . . . . 93 30 Buttonsbehindpaperballotonvoterpanel . . . . . . . . . . . . . 97 31 Eye-ficardforwirelessaccesstocartridge . . . . . . . . . . . . . 101 32 Digitalvoicerecorder . . . . . . . . . . . . . . . . . . . . . . . . 105 33 OperatorPanel . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 34 Resultsreporttapedemonstratingoption-switchbug . . . . . . . 121 35 Threeresults-reportprintoutsdemonstratinginconsistencies . . . 126 36 InconsistentdatafromPennsauken6,inCamdenCounty. . . . . . 129 37 Version10ResultsCartridge . . . . . . . . . . . . . . . . . . . . 136 7 1 Introduction 1.1 In 2004 a group of public-interest plaintiffs, represented by Professor Penny Venetis of the Rutgers Law School, sued the State of New Jersey over the State’s use of direct-recording electronic (DRE) voting machines. Most of New Jersey’s countieshadadoptedtheSequoiaAVCAdvantagefull-faceDRE. The plaintiffs argued that the use of DRE voting machines is illegal and un- constitutional. Illegal, becausetheyviolateNewJerseyelectionlawsrequiringall votes be counted accurately and that voting machines be thoroughly tested accu- rate, andreliable. Unconstitutional, becausetheyviolatetheNewJerseyconstitu- tion’s requirement that all votes count. The plaintiffs argued that one cannot trust apaperlessDREmachinetocountthevote. The case was dismissed by the trial court in January 2005. The dismissal was appealed. While the appeal was pending, in the summer of 2005 the New Jersey legislaturepassed(andthegovernorsigned)abillrequiringthat,nolaterthanJan- uary1,2008,anyvotingsysteminNewJerseymustproduceavoter-verifiedpaper ballot. In2006theAppellateCourtreinstatedthelawsuit,andinstructedthetrialjudge tomonitortheprogressofStateelectionofficialsinmeetingthelegislature’sdead- line. In 2008, when the executive branch twice requested that the deadline be extended,thelegislatureobliged,eachtimewithasix-monthextension. Basedon an Appellate Division’s decision of June 2006, expressing concern that the State would not meet the legislature’s January 2008 deadline, the trial judge, the Hon. Linda Feinberg, ordered a trial to proceed on the constitutional issue. The case is Gusciora et al. v. Corzine et al., Docket No. MER-L-2691-04, Superior Court of NewJersey. JudgeFeinbergorderedthattheStateprovidetoPlaintiffs’expertwitness, for examination, AVC Advantage voting machines complete with their source code. AppendixLshowsthetermsoftheCourtOrder. Theauthorsofthisreportexam- inedvotingmachinesandsourcecodeduringJulyandAugust2008,anddelivered our report to the Court on September 2. The Court Order permits us to make our findingsavailabletothepublic30dayslater. 1.2 Based on our examination of the AVC Advantage voting machine, it is our opinionthat: 1. TheAVCAdvantagecanbe“hacked”tostealvotesbyreplacingitsfirmware; 2. The “hack” can be perpetrated by a person with only ordinary training in computerscience; 8 Figure1: TheAVCAdvantage,fromthefront. The large full-face voter panel (white) is visible. In normal use it would be covered by a printed ballot sheet, which is not present in this photo. An array of buttons,12acrossby42down,isvisible;wheninuse,thesearehiddenbehindthe printed sheet. Below the voter panel is the write-in keyboard. To the left of the write-inkeyboardisanLCDdisplay,andtotheright(notquitevisible)istheCast Votebutton. ThismachineisownedbyAndrewAppel; thephotographwastakenin2007at PrincetonUniversity. 9 3. A person can easily gain enough access to voting machines to install this hack; 4. Onceinstalled,thefraudulentfirmwareispracticallyimpossibletodetect; 5. Onceinstalledonavotingmachine, thefraudulentfirmwarecanstealvotes inelectionafterelectionwithoutanyadditionaleffort; 6. The AVC Advantage is vulnerable to hacks (fraudulent manipulations) in severaldifferentways; 7. Some of these hacks take the form of viruses that can automatically propa- gatethemselvesfromonevotingmachinetoanother; 8. Evenwhennot“hacked,”theAVCAdvantage(initsnormalstate)hasdesign flaws that can cause votes to be lost, or cause voters to be given the wrong primaryballottovote; 9. Evenwhennot“hacked,”theAVCAdvantageinitsnormalstatehasdesign flawsthatencouragevotererrorandpollworkererror,andpermitfraud. 1.3 Aspartofthisreport,wehavepreparedavideodemonstratingseveralof thesevulnerabilitiesandinaccuracies. Thisvideowillbeavailableat http://citp.princeton.edu/advantage 2 Description of the AVC Advantage 2.1 TheAVCAdvantageisa“direct-recordingelectronic”(DRE)votingcomputer. That is, thevoter indicates aselection of candidatesvia a user-interfaceto a com- puter; the program in the computer stores data in its memory that (are supposed to) correspond to the indicated votes; and at the close of the polls, the computer outputs(whataresupposedtobe)thenumberofvotesforeachcandidate. 2.2 InthecaseoftheAVCAdvantage, theprimaryinputdeviceusedbythevoter isalargepanel,containingatwo-dimensionalarrayofbuttonsandlights(seeFig- ure 1). This panel is covered by a sheet of paper on which contests and candidate names are printed (see Figure 2). Markings on the paper are placed over the but- tonsthataretobepressedforthecorrespondingcandidates;thelightsonthepanel, whenlit,arevisibleshiningthroughthepaper. Onthesideofthemachine,an“op- erator panel” contains additional buttons and an LCD alphanumeric display with two rows of 24 characters each. During an election, before each voter can vote, a 10
Description: