$82 Buys E-Voting Secrets
Wired
Thu February 15, 2007
For a mere $82 a computer scientist and electronic voting critic managed to purchase five $5,000 Sequoia electronic voting machines over the internet last month from a government auction site. And now he's taking them apart.
Princeton computer science professor Andrew Appel and his students have begun reverse-engineering the software embedded in the machines' ROM chips to determine if it has any security holes. But Appel says the ease with which he and his students opened the machines and removed the chips already demonstrates that the voting machines are vulnerable to unauthorized modification.
Their analysis appears to mark the first time that someone who hasn't signed a non-disclosure agreement with Sequoia Voting Systems has examined one of its machine's internals.
Appel bought the machines from election officials in Buncombe County, North Carolina, who offered them for sale at GovDeals.com, a site for government agencies to buy and sell surplus and confiscated equipment. The county sold 144 machines in lots of varying amounts. It paid $5,200 for each machine in 1997. To buy the machines, Appel had to pay $82 and only needed to provide a name, address, phone number and e-mail address.
Sequoia and other voting machine companies have long resisted calls from voting activists to make their proprietary software transparent to the public, because they say it would allow hackers to study the software and devise ways to plant malicious code in it. But Appel says his purchase of the machines shows how easy it is for hackers to obtain and study the software anyway.
"There are hundreds of counties in the country that have had these machines for 20 years," Appel says. "To assume that nobody could have ever had access to those machines to fool around with them in the last 20 years ... that's a stretch. And now it's certainly not true."
The AVC Advantage machines were first manufactured in the late 1980s. Appel says the ROM chips inside are in sockets -- not soldered to the board -- and can be replaced in ten minutes by opening a door on the back of the machines and unscrewing a metal cover. With new chips, the machines could be reprogrammed to misreport votes, he says.
But Sequoia spokeswoman Michelle Shafer says that manipulating an election wouldn't be as easy or undetectable as Appel claims. In practice, the machines are supposed to have tamper-evident seals on them to help authorities detect if someone has accessed the CPU (there were none on the machines that Appel purchased). Moreover, she claims the voting system can detect if the firmware has been replaced.
"There are controls inside the machine that recognize what is supposed to be on there," Shafer says. "(And) the election management software and tally software that is on the computers at the county headquarters would recognize (if the software changed). You just couldn't put just any type of software on there."
Appel is skeptical about Sequoia's claim that changing the ROMs would set off an alarm. He says the only communication between the voting terminal and the county server is through a cartridge where the vote totals for each machine are collected.
It's possible that the voting machine cryptographically signs information recorded to the cartridge. But he says the cryptographic signature would have to be stored in the machine's ROM, and a hacker could simply use the same cryptographic key to authenticate his fraudulent chip.
"Whatever the legitimate software does to take checksums of itself can all be simulated by the fraudulent software," he says. "And there's certainly enough information (contained) in the legitimate software to (figure out how to) do that simulation."
Appel says he opened the machines with a key that came with them, and was able to easily access the machines' motherboards and memory chips to swap them out. But even without the key, a student of his was able to pick the lock in seven seconds. He says that even seals wouldn't thwart a hacker because they're easily counterfeited, and many counties fail to use and track them properly -- as evidenced by recent reports out of Cuyahoga County, Ohio.
Despite the ease in doing this, Appel said the Sequoia machines he bought so far seem to be more secure than a Diebold voting machine that Princeton colleague Ed Felten and others examined last year. Felton discovered that he could inject subversive software into the Diebold machine through the removable memory cards on which it stores votes. He could even produce a virus that would spread automatically from one Diebold machine to another.
The AVC Advantage machines are used throughout Louisiana, and in varying numbers in Colorado, New Jersey and Pennsylvania. Unlike touch-screen machines that use an LCD display, the older Advantage machines rely on push-buttons and lamps, overlaid with a large paper ballot.
Appel acknowledges that to throw an election a hacker would need to have access to dozens or even hundreds of machines to switch out the chips, but points out that thousands of voting machines are stored in warehouses for months each year before elections. Many of them also sit unattended in church basements and school gymnasiums in the days before an election.
Share your thoughts in the Forum
