Insecurities and Inaccuracies of the 
Sequoia AVC Advantage 9.00H DRE Voting Machine


by Andrew W. Appel1, Maia Ginsburg1, Harri Hursti, 
Brian W. Kernighan1, Christopher D. Richards1, and Gang Tan2.
1Princeton University     2Lehigh University

The AVC Advantage voting machine is made by Sequoia Voting Systems 
and has been used in New Jersey, Pennsylvania, Louisiana, and other 
states. Pursuant to a Court Order in New Jersey Superior Court, we 
examined this voting machine as well as its computer program code. On 
October 17, 2008 the Court permitted us to release to the public a 
redacted version of our report.

Public 
Report: 
<http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/advantage-insecurities-redacted.pdf>Insecurities
 
and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting 
Machine (click here)
This report was originally submitted to the Court on September 2 in 
the form of an expert-witness report by Andrew W. Appel. The Court 
has 
released 
<http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/expert-redacted.pdf>this
 
redacted version to the public. The version we release here, linked 
in boldface above, is the same as the Court's redacted version, but 
with a few introductory paragraphs about the court case, Gusciora v. 
Corzine.

<x-msg://65/video.html>Videos: click here. We can now release the 
90-minute evidentiary video that we submitted to the Court on 
September 2nd. We are seeking the Court's permission to release a 
much shorter video which demonstrates the most important points much 
more succinctly.

<x-msg://65/faq.html>Frequently Asked Questions ("Why are you 
releasing this just 3 weeks before the election?" etc.)

What you need to know:

The AVC Advantage contains a computer. If someone installs a 
different computer program for that computer to run, it can 
deliberately add up the votes wrong. It's easy to make a computer 
program that steals votes from one party's candidates, and gives them 
to another, while taking care to make the total number of votes come 
out right. It's easy to make this program take care to cheat only on 
election day when hundreds of ballots are cast, and not cheat when 
the machine is being tested for accuracy. This kind of fraudulent 
computer program can modify every electronic "audit trail" in the 
computer. Without voter-verified paper ballots, it's extremely hard 
to know whether a voting machine (such as the AVC Advantage) is 
running the right program.

It takes about 7 minutes, using simple tools, to replace the computer 
program in the AVC Advantage with a fraudulent program that cheats. 
We demonstrate this on the video.

Even when it's not hacked to deliberately steal votes, the AVC 
Advantage has a few user-interface flaws. Therefore, sometimes the 
AVC Advantage does not properly record the intent of the 
voter. All known voting technologies have imperfect user interfaces, 
although some are worse than others. The public should beware of the 
argument that some people make, that "we should not replace the AVC 
Advantage with voting method X, because X is imperfect." The AVC 
Advantage's susceptibility to installation of a fraudulent 
vote-counting program is far more than an imperfection: it is a fatal 
flaw.

What should be done? Most technology experts who study the security 
of voting methods recommend precinct-count optical-scan voting, with 
by-hand audits of the optical-scan ballots from randomly selected 
precincts. We agree with this consensus. In fact, most states are 
moving in the right direction: 32 states now vote with voter-verified 
paper ballots (mostly optical-scan, some with DRE+VVPAT). Only a 
minority of states are still using paperless DRE voting machines such 
as the AVC Advantage. We recommend that those states adopt 
precinct-count optical scan.

Executive Summary of the Report


I. The AVC Advantage 9.00 is easily ``hacked,'' by the installation 
of fraudulent firmware. This is done by prying just one ROM chip from 
its socket and pushing a new one in, or by replacement of the Z80 
processor chip. We have demonstrated that this ``hack'' takes just 7 
minutes to perform.

The fraudulent firmware can steal votes during an election, just as 
its criminal designer programs it to do. The fraud cannot practically 
be detected. There is no paper audit trail on this machine; all 
electronic records of the votes are under control of the firmware, 
which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can 
install fraudulent firmware into many AVC Advantage machines by viral 
propagation through audio-ballot cartridges. The virus can steal the 
votes of blind voters, can cause AVC Advantages in targeted precincts 
to fail to operate; or can cause WinEDS software to tally votes 
inaccurately. (WinEDS is the program, sold by Sequoia, that each 
County's Board of Elections uses to add up votes from all the 
different precincts.)

III. Design flaws in the user interface of the AVC Advantage 
disenfranchise voters, or violate voter privacy, by causing votes not 
to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to 
change votes, after the polls are closed but before results from 
different precincts are cumulated together.

V. Sequoia's sloppy software practices can lead to error and 
insecurity. Wyle's ITA reports are not rigorous, and are inadequate 
to detect security vulnerabilities. Programming errors that slip 
through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 
Presidential Primary were caused by two different programming errors 
on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact 
that one version may have been examined for certification does not 
give grounds for confidence in the security and accuracy of a 
different version. New Jersey should not use any version of the AVC 
Advantage that it has not actually examined with the assistance of 
skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New 
Jersey should immediately implement the 2005 law passed by the 
Legislature, requiring an individual voter-verified record of each 
vote cast, by adopting precinct-count optical-scan voting equipment.

<http://citp.princeton.edu/studies/voting>More Princeton e-voting research



<http://www.princeton.edu/>Princeton 
University - <http://www.princeton.edu/~seasweb/>School of 
Engineering and Applied Science - <http://wws.princeton.edu/>Woodrow 
Wilson School



--~--~---------~--~----~------------~-------~--~----~
To post, send email 
to <mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED] 
Please review the  "Posting Guidelines" page. 

Please forward EI messages widely and invite members to join the 
group 
at 
<http://groups.google.com/group/ElectionIntegrity/members_invite>http://groups.google.com/group/ElectionIntegrity/members_invite.
 

If you're not a member and would like to join, go 
to 
<http://groups.google.com/group/ElectionIntegrity>http://groups.google.com/group/ElectionIntegrity
 and 
click on the "join" link at right. For delivery and suspension 
options, use the "Edit my membership" link.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to Mark Crispin Miller's 
"News From Underground" newsgroup.

To unsubscribe, send a blank email to [EMAIL PROTECTED] OR go to 
http://groups.google.com/group/newsfromunderground and click on the 
"Unsubscribe or change membership" link in the yellow bar at the top of the 
page, then click the "Unsubscribe" button on the next page. 

For more News From Underground, visit http://markcrispinmiller.com
-~----------~----~----~----~------~----~------~--~---

Reply via email to