Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine
by Andrew W. Appel1, Maia Ginsburg1, Harri Hursti, Brian W. Kernighan1, Christopher D. Richards1, and Gang Tan2. 1Princeton University 2Lehigh University The AVC Advantage voting machine is made by Sequoia Voting Systems and has been used in New Jersey, Pennsylvania, Louisiana, and other states. Pursuant to a Court Order in New Jersey Superior Court, we examined this voting machine as well as its computer program code. On October 17, 2008 the Court permitted us to release to the public a redacted version of our report. Public Report: <http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/advantage-insecurities-redacted.pdf>Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine (click here) This report was originally submitted to the Court on September 2 in the form of an expert-witness report by Andrew W. Appel. The Court has released <http://coblitz.codeen.org/citp.princeton.edu/voting/advantage/expert-redacted.pdf>this redacted version to the public. The version we release here, linked in boldface above, is the same as the Court's redacted version, but with a few introductory paragraphs about the court case, Gusciora v. Corzine. <x-msg://65/video.html>Videos: click here. We can now release the 90-minute evidentiary video that we submitted to the Court on September 2nd. We are seeking the Court's permission to release a much shorter video which demonstrates the most important points much more succinctly. <x-msg://65/faq.html>Frequently Asked Questions ("Why are you releasing this just 3 weeks before the election?" etc.) What you need to know: The AVC Advantage contains a computer. If someone installs a different computer program for that computer to run, it can deliberately add up the votes wrong. It's easy to make a computer program that steals votes from one party's candidates, and gives them to another, while taking care to make the total number of votes come out right. It's easy to make this program take care to cheat only on election day when hundreds of ballots are cast, and not cheat when the machine is being tested for accuracy. This kind of fraudulent computer program can modify every electronic "audit trail" in the computer. Without voter-verified paper ballots, it's extremely hard to know whether a voting machine (such as the AVC Advantage) is running the right program. It takes about 7 minutes, using simple tools, to replace the computer program in the AVC Advantage with a fraudulent program that cheats. We demonstrate this on the video. Even when it's not hacked to deliberately steal votes, the AVC Advantage has a few user-interface flaws. Therefore, sometimes the AVC Advantage does not properly record the intent of the voter. All known voting technologies have imperfect user interfaces, although some are worse than others. The public should beware of the argument that some people make, that "we should not replace the AVC Advantage with voting method X, because X is imperfect." The AVC Advantage's susceptibility to installation of a fraudulent vote-counting program is far more than an imperfection: it is a fatal flaw. What should be done? Most technology experts who study the security of voting methods recommend precinct-count optical-scan voting, with by-hand audits of the optical-scan ballots from randomly selected precincts. We agree with this consensus. In fact, most states are moving in the right direction: 32 states now vote with voter-verified paper ballots (mostly optical-scan, some with DRE+VVPAT). Only a minority of states are still using paperless DRE voting machines such as the AVC Advantage. We recommend that those states adopt precinct-count optical scan. Executive Summary of the Report I. The AVC Advantage 9.00 is easily ``hacked,'' by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this ``hack'' takes just 7 minutes to perform. The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously. II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County's Board of Elections uses to add up votes from all the different precincts.) III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud. IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together. V. Sequoia's sloppy software practices can lead to error and insecurity. Wyle's ITA reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud. VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters. VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts. VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment. <http://citp.princeton.edu/studies/voting>More Princeton e-voting research <http://www.princeton.edu/>Princeton University - <http://www.princeton.edu/~seasweb/>School of Engineering and Applied Science - <http://wws.princeton.edu/>Woodrow Wilson School --~--~---------~--~----~------------~-------~--~----~ To post, send email to <mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED] Please review the "Posting Guidelines" page. Please forward EI messages widely and invite members to join the group at <http://groups.google.com/group/ElectionIntegrity/members_invite>http://groups.google.com/group/ElectionIntegrity/members_invite. If you're not a member and would like to join, go to <http://groups.google.com/group/ElectionIntegrity>http://groups.google.com/group/ElectionIntegrity and click on the "join" link at right. For delivery and suspension options, use the "Edit my membership" link. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to Mark Crispin Miller's "News From Underground" newsgroup. To unsubscribe, send a blank email to [EMAIL PROTECTED] OR go to http://groups.google.com/group/newsfromunderground and click on the "Unsubscribe or change membership" link in the yellow bar at the top of the page, then click the "Unsubscribe" button on the next page. For more News From Underground, visit http://markcrispinmiller.com -~----------~----~----~----~------~----~------~--~---