Update [2007-12-19 18:50:26 by Midwest Millian]: Ed Felten, computer scientist at Princeton, has an interesting post on the iVotronic and the Ohio findings at his blog, Freedom to Tinker.
“It’s worse than I thought.” Those are the words of Ohio Secretary of State Jennifer Brunner used to describe the security of voting systems in her state, following a top-to-bottom review by a corporate-academic team. Brunner has recommended that Ohio scrap all direct-recording electronic touch screen systems.
Brunner’s review included the the ES&S iVotronic, the same system that will be used statewide in the South Carolina primaries on January 19 and January 26.
In a recent diary, I noted that South Carolina’s primary will depend on the reliability of the less than reliable iVotronic. Ohio’s review team confirms Brunner’s statement: the system is worse than we thought.
The academic team found that the iVotronic’s internal memory can be accessed, and its firmware compromised, by a person using magnet and personal digital assistant – see page 69 of the pdf (page 51 of the physical document):
Anyone with physical access to polling station PEBs can easily extract or alter their memory. This requires only a small magnet and a conventional IrDA-based palmtop computer (exactly the same kind of readilyavailable hardware that can be used to emulate a PEB to an iVotronic terminal). Because PEBs themselves enforce no passwords or access control features, physical contact with a PEB (or sufficient proximity to activate its magnetic switch and IR window) is sufficient to allow reading or writing of its memory. The ease of reading and altering PEB memory facilitates a number of powerful attacks against a precinct’s results and even against county-wide results. An attacker who extracts the correct EQC, cryptographic key, and ballot definition can perform any election function on a corresponding iVotronic terminal, including enabling voting, closing the terminal, loading firmware, and so on.
How difficult would potential attackers find it to actually do this?
Page 22 of the academic report pdf (document page 4):
“The review teams were able to subvert every voting system we were provided in ways that would often lead to undetectable manipulation of election results. We were able to develop this knowledge within a few weeks. However, most of the problems that we found could have been identified with only limited access to voting equipment. Thus, it is safe to assume that motivated attackers will quickly identify – or already have- these and many other issues in these systems. Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact.”
Yesterday, Colorado’s Republican Secretary of State decertified the iVotronic for use in the 2008 elections.
This is the machine that will count the votes in primary that will be make or break for as much as a majority of the candidates in both parties.
The South Carolina situation cannot go unchallenged. It is almost certainly too late for South Carolina to purchase new voting equipment. But the state does require emergency paper ballots in case of equipment failure. The state can simply decide that in light of new evidence, the iVotronic is not appropriate for use in a Presidential primary.
What can you do? Contact the Presidential candidates and educate them. Call on them to ask South Carolina not to use the iVotronic in the primary. Show them the New York Times article linked at the beginning of the story. Show them the Ohio report.
Who wants to see a candidate either on the ropes or triumphant after the iVotronic primary?
Presidential Campaign Contact Information:
Joe Biden
Hillary Clinton
Chris Dodd
John Edwards
Dennis Kucinich
Barack Obama ’08
Bill Richardson
