The election is behind us, so let’s talk about the reports that came out just before the election. On October 30th, UConn released a report on weaknesses in the Diebold Accuvote Optical Scan.
I have a beef with the timing of the release of UConn’s voting report: one week before the election. That is no way to get taken seriously by election officials. Of course, every security expert agrees that open auditing should happen, that sunlight is the best disinfectant, that security through obscurity is bad, and so on. BUT, anyone who’s actually run a large operation like an election also knows that revealing a whole slew of weaknesses one week prior to an election only helps the adversary. By that point, election officials are so busy teaching and enforcing existing procedures that they don’t even have time to read the report. So on the timing of the report, UConn’s approach was not great. They’re not alone: other folks linked to this report before election day, praised it, and never pointed out the awful timing. A few months before the election, absolutely. A day after the election, absolutely. A week before, with enough detail to provide an attack blueprint? No, that’s not the responsible thing to do.
Okay, now that I got that off my chest, let’s look at the content of the report, which is quite good.
In the first part of the paper, the UConn team explains how, with access to the serial port for 5 minutes, they can effectively turn the voting machine into our worst nightmare: ignore votes for a candidate, swap votes, etc. They even beat the typical pre-election tests by reporting the correct results when the vote count is low (which is usually the case during pre-election tests). Very cleverly done, and very carefully described. This is an important contribution, because it shows, in very clear terms, the danger of elections whose correctness is based on enforcing a chain of custody. Even a small break in the chain can seriously compromise the result.
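To make the pre-election-test point concrete, here is a toy model I put together for this post. It is not code from the UConn report or from the machine; it only mimics the behaviour the report describes (honest tallies on a small ballot count, vote shifting on a large one) with a made-up threshold, made-up candidate names and constructed ballot data. What it shows is that a standard small logic-and-accuracy deck passes, while a hand count of the paper ballots against the machine’s reported totals exposes the shift immediately. That hand count is the check worth remembering: it only works if someone actually does it, red flag or not.

```python
from collections import Counter

# Constructed parameter for the toy model; the report's real trigger
# conditions are not reproduced here.
TEST_THRESHOLD = 50   # below this many ballots the tampered tally is honest


def honest_tally(ballots):
    """Reference tally: count every ballot exactly as marked."""
    return Counter(ballots)


def tampered_tally(ballots, victim="A", beneficiary="B", threshold=TEST_THRESHOLD):
    """Toy model of the compromised scanner: honest on small inputs (the size a
    pre-election test feeds it), and shifting every vote for `victim` to
    `beneficiary` once the ballot count is large. Candidate names are made up."""
    if len(ballots) < threshold:
        return honest_tally(ballots)
    return Counter(beneficiary if b == victim else b for b in ballots)


def pre_election_test(tally, n_test_ballots=10):
    """A typical logic-and-accuracy test: a small deck with a known expected
    outcome. Returns True when the machine's tally matches expectation."""
    deck = ["A", "B", "C"] * (n_test_ballots // 3) + ["A"] * (n_test_ballots % 3)
    return tally(deck) == honest_tally(deck)


def precinct_ballots(n_a, n_b, n_c):
    """Construct a precinct's worth of paper ballots (sample data only)."""
    return ["A"] * n_a + ["B"] * n_b + ["C"] * n_c


def hand_count_discrepancy(reported, ballots):
    """Compare machine-reported totals against a hand count of the paper.
    Returns candidate -> (reported - hand count); all zeros means the
    machine's numbers are consistent with the paper ballots."""
    hand = honest_tally(ballots)
    return {c: reported.get(c, 0) - hand.get(c, 0) for c in set(reported) | set(hand)}


def winner(counts):
    return max(counts, key=counts.get)


def demo():
    ballots = precinct_ballots(300, 250, 50)     # constructed: A wins honestly
    test_ok = pre_election_test(tampered_tally)  # small deck: tampered tally passes
    reported = tampered_tally(ballots)           # election-day volume: votes shifted
    return {
        "pre_election_test_passed": test_ok,
        "honest_winner": winner(honest_tally(ballots)),
        "reported_winner": winner(reported),
        "discrepancy": hand_count_discrepancy(reported, ballots),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold here is the only thing the malicious tally looks at; the real report describes a more carefully engineered version of the same idea, and a bigger test deck is not a fix I would rely on. The point of the model is the last dictionary: a machine that passed its test can still report totals that disagree with the paper by hundreds of votes, and nothing in the machine will tell you so unless the paper is counted.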
One important point: the attack described is a deep insider attack. From my day as an election warden, I can say with certainty that none of my poll workers, not even I, would have been able to hook something into the machine’s serial port without raising a lot of eyebrows. Only the vendor, or folks working closely with the election department, would be able to perform this attack. This may not be the case everywhere, but certainly there are procedural ways to ensure that only a small circle of folks ever has access to the serial port.
That’s not meant to be reassuring, because we should be worried about insider attacks. But it’s important to be precise and to know exactly what kind of attack we’re dealing with, because it changes which countermeasures are worth anything. The easiest one, for example, would fail: adding an extra authentication layer to the serial communication would likely not prevent a deep insider, who is already inside the circle that holds the credentials, from carrying out this attack.
In the second part of the paper, the UConn team describes a clever mechanical attack—involving Post-Its, kudos for style, that’s up there with the minibar key attack—that allows a voter to insert, withdraw, and insert his ballot again, thereby double-counting his ballot. This is interesting in theory, but I cannot imagine that this would happen without poll workers noticing. At our precinct, we noticed when a voter tried to scan in a third sheet (the ballot was two sheets long), which was in fact our mistake: we’d given him 3 sheets instead of 2 at the check-in counter. We would have noticed someone re-scanning a ballot with a weird contraption attached. But it’s still important to know about this attack, and potentially to warn poll workers.
Timing aside, this is a good paper. It shows with clarity that relying on a chain of custody for voting is a dangerous thing, even when you have paper ballots, because you can’t always expect a recount of the paper if there’s no red flag. Importantly, we can’t assume that these problems are specific to Diebold’s Accuvote OS. Any machine has code and a diagnostic mode. Precautions can be taken, but, if the process requires an unbroken chain of custody, even a 5-minute lapse is generally going to be dramatically bad.