Source Code Review of the Hart InterCivic Voting System
By Srinivas Inguva, Eric Rescorla, Hovav Shacham, and Dan Wallach.
Part of California Secretary of State Debra Bowen’s
“Top-to-Bottom”
Review of the voting machines used in California, 2007.
Executive Summary
This report considers security issues in Hart InterCivic’s
voting suite, version 6.2.1. This report was prepared at the
request of the California Secretary of State, as part of a
“top-to-bottom” review of the state’s
electronic voting systems. This document is the final report of
the team that examined the Hart voting system source code.
Hart’s system consists of back-office election management
components (SERVO, Rally, Tally, eCM Manager, BOSS, Ballot Now)
which are used to configure and collect data from precinct
devices (eScan, eSlate, Judge’s Booth Controller). The
election management software runs on ordinary Windows machines
whereas the precinct devices are embedded programs running on
specialized hardware.
Component-to-component networks are pervasive in Hart’s
architecture. A JBC and one or more eSlates are networked
together at a polling place for voting. JBCs, eSlates, and eScans
are networked with SERVO for pre- and post-election setup,
auditing, and reset. Rally and Tally communicate over a modem
(or leased line) to transmit remote voting records. In addition,
the other components communicate indirectly through PCMCIA
memory cards called “Mobile Ballot Boxes”
(MBBs). Building a secure networked system of this type requires
adopting an attitude of defense in depth: it must be designed
and implemented in such a way that a compromised component
cannot induce misbehavior in other components that communicate
with it.
Our examination indicates that Hart’s system is not
designed along these lines. Instead, the design of the
components mostly assumes that any other component of the Hart
system (or anything that appears to be one) is trustable:
- Unsecured network interfaces: Network interfaces in the Hart system are not secured against direct attack. Voters can connect to unsecured network links in a polling place to subvert eSlates, as well as to eavesdrop on cast votes and to inject new votes. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more eSlates in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.
- Vulnerability to malicious inputs: Because networked devices may be connected to other, potentially malicious devices, they must be prepared to accept robustly any input provided by such devices. The Hart software routinely fails to check the correctness of inputs from other components, and then proceeds to use those inputs in unsafe ways. The most damaging example of this is that SERVO, which is used to back up and verify the correctness of polling place devices, can itself be compromised from those same devices. This implies that an attacker could subvert a single polling place device, through it subvert SERVO, and then use SERVO to reprogram every polling place device in the county. Although we have tested some individual components of this attack, we did not have time to confirm it in an end-to-end test.
- No or insecure use of cryptography: The standard method for securing network communication of the type in use in the Hart system is to use a cryptographic security protocol. However, we found a notable lack of such techniques in Hart’s system. Instead, communications between devices generally happen in the clear, making attack far easier. Cryptography is used for MBBs, but the key management involves a single county-wide symmetric key that, if revealed, would allow an attacker to forge ballot information and election results. This key is stored insecurely in vulnerable polling-place devices, with the result that compromise of a single polling place device enables an attacker to forge election MBBs carrying election results for any device in the county.
- Failure to protect ballot secrecy: Hart’s system fails to adequately protect ballot secrecy. A poll worker or election official with access to the raw ballot records can reconstruct the order in which those votes were cast. Combined with information about the order in which voters cast their votes, this can be used to reconstruct how each voter voted. In the case of the DRE, it is also possible to reconstruct, for each vote, the order in which the votes were authorized. Combined with information about the order in which voters were authorized, this can likewise be used to reconstruct how each voter voted. Furthermore, a voter who has temporary access to an eSlate device can extract and reconstruct all the votes cast on that device up to that point in time. He may be able to similarly reconstruct all votes cast on any other eSlate connected to the same JBC.
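The cryptography finding above turns on key management rather than on the cipher: one county-wide symmetric key sits in every polling-place device, so extracting it from any one device is enough to authenticate MBBs that claim to come from any other device. The sketch below is an added example, written for this page and not taken from Hart's code or the review; the record layout, the device identifiers `P-01`/`P-02`, the field names and the key material are all constructed. It contrasts the shared-key design the report describes with per-device keys derived by the back office from a master key that never leaves it, and shows which forgeries each design accepts.

```python
import hashlib
import hmac
import json

# Constructed key material for the example. In a real deployment the master key
# stays in the back office (ideally in an HSM) and is never loaded into a device.
MASTER_KEY = b"county-master-key-EXAMPLE-ONLY"

# Constructed sample tallies carried in a results record.
RESULTS = {"contest-1": {"A": 40, "B": 35}}


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Back office derives one key per device (HMAC used as a simple KDF);
    only that derived key is provisioned onto the device."""
    return hmac.new(master_key, b"mbb-auth|" + device_id.encode(), hashlib.sha256).digest()


def seal_record(key: bytes, claimed_device_id: str, results: dict) -> dict:
    """Authenticate a results record with `key`, binding it to the device id it claims."""
    body = json.dumps({"device_id": claimed_device_id, "results": results}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def _tag_matches(key: bytes, record: dict) -> bool:
    expected = hmac.new(key, record["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def verify_shared_key(county_key: bytes, record: dict) -> bool:
    """Design A (as the report describes): every device holds the same county key."""
    return _tag_matches(county_key, record)


def verify_per_device(master_key: bytes, record: dict) -> bool:
    """Design B: the back office re-derives the key for the device the record
    claims to come from; a record sealed with another device's key fails."""
    try:
        claimed = json.loads(record["body"])["device_id"]
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(claimed, str):
        return False
    return _tag_matches(derive_device_key(master_key, claimed), record)


def forgery_accepted_shared_key() -> bool:
    """Key extracted from device P-01 used to seal a record claiming P-02."""
    stolen = MASTER_KEY  # under design A, P-01's key *is* the county-wide key
    forged = seal_record(stolen, "P-02", RESULTS)
    return verify_shared_key(MASTER_KEY, forged)  # True: indistinguishable from genuine


def forgery_accepted_per_device() -> bool:
    """Same scenario under design B: P-01's derived key cannot vouch for P-02."""
    stolen = derive_device_key(MASTER_KEY, "P-01")
    forged = seal_record(stolen, "P-02", RESULTS)
    return verify_per_device(MASTER_KEY, forged)  # False


def genuine_accepted_per_device() -> bool:
    key = derive_device_key(MASTER_KEY, "P-02")
    return verify_per_device(MASTER_KEY, seal_record(key, "P-02", RESULTS))  # True


def tampered_rejected_per_device() -> bool:
    """Editing the tallies after sealing invalidates the tag."""
    key = derive_device_key(MASTER_KEY, "P-02")
    rec = seal_record(key, "P-02", RESULTS)
    rec["body"] = rec["body"].replace('"A": 40', '"A": 90')
    return verify_per_device(MASTER_KEY, rec)  # False


if __name__ == "__main__":
    print("shared key, forged P-02 record accepted:", forgery_accepted_shared_key())
    print("per-device key, forged P-02 record accepted:", forgery_accepted_per_device())
    print("per-device key, genuine record accepted:", genuine_accepted_per_device())
```

Per-device keys do not make a compromised device harmless: its own key still lets an attacker fabricate results for that device, which is why the report also points at the paper trail and procedural checks. What the design buys is containment, since the blast radius of one extracted key shrinks from "any device in the county" to one device, and the back office can revoke that one key. Asymmetric signatures per device would go a step further, because the verifier would then hold no key capable of producing a valid tag at all.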
Many of these attacks can be mounted in a manner that makes them
extremely hard to detect and correct. We expect that many of
them could be carried out in the field by a single individual,
without extensive effort, and without long-term access to the
equipment.
A manual examination of the paper trail would act as a defense
against some of our attacks; others may be mitigated by new or
existing procedural controls by election officials, or by
changes to the Hart system. Where reasonable, we attempted to
identify such mitigations and to assess their effectiveness. In
some cases, there may be no simple, effective fixes.
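One of the "changes to the Hart system" that would address the ballot-secrecy finding is in how cast vote records are stored: if records carry sequence numbers, timestamps, or simply sit in a file in the order they were cast, anyone with the raw records and the poll book can line the two up. The code below is an added example, not Hart's code or anything from the review; the poll-book entries, the ballot choices and the record field names are constructed for the illustration. It shows a naive store that preserves cast order, the check an auditor can run to see whether the records still leak that order, and a store that assigns unpredictable record identifiers and writes the batch in a random order so that neither a field nor file position reveals when a ballot was cast.

```python
import random
import secrets
from typing import Dict, List, Optional

# Constructed poll-book order (who signed in, in sequence) and the choice on
# each ballot, cast in the same sequence. Real records would hold full ballots.
CHECK_IN_ORDER = ["voter-%02d" % i for i in range(1, 21)]
CAST_CHOICES = ["A" if i % 3 else "B" for i in range(1, 21)]


def store_naive(choices: List[str]) -> List[Dict]:
    """The pattern the report describes: each record carries its cast sequence."""
    return [{"seq": i, "choice": c} for i, c in enumerate(choices)]


def store_unlinkable(choices: List[str], rng: Optional[random.Random] = None) -> List[Dict]:
    """Mitigation: random record ids, no sequence number or timestamp, and the
    whole batch written in a random order so position carries no information.
    `rng` is injectable for tests; production uses the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    records = [{"record_id": "%016x" % rng.getrandbits(64), "choice": c} for c in choices]
    rng.shuffle(records)
    return records


def recover_cast_order(records: List[Dict]) -> Optional[List[str]]:
    """Audit check: if the records carry an ordering field, the cast order can be
    rebuilt by sorting on it. Returns None when no such field is present."""
    if records and all("seq" in r for r in records):
        return [r["choice"] for r in sorted(records, key=lambda r: r["seq"])]
    return None


def link_votes_to_voters(check_in_order: List[str], records: List[Dict]) -> Optional[Dict[str, str]]:
    """The report's scenario: recovered cast order zipped with poll-book order.
    Returns None when the records do not reveal cast order."""
    order = recover_cast_order(records)
    if order is None or len(order) != len(check_in_order):
        return None
    return dict(zip(check_in_order, order))


def naive_store_is_linkable() -> bool:
    linked = link_votes_to_voters(CHECK_IN_ORDER, store_naive(CAST_CHOICES))
    return linked == dict(zip(CHECK_IN_ORDER, CAST_CHOICES))  # True: every voter exposed


def unlinkable_store_is_linkable(seed: Optional[int] = None) -> bool:
    rng = random.Random(seed) if seed is not None else None
    return link_votes_to_voters(CHECK_IN_ORDER, store_unlinkable(CAST_CHOICES, rng)) is not None


def unlinkable_store_preserves_tally(seed: int = 0) -> bool:
    """Shuffling must not change what gets counted."""
    recs = store_unlinkable(CAST_CHOICES, random.Random(seed))
    return sorted(r["choice"] for r in recs) == sorted(CAST_CHOICES)


if __name__ == "__main__":
    print("naive store links votes to voters:", naive_store_is_linkable())
    print("mitigated store links votes to voters:", unlinkable_store_is_linkable())
    print("mitigated store preserves tally:", unlinkable_store_preserves_tally())
```

Two details matter in practice. The record identifiers must come from a CSPRNG, not a counter or a seeded generator, because a predictable id is just a sequence number in disguise. And the shuffle has to happen before anything is persisted, including logs and the eSlate-to-JBC transfer the report mentions; a randomised export of records that were first written to storage in cast order protects nothing against someone who reads that storage directly.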
We have deliberately avoided addressing the broader issue of
whether or how this system should be used for voting in
California. Making that judgement requires assessing not only
the technical issues described in this report but also the
procedures and policies with which the system is used.
Material
Reference
@Booklet{ttbr-hart-source-report,
author = {Srinivas Inguva and Eric Rescorla and Hovav Shacham
and Dan Wallach},
title = {Source Code Review of the {Hart} {InterCivic} Voting
System},
howpublished = {Part of California Secretary of State {Debra} {Bowen's}
``{Top-to-Bottom}'' Review of the voting machines used
in {California}},
month = aug,
year = 2007,
note = {Online:
\url{http://www.sos.ca.gov/elections/voting-systems/oversight/top-bottom-review/}}
}