by s_q_b 3483 days ago
These are the certified electronic voting machines (DREs) for Pennsylvania:

http://www.dos.pa.gov/VotingElections/OtherServicesEvents/Pa...

The Android device in use is the EA Tablet. The certification tests are listed in "EA TABLET FOR ANDROID WITH JELLYBEAN 4.2.1 ELECTRONIC Test Report," dating from 2013.

To be fair, it's probably the best of the horrible lot in security, but that ain't saying much.

For example, the iVotronic systems contain a readily accessible compact flash card right on the top, which stores the election returns. Demonstration machines are set up in each county, so I went to see one in person. Unsurprisingly, the demo machine's card wasn't even covered with a tamper-evident seal.

The devices, including the compact flash cards and the PEBs, are reused from year to year because the legally required certification for the device is very narrow. As the demo machine compact flash cards and PEBs are re-used in each election, at any time prior to the election, infecting the demo machine can be used as a vector to attack the entire county voting total.

Since the demo machine is not sealed, its compact flash can be accessed. If the compact flash card is compromised, the system can be quickly owned. From there, the malware can spread rather trivially to the PEB unit used as a secure token by the election workers, and from there to the county's Unity system at Election Central, allowing the entire county's vote to be altered. So instead of the 4,500 machine compromises PA is claiming would be necessary to influence a state election, it would probably only take 6-7 people any time in the past ten years planting their malware in a few key counties.

All one would need to do to untraceably change the vote totals would be walk in to the county election commission, swap the compact flash out for your malware, and leave. If you do this at any point prior to the election, the malware can spread from the demo machine, to a live voting machine, and finally, when the compact flash cards are entered into the Unity system for final tally, the malware can compromise the whole lot. Then the malware would self-delete, leaving no reliable paper audit record.

Interestingly, from a legal perspective, the Secretary of the Commonwealth's certification for these machines is contingent upon the locking mechanism preventing access to the compact flash card. The machine that I saw, the most common model in use in the state, physically could not be secured that way. The plastic cover mechanism to which the lock is affixed simply doesn't cover the flash card slot well enough.

Under the PA election code, if a specific requirement of the Secretary's certification is not met, the law would invalidate the votes cast through all the iVotronics as a matter of law. As the machines were not configured as approved, they aren't approved for casting ballots, which would throw the PA recount into chaos. It's probably the only judicial avenue left to sue for a state-wide recount that might actually have a chance of being considered.

Nobody tell Jill Stein. In all likelihood, the PA legislature would just send the current electors anyway, as is their prerogative.

2 comments

Now I really want to post this to /r/politics or one of the jill stein subs, with a title like "PENN VOTING MACHINES COULD HAVE EASILY BEEN HACKED, THE VOTES ARE INVALID".

It would get upvoted, perhaps to the front page, and then news outlets would likely pick up the story.

The iVotronics hacking part is very public. The legal aspect may not be as well-known.

The iVotronics vulnerabilities were documented in a lawsuit joined by the Commonwealth's own Deputy Commissioner of Elections. See Banfield v. Cortes [0]

The Election Code specifies that the Secretary of the Commonwealth shall certify electronic voting systems, and issue directives and instructions upon which such approval is conditioned, with which counties are required to comply.

§ 3031.5. Examination and approval of electronic voting systems by the Secretary of the Commonwealth

(a) The Secretary of the Commonwealth may issue directives or instructions for implementation of electronic voting procedures and for the operation of electronic voting systems....

The county board shall comply with the requirements for the use of the electronic voting system as set forth in the report by the Secretary of the Commonwealth...

(c) No electronic voting system not so approved shall be used at any election... [1]

The Secretary alone determines the method of certification.

While the Legislature mandated that an electronic voting system must comply with specific federal testing and performance standards and the requirements set forth in the Election Code, it does not prescribe a particular testing procedure to govern the manner in which the Secretary is to perform the examination, but ultimately left this discretion to the expertise of the Secretary, who is tasked with implementing the Election Code. [0]

However, counties must still comply with the implementation "directives and instructions" issued by the Secretary.

Section 1105-A of the Election Code, 25 P.S. § 3031.5 requires that the Secretary of the Commonwealth examine all electronic voting system used in any election in Pennsylvania and that the Secretary make and file a report stating whether, in her opinion, the electronic voting system can safely be used by voters and meets all of the applicable requirements of the Election Code...

The Secretary of the Commonwealth certifies the iVotronic Voting System in accordance with the conditions detailed in the reports... and the following conditions. [2]

The certification of the iVotronics system implementation directives and instructions include the specific provision that counties "must install the locking mechanism over the serial port and compact flash memory in a manner to prevent access to the compact flash card."

3. Pennsylvania counties using the iVotronic Voting System must install the locking mechanism over the serial port and compact flash memory in a manner to prevent access to the compact flash card. [ibid.]

As the construction of the locking mechanism itself renders the compact flash accessible regardless of the physical lock used, as determined by multiple audits in academia as well as other states, the iVotronics system in question was not certified in accordance with the requirements of the statute.

The Secretary put a caveat on the certification of the iVotronics with which the counties did not comply. This is physically analogous to requiring that a tenant "must install a lock on this door which prevents access to the inside of this room," but the door cannot latch no matter which lock is used. If instead of repairing the latching mechanism, the tenant merely replaces the lock, he would not be in compliance with the directive.

Rather than work with the manufacturers to create a locking mechanism that complied with the Secretary's directive (changing the latch), the counties merely changed the locks used. These locks do not prevent access to the compact flash card, and thus the Secretary's implementation requirements were not met by the counties which used them. The counties' failure to meet these directives was not due to lack of ability, as the requirements of the iVotronics maintenance contracts include modifications necessary to comply with state law, or lack of knowledge, as they were disclosed during Banfield, cited by the certification report itself.

The counties simply failed to ensure that the locking mechanisms were updated subsequent to the Secretary's report. Each county board is required to submit their vote totals to the Commonwealth in accordance with the Election Code. As the Election Code requires counties to comply with the Election Code, a county's failure to meet the Secretary's certification requirements disqualifies its reported vote totals.

It's pretty telling about the seriousness of the recount effort that nobody has even bothered to sue a county that used these machines. The Commonwealth's Election Code is not a mere recommendation to the county. Its provisions regarding DREs are specifically intended to punish counties that do not comply with the Secretary's requirements for certification, which many did not.

But please don't cross post me. You won't accomplish anything, except maybe landing me in DHS lockup for ten days for no reason.

[0] http://caselaw.findlaw.com/pa-supreme-court/1692529.html

[1] https://govt.westlaw.com/pac/Document/NE9287BF0343011DA8A989...

[2] http://www.dos.pa.gov/VotingElections/Documents/Voting%20Sys...

That sounds so... horrendously awful.