How I bought used voting machines on the Internet

Andrew W. Appel

Recently I bought some used AVC Advantage voting machines, made by Sequoia Voting Systems in 1997. I've been studying voting technology and policy for some time, and it will be interesting to perform experiments on these machines.

In early January 2007, the county of Buncombe in North Carolina advertised for sale on the Internet auction site govdeals.com several Sequoia AVC Advantage voting machines. There were 136 machines sold, in lots of 10 machines, 4 machines, and 5 machines, for a total of 18 lots. The auctions closed on January 16 and January 26, depending on the lots. The auction site govdeals.com is, apparently, meant for federal, state, and local governments to sell surplus equipment. Any person can qualify to bid on and purchase equipment through this site.

I purchased one lot of 5 machines, for a price of $82 for the lot. Registering to bid at govdeals.com is just like registering to bid on e-bay--no questions asked except name, address, e-mail, and telephone number. The government had no information about me or my motives in obtaining the voting machines at any time before or after the auction and delivery of the voting machines to me. I paid for the machines by cashier's check. I had these machines shipped to me in Princeton by commercial carrier, where they arrived on February 2, 2007.

On February 3, 2007 I examined the machines. The machines arrived in operating order. The machines, originally sold to Buncombe County in 1997 for $5200 each, appear to be almost identical to machines used in Mercer County, New Jersey, where I vote. The only difference that I discerned is that instead of a green "x" to indicate a vote, there is a green arrow. This difference is very minor and does not, for example, mean that the internal software is different.

To get to the motherboard of the machine, I just opened the back door with the key (that came with the machine) and unscrewed 10 screws that hold in place a sheet-metal panel. Although I used a key to open the lock, the lock itself is a fairly simple one: I watched a Princeton University student pick the lock of my machine in about 7 seconds.

I was surprised at how simple it was for me to access the ROM memory chips containing the firmware that controls the vote-counting. Contrary to Sequoia's assertions in their promotional literature, there were no security seals protecting the ROMs. Indeed, I found that certain information in the "AVC Advantage Security Overview" (from Sequoia Voting Systems, Inc., 2004) was untrue with respect to my machine. Sequoia's document states,

The vote counting instructions in each voting machine are written into integrated circuit chips during the manufacturing process. These chips are incorporated into each machine's circuit boards. Access to the machine should be limited by administrative procedures and is also limited by the physical design of the machines. Design features include door locks and a numbered seal on the CPU cover.

I found this to be incorrect, with respect to the machines delivered to me. I did not have to remove any seals, whether of tape, plastic, or wire. The sheet-metal panel covering the computer circuit board is the only component I found that could possibly be described as a "CPU cover", and it had no numbered seal. (If there ever was a numbered seal holding the CPU cover down, then Buncombe County's technicians would have to remove it and replace it every time they change the four AA batteries on the motherboard!)

The AVC Advantage can be easily manipulated to throw an election because the chips which control the vote-counting are not soldered on to the circuit board of the DRE. This means the vote-counting firmware can be removed and replace with fraudulent firmware. Under the sheet-metal panel (the "CPU cover"), I found the circuit board containing computer chips, other electronic chips, and four chips that--unlike most of the chips on the circuit board which are soldered in place--are mounted in sockets so that they can be removed and replaced. These are ROM (read-only memory) chips that hold the computer program (firmware) that operates the voting logic. These chips are not held in place by any seals. They can be removed using an ordinary screwdriver and they (or other ROM chips containing other firmware) can be replaced simply by pressing them into place. You can see the ROM chips in the picture above; they have the white labels pasted onto them, and you can see me in the process of prying one loose with a screwdriver.

Like the purchasers of all the other lots sold by Buncombe County, I am now at leisure to examine the contents of the firmware on the ROM chips, and to modify it. If I had the inclination to cheat in an election (which I do not) I could prepare a modified version of the firmware that subtly alters votes as the votes are cast, with no indication of the alteration made visible to the voter. I would write this modified firmware onto new ROM chips. Then, if I had access to one of New Jersey's voting machines (for example, in an elementary school or firehouse where it is left unattended the night before an election), I could open the door of the machine, unscrew 10 screws, replace the legitimate ROM chips with my own fraudulent ones, reinstall the cover panel with its 10 screws, and close the door of the machine.

Here is the affadavit that I wrote, describing my purchase of these machines, for the Superior Court of New Jersey in the New Jersey Voting Machines Lawsuit.

Alex Halderman and Ariel Feldman, graduate students in the Department of Computer Science, have begun work on the analysis of the firmware in the AVC Advantage's ROM chips. Here's a screenshot they gave me of some of the formatted-output ("printf") program, that's used for (among other things) printing vote totals on the internal printer.



February 13, 2007: The New York Times