The Princeton University Center for Information Technology Policy has published a report disclosing security vulnerabilities that researchers have detected in Sequoia's AVC Advantage voting machine. According to the researchers, the machine can be completely compromised by replacing a single ROM chip—a task that they were able to complete in only seven minutes.

The study was commissioned by the state of New Jersey following a lawsuit brought against the state by public-interest groups. The suit alleged that the voting machines failed to meet the standards set by New Jersey law, which requires election official to ensure that all votes are fairly counted. Critics contend that Sequoia's direct-recording electronic (DRE) machine can't be trusted because it doesn't generate a paper trail for auditing. The suit dismissed and then appealed in 2005, but was put on hold when the state legislature passed a law that would require voting machines to emit paper records by 2008.

After the deadline was extended by a year to accommodate the state, the court agreed to let the lawsuit go forward and ordered the state to supply the Princeton researchers with full access to the voting machines and source code. Sequoia vigorously attempted to block the review and threatened the state with legal action, but the judge allowed the research to proceed despite Sequoia's threats.

The study was completed last month but wasn't immediately made available to the public because of security concerns. The redacted version, which is now published on the Center for Information Technology Policy web site, provides descriptions of several attack vectors.

"We have found that the Advantage AVC firmware has errors. We have also found that it is easy to replace firmware in the AVC Advantage with fraudulent firmware that can undetectably steal votes and thus change the outcomes of elections," the report says. "Furthermore, some kinds of fraudulent firmware can automatically virally propagate themselves from one AVC Advantage voting machine to another, without the attacker being physically present. Once fraudulent firmware is installed in the AVC Advantage, it can steal votes in election after election without any additional effort by the attacker."

The researchers developed a program that switches votes from one candidate to another. The program, which took two days to write and is only 122 lines of code, was specifically designed to obscure the aberrant behavior when it detects that voting machine officials are running diagnostic software to test the machine. The way that the hacked firmware manipulates the vote tallying mechanism also ensures that the internal electronic audit trails generated by the machine will be consistent with the doctored vote counts. This means that the hack is virtually undetectable. The researchers burned the hacked firmware on a ROM chip which they were then able to install in the voting machine.

They were able to gain physical access by using little more than a screwdriver. The machines are protected by locks and supposedly tamper-proof straps, but the researchers found that these were easy to bypass without detection. Lead researcher Andrew Appel was able to pick the lock in only 13 seconds using a cheap set of $40 lock-picking tools. He had no previous experience with lock-picking apart from a bit of basic training from a grad student who was familiar with the art.

The researchers also found that the seal was so flexible that they could remove the circuit-board cover without having to break it. Further, they cite a study conducted by Dr. Roger Johnston of the Los Alamos National Laboratory which reveals that the vast majority of plastic anti-tamper seals can be trivially circumvented with cheap low-tech materials.

On top of all of that, the researchers point out that New Jersey's physical security for the machines is poor and that it is easy to gain sufficient access to unattended voting machines. To demonstrate this point, the report includes photographs that were taken prior to the primary elections that show unattended Sequoia voting machines at four separate polling places.

The voting machine vendors often attack these studies and claim that hacks conducted by expert researchers in laboratory environments with full access to the source code don't truly reflect real-world scenarios. The report, however, asserts that the skills required to perpetrate an election hack on the Sequioa machine are anything but rare. Anyone with undergraduate training in computer science could do it, they say, and it's no more difficult than writing malware. They also claim that it could be done by reverse-engineering the firmware and that a hacker need not have full access to the source code to do so.

Much like the red team testing that was conducted in California on products from Sequoia and other vendors, this new study conducted by the Princeton researchers demonstrates that DRE machines are unquestionably unfit for use in elections. Unfortunately, with only a few weeks left until the elections in New Jersey, it might be too late for the state to take the necessary actions.

Further reading