is the conclusion of the most recent review of the security of the
Diebold voting machines in California. Most damning is the
finding that many of the previously-reported vulnerabilities have not
…Although we present
several previously unpublished vulnerabilities, many of the weaknesses
that we describe were first identified in previous studies of the
Diebold system (e. g., , , , , , , and
). Our report confirms that many of the most serious flaws that
these studies uncovered have not been fixed in the versions of the
software that we studied.
Since many of the vulnerabilities in the Diebold system result from
deep architectural flaws, fixing individual defects piecemeal without
addressing their underlying causes is unlikely to render the system
secure. Systems that are architecturally unsound tend to exhibit
“weakness-in-depth”—even as known flaws
in them are fixed, new ones tend to be discovered. In this sense, the
Diebold software is fragile.
Due to these shortcomings, the security of elections conducted with the
Diebold system depends almost entirely on the effectiveness of election
procedures. Improvements to existing procedures may mitigate some
threats in part, but others would be difficult, if not impossible, to
remedy procedurally. Consequently, we conclude that the safest way to
repair the Diebold system is to reengineer it so that it is secure by
The Hart machines fare no better. The vulnerabilities include
the only feature-not-a-bug problem:
…Network interfaces in
the Hart system are not secured against direct attack. Voters can
connect to unsecured network links in a polling place to subvert
eSlates, as well as to eavesdrop on cast votes and to inject new votes.
Poll workers can connect to JBCs or eScans over the management
interfaces and perform back-office functions such as modifying the
device software. The impact of this is that a malicious voter could
potentially take over one or more eSlates in a precinct and a malicious
poll worker could potentially take over all the devices in a precinct.
The subverted machines could then be used to produce any results of the
attacker’s choice, regardless of voter input. We emphasize
that these are not bugs in the Hart software, but rather features
intentionally designed into the system which can be used in a fashion
for which they were never intended.
Additionally, the Hart InterCivic system uses some unsecured network
connections. Those that are secured use a single symmetric
cryptographic key that is itself not secured.
The Sequoia systems are just as bad:
…We found significant
security weaknesses throughout the Sequoia system. The nature of these
weaknesses raises serious questions as to whether the Sequoia software
can be relied upon to protect the integrity of elections. Every
software mechanism for transmitting election results and every software
mechanism for updating software lacks reliable measures to detect or
prevent tampering. We detail these weaknesses, and their implications,
in Chapters 3 and 4.
In certain cases, audit mechanisms may be able to detect and recover
from some attacks, depending on county-specific procedures; other
attacks may be more difficult to detect after-the-fact even with very
There were numerous programming, logic, and architectural errors
present in the software we reviewed.
Sequoia’s problems include the following:
in every case we examined the cryptography is easily
circumvented. Many cryptographic functions are implemented incorrectly,
based on weak algorithms with known flaws, or used in an ineffective or
access control and other computer security mechanisms that protect
against unauthorized use of central vote counting computers and polling
place equipment are easily circumvented.
software suffers from numerous programming errors, many of which have a
high potential to introduce or exacerbate security weaknesses. These
include buffer overflows, format string vulnerabilities, and type
mismatch errors. In general, the software does not reflect defensive
software engineering practices normally associated with high-assurance
Many of the problems with Sequoia machines were first published in
2006, and have not been fixed.
Box Voting. Source material is from the California
Secretary of State (http://www.sos.ca.gov/elections/elections_vsr.htm).