The Corpus Callosum

...Although we present several previously unpublished vulnerabilities, many of the weaknesses that we describe were first identified in previous studies of the Diebold system (e. g., [26], [17], [18], [19], [33], [23], and [14]). Our report confirms that many of the most serious flaws that these studies uncovered have not been fixed in the versions of the software that we studied.

Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit “weaknessin- depth”—even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.

Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design.

...Network interfaces in the Hart system are not secured against direct attack. Voters can connect to unsecured network links in a polling place to subvert eSlates, as well as to eavesdrop on cast votes and to inject new votes. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more eSlates in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.

...We found significant security weaknesses throughout the Sequoia system. The nature of these weaknesses raises serious questions as to whether the Sequoia software can be relied upon to protect the integrity of elections. Every software mechanism for transmitting election results and every software mechanism for updating software lacks reliable measures to detect or prevent tampering. We detail these weaknesses, and their implications, in Chapters 3 and 4.

In certain cases, audit mechanisms may be able to detect and recover from some attacks, depending on county-specific procedures; other attacks may be more difficult to detect after-thefact even with very rigorous audits.

There were numerous programming, logic, and architectural errors present in the software we reviewed.

• Unfortunately, in  every case we examined the cryptography is easily circumvented. Many cryptographic functions are implemented incorrectly, based on weak algorithms with known flaws, or used in an ineffective or insecure manner.
• The access control and other computer security mechanisms that protect against unauthorized use of central vote counting computers and polling place equipment are easily circumvented.
• The software suffers from numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses. These include buffer overflows, format string vulnerabilities, and type mismatch errors. In general, the software does not reflect defensive software engineering practices normally associated with high-assurance critical systems.