Dominion Voting Machines, Insecure by Design - by Francis Turner
Posted on According To Hoyt (accordingtohoyt)
Sufficiently advanced incompetence is indistinguishable from malice
Required reading for all Dominion engineers and product managers
I have, from time to time, been interested in the question of trust in voting machines and processes. That goes all the way back to the early 2000s and the sloppy Diebold machines in use then. At that time it was notable that Diebold, who also made (make?) ATMs, seemed to have invested a lot more time and effort into making their ATMs secure than making their voting machines secure.
Well anyway, there are only so many hours in a day and only so much outrage I can summon up for sloppy work, so I moved on to other things like glowball worming. Anyway, given that the US 2020 elections and now the 2022 elections have been rife with allegations of vote rigging and other shenanigans, I've started to renew my interest in the current state of the art.
Let me start with the most basic. In Georgia always, and in other states under certain circumstances, voters use a machine to select their voting choices, and these choices are then printed onto a paper ballot that is then sent to another machine for counting. That ballot has a QR code (the box of dots like the one above) which contains the choices the voter made and some checksum for integrity. That QR code cannot be read easily by the voter (you don't just need a smartphone with a QR code reader, you need some special software to read it and then you need to be able to map the decoded output to your choices), so the machine also prints a human readable version. However, there is no checking anywhere that the QR code corresponds to the human readable version, and the QR code is what the voting tabulators use to count.
Does the QR code match the text? How can you tell?
Halderman's report notes both that it would be easy to have the QR code be different to the human readable part because there are no audits done that check that they correspond and that it would also be easy to change the output of both the QR code and the human readable print out on the assumption that most people will not check the print out.
The first case requires special audit equipment to detect and you would need to be very sure that you could actually trust that equipment so getting it from Dominion would be contra-indicated. The latter case would make it impossible to detect vote rigging via audit if the voter failed to raise the alarm at the polling station.
If you look at the sample above the human readable printout does not seem like a model of clarity (all the extra "vote for"s which add verbiage without adding clarity for example) making it easier to hide a fraudulent entry. Of course voters are likely to check the top of the ballot (i.e. their presidential vote) so changing that might be risky, but changing the votes lower down in the more obscure county level races is much more likely to escape notice. You have to wonder why they made it hard to read.
But that's not all. Similar QR codes seem to be generated by other voting methods too such as the vote by mail web app which voters then have to print out themselves and mail to the county. What this means is that the 2000 mules sort of vote by mail fraud is made extremely easy.
And it gets worse.
Despite claims that the QR code data is encrypted, it isn't. Once you know the proprietary format you can decode the data and see what choices the voter made. But wait there's more. There is a checksum created using a shared key to detect accidental tampering/misprints etc. but that shared key turns out to be very easy to obtain and each vote from a particular county (or possibly multiple counties or part of a county depending on implementation) is indistinguishable from any other vote from that county/region no matter which voting machine (or vote by mail method) was used.
The consequences of a lack of encryption or serial number
This makes printing a few thousand additional votes very, very easy and almost impossible to catch. Halderman discusses a number of ways to modify or print additional votes, including sticking a Raspberry Pi in the printer, but these are kind of incidental; the key point is that there is a clear weakness in the vote printing process that can be exploited in all sorts of ways. These ways would be hard to detect, and once detected it would be impossible to tell which ballots were illegitimate, so the only recourse would be to run the election again.
Moreover, as he explains later, the tabulator (ImageCast Precinct or ICP) stores the scanned images of the votes it has counted. Gaining access to the tabulator (running an embedded Linux version dating from 2007!) means you can simply edit the counts and put the matching number of images in the directory. Short of hand checking all the actual printouts against all of the images the machine has stored, it is impossible to confirm that the machine's tally is correct. The only way to detect that the tabulator is lying is to build your own trusted one and rescan all the ballots.
Halderman did not spend much time looking at the tabulator but he identified that the tamper evident shields to block access to USB and Ethernet ports seemed to be easy to bypass in the unit he was provided with. What he doesn't directly point out is that if an authorized person opens up the machine and installs malware the tamper evident seal can easily be replaced by another one. Even better, if the malware install is part of a scheduled firmware update the tamper evident seal is completely pointless because there need be no detectable difference between a USB stick containing a legitimate firmware update and one containing malware.
In summary
This design choice, with a machine readable QR code that is not readable by a human, seems to be a deliberate choice to make voter self-validation hard. The lack of public/private key encryption and a unique serial number per vote makes adding or replacing votes completely untrackable once they have been inserted into the system somehow because there is no audit trail possible.
The CEO of Dominion recently whined to TIME that even though Fox settled rather than going to trial, Dominion was likely to go out of business because their brand was irredeemably tarnished. I found this quote from the article to be deeply ironic:
As for Dominion's future, Poulos is taking it one day at a time. The company is still focused on providing trusted voting systems to clients, with Poulos emphasizing that Americans do not have to trust Dominion blindly because of its commitment to transparency and its existing capability of producing paper ballots. But that defense may come too late.
Given the design decisions it made, I find it hard to read "Americans do not have to trust Dominion blindly because of its commitment to transparency" without laughing. The QR code is anything but transparent to the voter while being exceedingly transparent to the knowledgeable fraudster, and the lack of an easily verifiable audit trail is disturbing if you assume that the company wanted to make a "transparent" and trustworthy system.
The interesting questions, though, are:
whether the sub-optimal design choices were made from incompetence or malice?
how many other voting solutions are as bad?
So how would you fix it?
I thought about ending the post there, but then I figured that opens me up to the charge of complaining without coming up with an alternate solution.
So what would I do instead? Obviously junk the QR code. But more importantly, I'd want to come up with a system that allowed for a couple of basic validation checks.
First, voters have to be able to read what the machine outputs and confirm that it is what they voted for. That means no QR code. It also means a form with an easier-to-understand output. Something like this:
The Checksum would be the data of all the other fields encrypted using the private key that is the pair to the public key in the document. The tabulator and any auditor could use the public key to decrypt the checksum and confirm that it matched the ballot.
Since no ballot could be made at the same time from the same machine the checksums would be almost certainly unique (there is a very slight chance of a collision but it's extremely small) and in the case of a collision it would be possible to decrypt the two checksums with the different keys to confirm that they were in fact unique.
The private/public key pair would be created on the voting machine in a secure subsystem that would never reveal the private key but would encrypt anything passed to it with that key (this is a standard piece of hardware). In order to make some attacks difficult I suspect the secure subsystem would need its own clock and it would need to print out the date / time when it made an encryption as well as, of course, using that date/time as part of the data encrypted. That would make it easy to detect anomalously fast voting.
This checksum would absolutely stop the replay and copy attacks that the Dominion system allows. The human visible table allows the voter to do verification and in fact the voter could be given a copy of the checksum (and public key) so that if desired the voter can confirm on a different machine that the votes were cast as intended.
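The receipt scheme sketched in the preceding paragraphs, as an added worked example written for this post; it is not code from the original article or from any voting-system vendor. The "checksum" is realised as an Ed25519 signature over the printed fields, which is the standard form of "encrypt with the private key, check with the public key"; the private key stays inside a modelled secure subsystem that also supplies the timestamp. The machine identifier, the 20-second threshold for "anomalously fast voting", the contest names and the candidate names are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"time"
)

// Ballot is the human-readable table on the printout: every field the voter can check.
type Ballot struct {
	MachineID string            // hypothetical per-machine identifier
	CastAt    time.Time         // stamped from the secure subsystem's own clock
	Choices   map[string]string // contest -> candidate selected
}

// canonical serialises a ballot deterministically so signer and verifier process the same bytes.
func canonical(b Ballot) []byte {
	contests := make([]string, 0, len(b.Choices))
	for c := range b.Choices {
		contests = append(contests, c)
	}
	sort.Strings(contests) // Go map iteration order is random, hence the sort
	out := fmt.Sprintf("machine=%s\ntime=%s\n", b.MachineID, b.CastAt.UTC().Format(time.RFC3339))
	for _, c := range contests {
		out += fmt.Sprintf("%s=%s\n", c, b.Choices[c])
	}
	return []byte(out)
}

// Receipt is the printed ballot plus its "checksum": an Ed25519 signature over the canonical text.
type Receipt struct {
	Ballot    Ballot
	PublicKey ed25519.PublicKey // printed on the ballot so any auditor can verify
	Signature []byte
}

// SecureSubsystem models the hardware element that keeps the private key (never exported)
// and its own clock; minInterval is a constructed threshold for "anomalously fast voting".
type SecureSubsystem struct {
	machineID string
	priv      ed25519.PrivateKey
	pub       ed25519.PublicKey
	lastCast  time.Time
}

const minInterval = 20 * time.Second

func NewSecureSubsystem(machineID string) (*SecureSubsystem, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureSubsystem{machineID: machineID, priv: priv, pub: pub}, nil
}

// Cast stamps the choices with the subsystem clock, signs them, and reports whether the gap
// since this machine's previous ballot is implausibly short.
func (s *SecureSubsystem) Cast(choices map[string]string, now time.Time) (Receipt, bool) {
	tooFast := !s.lastCast.IsZero() && now.Sub(s.lastCast) < minInterval
	s.lastCast = now
	b := Ballot{MachineID: s.machineID, CastAt: now, Choices: choices}
	return Receipt{Ballot: b, PublicKey: s.pub, Signature: ed25519.Sign(s.priv, canonical(b))}, tooFast
}

// Verify is the check the tabulator, an auditor, or the voter on another machine runs.
func Verify(r Receipt) bool {
	return ed25519.Verify(r.PublicKey, canonical(r.Ballot), r.Signature)
}

// Tabulator counts only receipts that verify and rejects any signature it has already seen,
// which is what defeats the replay/copy attacks a shared-key checksum cannot.
type Tabulator struct {
	seen   map[string]bool
	Counts map[string]map[string]int // contest -> candidate -> votes
}

func NewTabulator() *Tabulator {
	return &Tabulator{seen: map[string]bool{}, Counts: map[string]map[string]int{}}
}

// Accept returns false for a forged, altered, or duplicated receipt.
func (t *Tabulator) Accept(r Receipt) bool {
	key := string(r.Signature)
	if !Verify(r) || t.seen[key] {
		return false
	}
	t.seen[key] = true
	for contest, cand := range r.Ballot.Choices {
		if t.Counts[contest] == nil {
			t.Counts[contest] = map[string]int{}
		}
		t.Counts[contest][cand]++
	}
	return true
}

func main() {
	s, _ := NewSecureSubsystem("ICX-01") // constructed machine id
	r, _ := s.Cast(map[string]string{"Governor": "Candidate A"}, time.Now())
	tab := NewTabulator()
	fmt.Println("accepted:", tab.Accept(r), "duplicate accepted:", tab.Accept(r)) // true false
}
```

Because the signature is over the machine id, the timestamp and every contest, changing one down-ballot choice on an otherwise genuine printout breaks verification, and printing a second copy of a genuine ballot is caught by the duplicate-signature check rather than counted twice. Two ballots from different machines can never share a signature since their keys differ, which is the uniqueness property the text relies on.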
By doing this it becomes possible to create an auditable system that is much harder to defraud. There is probably a way to make it work for mail-in ballots too (a browser session or smartphone app would create the page, which could then be printed off and mailed back), and in fact it might allow for remote electronic voting, because all that happens in that case is that the app prints off the vote in a central precinct instead of at the voter's computer.
There may well be additional lacunae that I haven't thought of. I can see, for example, that the desire for a private confirmation number would make it possible for others to see how you had voted (great for audits, not great in terms of voting privacy/secret ballots), and I'm not entirely sure how to fix that, though I guess making it optional to keep the number would do. Perhaps an abbreviated "proof of voting" checksum could be created that didn't include all your votes.