Hacking Democracy: An In Depth Analysis Of The ES&S Voting Systems presented at The Last HOPE 2008

by Sandy Clark, Matt Blaze, Eric Cronin, Gaurav Shah, Micah Sherr, Pavol Cerny, Adam Aviv

Tags: Security Analysis

Summary: Last fall, Ohio Secretary of State Jennifer Brunner commissioned Project EVEREST, a comprehensive security review of the electronic voting technology used in her state. The project contracted several academic teams and others to examine the election procedures, equipment, and source code used in that state, with the aim of identifying any problems that might render elections vulnerable to tampering under operational conditions. The ten-week project examined in detail the touch-screen, optical scan, and election management technology from e-voting vendors ES&S, Hart InterCivic, and Premier Election Systems (formerly Diebold). Penn led the analysis of the source code of the ES&S system, which is also used by voters in 42 other U.S. states besides Ohio.
This talk will outline the U. Penn team's findings, which included the discovery of exploitable security vulnerabilities in almost every hardware and software component of the ES&S touch-screen and optical scan systems. Some of these flaws could allow a single malicious voter or poll worker to alter countywide election results, possibly without detection. The team will discuss their findings and will also describe more generally the process of analyzing 700,000 lines of unfamiliar source code in less than ten weeks under highly constrained conditions.
The full 334-page report (which also includes analysis of the Hart and Premier systems done at Penn State and WebWise Security) can be downloaded from the Ohio Secretary of State's web site at http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf