Are There Sufficient Procedures in Place to Guard against Physical Tampering with Electronic Voting Machines?
The Maryland State Board of Elections released a report on July 22, 2004 titled “Progress Report: Department of Legislative Services’ Trusted Agent Report on Diebold AccuVote-TS Voting System” as a follow-up to the RABA Technologies report Trusted Agent Report: Diebold AccuVote-TS Voting System. The Maryland State Board of Elections report stated:
“Attempts to tamper with terminals, via privacy security screen removal and unlocking of bay doors, would be quickly noticed by the diligent, trained Election Judge and others in the polling place. The Election Judge’s duty is to support the apprehension of the individual for this felony criminal activity by contacting police authorities and escalating the issue via established protocols.
SBE [State Board of Elections] has instructed the LBE [Local Board of Elections] to apply tamper tape over the locked bay doors of the Accu-Vote TS [a model of electronic voting machine] terminals and record the serial numbers during the Logic and Accuracy tests…Election Judges verify the serial numbers and apply new tamper tape after the units are activated on Election Day. Protocols for monitoring the tamper tape and escalating the issue if evidence of tampering is identified have been established and incorporated into Election Judge training.”July 22, 2004
Dana DeBeauvoir, Travis County (Texas) Clerk, submitted a paper titled “Prevention of Attack, Not Detection After the Fact: A Note on Risk Assessment and Risk Mitigation” in conjunction with her public testimony before the U.S. Election Assistance Commission on May 4, 2004, which stated:
“Using proper locks and seals on the hardware, and a tracking system, usually bar coding, increases the probability of proving any tampering or lack thereof. Other controls include procedures that do not allow (maintenance) work to be performed by a single person. With segregation of duties, all work is done in teams and supervised.”May 4, 2004
Diebold Election Systems, Inc. released a paper titled “Checks and Balances in Elections Equipment and Procedures Prevent Alleged Fraud Scenarios” on July 30, 2003 on its website. The paper described the following physical security procedures:
“Each piece of equipment is prepared for the election by election staff…Before this process, all equipment is sealed and secured until delivery at the polling location…
The machine judge monitors the voting process, and identifies and removes any voter who attempts to tamper with the voting equipment…
The election data is stored on memory cards only (not floppy disks), which are locked inside the physical Ballot Station behind a tamper-proof label and continuously controlled by local election officials…Voters have no access to the storage cards at all. Poll workers have access to the card after polls close, but (like a classic paper ballot box) only under the observation of their peer poll workers.”July 30, 2003
Dawn Roberts, Director of the Division of Elections for the state of Florida, sent a Mar. 3, 2006 Technical Advisory Memorandum detailing the new guidelines intended to enhance voting system security in Florida. The guidelines specifically address attacks to physical elements of an electronic voting system:
“For each election, the supervisor of elections shall seal each election media [memory cards, voter card encoders, voter and administrator card readers] in its relevant voting device [electronic voting machine] or container utilizing one or more uniquely identified tamper-resistant or tamper-evident seals. A combined master identification of the voting device, the election media, and the seal(s) must be created and maintained…
The supervisor of elections shall create and maintain a secured location for storing and transporting voting devices once the election parameters are loaded. This shall include procedures that are to be used at locations outside the direct control of the supervisor of elections, such as overnight storage at a polling location…
The chain of custody must utilize two or more individuals to perform a check and verification check whenever a transfer of custody takes place or where the voting devices have been left unattended for any length of time. Particular attention must be given to the integrity of the tamper-resistant or tamper-evident seals.”Mar. 3, 2006
RABA Technologies, at the request of the State of Maryland, prepared a Jan. 20, 2004 report titled “Trusted Agent Report: Diebold AccuVote-TS Voting System,” which stated:
“Maryland has ordered approximately 16,000 AccuVote-TS [a model of electronic voting machine] terminals, each equipped with two locking bays and supplied with two keys accounting for 32,000 locks and keys. Surprisingly, each lock is identical and can be opened by any one of the 32,000 keys. Furthermore, team members [of RABA’s security assessment team] were able to have duplicates made at local hardware stores. It is a reasonable scenario to assume that a working key is available to an attacker.
To make matters worse, using a commonly available lock pick set, one team member picked the lock in approximately 10 seconds. Individuals with no experience were able to pick the lock in approximately 1 minute…
Other mischief-makers demonstrated the ability to physically tilt the monitor of the AccuVote-TS forward to expose the connecting wires. They were then able to disconnect these wires without causing any damage. To reconnect the wires into their harness requires opening up the terminal – a procedure that is not allowed during an election.”Jan. 20, 2004
The Government Accountability Office (GAO) 2005 report “Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, But Key Activities Need to Be Completed,” stated:
“Regarding physical hardware controls…many of the DRE [direct recording electronic voting machine] models under examination contained weaknesses in controls designed to protect the system…
All the locks on a particular DRE model were easily picked, and were all controlled by the same keys…Another particular model of DRE was linked together with others to form a rudimentary network. If one of these machines were accidentally or intentionally unplugged from the others, voting functions on the other machines in the network would be disrupted. In addition, reviewers found that switches used to turn a DRE system on or off, as well as those used to close the polls on a particular DRE terminal, were not protected.”2005
Rebecca Mercuri, PhD, President of Notable Software, Inc., in her Oct. 2002 IEEE Spectrum article “A Better Ballot Box,” wrote:
“Sequoia Edge [a model of electronic voting machine] can be reprogrammed through a port on the voting machine kiosk. Although this port is ‘secured’ during the voting session by a flimsy, numbered, plastic tab, it is exposed after the election, providing essentially no protection against reprogramming.”Oct. 2002
Pamela Smith, nationwide coordinator of the Verified Voting Foundation, wrote a newspaper commentary titled “Electronic Voting Was A Fiasco,” which appeared in North County Times on Mar. 15, 2004 and stated:
“In spite of the vulnerability of Diebold’s electronic voting system, the [San Diego County] registrar sent computerized voting machines, cards, keys and card encoders to be stored in poll workers’ homes before the election, secured only by easily removed stickers and flimsy plastic-zip ties.
In one precinct observed by SAVE-Democracy’s poll watchers, these security stickers had never even been placed over the memory card ports, where votes are stored, as they should have been.
Poll workers were given extra zip-ties to hold the machines and key-card pouches closed. These were not inventoried and apparently were not even inspected, so no one knows if machines were tampered with.”Mar. 15, 2004