
March 20th, 2008

eVoting systems come under fire

Posted by Nathan McFeters @ 10:12 pm

Categories: Data theft, Exploit code, Governments, Hackers, Privacy, United States of America, Zero-day attacks

Tags: Sequoia Software, New Jersey, Sequoia Voting Systems, E-voting, Intellectual Property, Government, Research & Development, Business Operations, Nathan McFeters

As reported by Robert McMillan and Elizabeth Montalbano at IDG News Service, the Sequoia Voting Systems web site has been hacked and subsequently taken down.

Sequoia and its voting system are not new to the news, as it was recently investigated by the Attorney General of New Jersey for “voting discrepancies” in last month’s primaries. As stated in a separate story by McMillan, the state of New Jersey was going to conduct a third-party assessment:

“Clerks from a half-dozen New Jersey counties reported discrepancies in the voting tallies generated by approximately 60 of the state’s Sequoia Voting Systems AVC Advantage e-voting machines during last month’s election. In most cases the discrepancy involved a one- or two-vote difference between the paper tape logged by the machine and the number of votes stored in the computer’s memory cartridges.

Sequoia blamed the discrepancy on poll worker error and said the problem could be fixed with a software update, but state clerks wanted a third-party investigation.”

The hack was originally discovered and reported to IDG News by Ed Felten of the University of Princeton. Felten had recently been asked by the state of New Jersey to review the Sequoia systems; however, Sequoia threatened legal action against Felten. The following e-mail, threatening legal action if he reviewed the system, was sent to Felten and subsequently posted to his “Freedom to Tinker” blog:

“A copy of an email I received has been passed around on various mailing lists. Several people, including reporters, have asked me to confirm its authenticity. Since everyone seems to have read it already, I might as well publish it here. Yes, it is genuine.

====

Sender: Smith, Ed [address redacted]@sequoiavote.com
To: felten@cs.princeton.edu, appel@princeton.edu
Subject: Sequoia Advantage voting machines from New Jersey
Date: Fri, Mar 14, 2008 at 6:16 PM

Dear Professors Felten and Appel:

As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.

Very truly yours,
Edwin Smith
VP, Compliance/Quality/Certification
Sequoia Voting Systems

[contact information and boilerplate redacted]”

Due to this, Felten did not perform the assessment; however, as mentioned on News.com by Robert Vamosi, Sequoia appears to be feeling the pressure to perform an outside assessment. As Vamosi states:

“On the resurrected Ballot Blog site on Thursday, Sequoia Voting Systems announced that it had initiated its own external review of the New Jersey voting systems. The external review, the company said, would be conducted by independent parties including Kwaidan Consulting of Houston, Texas; an Election Assistance Commission (EAC)-accredited Voting System Test Lab (VSTL)–Wyle Laboratories of Huntsville, Ala., and possibly another VSTL; and an academic institution.”

I think at this point Sequoia owes an explanation to the American people. What sort of testing will they have these outside firms conduct? I don’t mean to imply that these companies aren’t great at what they do; I would just think that a bit of transparency from Sequoia as to what they are trying to accomplish is important. One would think that an attack and penetration assessment would be of key concern for these types of systems.

This all comes in a week that has been extremely bad for eVoting, as one can clearly see from our previous blog posting about the hack that occurred on the State of Pennsylvania eVoting site. It appears clear that if American voters ever had much in the way of confidence in these systems, it must be dwindling at this point. I firmly believe that it is time the government (the federal government, that is) take a stand on this, regulate voting across states (both paper and the online version), and get some testing done on these online voting systems. I know we are big on keeping a good chunk of power and freedom in the state governments, and that’s fine, but how about a federal mandate to at least have your systems undergo rigorous testing by multiple vendors?

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios.
