Update 10/28: The Secretary of the State’s Office has taken action to mitigate these concerns by requiring three additional tamper-evident seals to indicate when the case has been opened and to protect the ports. <read the details>
Our democracy hangs, literally, by a vulnerable plastic thread – that can be compromised with a few $, in a few seconds.
Background: The recent story in New Britain sparked my curiosity about the actual security of the canvas bag and the tamper-evident seal that are required to protect the AccuVote-OS optical scanners in Connecticut. By fortunate coincidence I had just started reading the CA Top-To-Bottom Source Code Review of the Diebold Voting System, which also led me to an article, Tamper-Indicating Seals, in American Scientist by Roger G. Johnston, head of the Vulnerability Assessment Team at Los Alamos National Laboratory. (I will post a review of the CA Source Code Review in the near future.)
Even though there is a tamper-evident seal over the memory card in the optical scanner, that alone would be insufficient to protect the memory card from unauthorized changes, for two reasons: 1) Despite the recommendations of the University of Connecticut, the parallel port remains operational and exposed, providing access to compromise the scanner’s software and/or the memory card. 2) Four screws can be removed to provide access to the memory card and other parts for alteration/replacement without disturbing the seal. The employed solution is a canvas bag matched with a tamper-evident seal enclosing the entire optical scanner.
Recent news articles in Connecticut indicate we should have no concerns because the optical scanner is in the bag and sealed. However, I was skeptical. Could the seal be glued back together? Could one official at the audit put their fingers over a re-taped seal, show the number for verification to a couple of other officials, and then fake a re-cutting of the seal? Late on election night after a long day, could one official write down the number and show it to others and have them sign the paperwork, but purposely use the wrong number – a number of a seal in their pocket to be used after tampering? Or the same thing accomplished in a busy pre-election test session? These all seemed possible to me.
Conclusions: Referencing the American Scientist report, the CA Top-To-Bottom Review states:
We do not expect the tamper-evident seals will be effective at detecting tampering with voting equipment while it has been left unattended…the Diebold polling place equipment does not appear to have been designed to meet this threat model…most if not all, tamper-evident seals have known vulnerabilities that could allow an attacker to break them and then replace them or restore them…it is challenging to devise protocols that make it likely that poll workers will detect and respond appropriately to tampering…it would not be practical to provide the kind of training that would be needed
Going to the American Scientist article, we find that this is not a crazy, contrived, convoluted, conspiracy theory:
There are at least 105 different general ways to defeat, or spoof seals. By “defeat”, I mean to remove the seal, then re-apply it or replace it with a counterfeit, without detection…My Los Alamos colleagues and I have analyzed hundreds of government and commercial seals, from low-tech mechanical varieties through high-tech electronic ones…
We have demonstrated how all these seals can be defeated quickly and easily using basic tools, supplies, methods, and skills, resources that are available to almost anyone…
….average attack time 1.4 minutes, with a median value of only 43 seconds…Tools and supplies for the first attack ran a mean average of $78 and a median of $5….we needed an average of only 2.3 hours (12 minutes median) to devise what ultimately proved to be a successful incursion.
So, it's much worse than I could imagine. Our democracy hangs, literally, by a vulnerable plastic thread.













