Exposing voting machine vulnerabilities

Cylance announced the successful exploitation of critical vulnerabilities in a common model of voting machine. The exploitation of these vulnerabilities was previously thought to only be theoretical in nature prior to this revelation. The compromise techniques are relatively simple to undertake, but do require physical access to the voting machine.

To help understand the risk to election integrity, the researchers produced a demonstration video of the techniques used to compromise the Sequoia AVC Edge Mk1 voting machine.

The video below shows how they were able to reflash the firmware with a PCMCIA card, directly manipulate the voting tallies in memory, and cause a vote for one candidate to be credited to another by altering elements of the device’s screen display.

Additionally, the video demonstrates how tallies can be manipulated on both the Public Counter and the Protective Counter, which was designed to act as a redundant verification system to ensure results are valid.

Similar methods of exploitation have been proposed on a theoretical basis by other researchers such as those in 2007 with the paper “Source Code Review of the Sequoia Voting System”, and then later discussed in the Politico article “How to Hack an Election in 7 Minutes”, but Cylance is the first to successfully demonstrate any exploitation in the real world.

Additional information on the vulnerabilities and the exploit cannot be released publicly for election integrity reasons, but the researchers have provided details of the techniques to both Sequoia and government authorities, as well as providing suggestions for mitigation.

Where are these voting machines used?

The units in question are known to be in use in numerous polling locations across the United States.

According to the VerifiedVoting.org website, the DRE-Touchscreen system manufactured by Sequoia will be used by 8,170,477 registered voters in 22,368 precincts.

“We believe that both the public and the appropriate regulatory agencies needed to be made aware of these issues immediately so that appropriate measures could be taken to better secure these voting machines,” said Cylance CEO and President Stuart McClure. “We also hope that the information we provided to the manufacturer will assist them in developing better devices moving forward so that we can ensure a secure election process.”

How to mitigate these voting machine vulnerabilities

Cylance recommends increased supervision/monitoring of physical access to electronic voting machines, especially as it pertains to any interfaces or ports except for the Voter Activation Card slot (typically on the front); Frequent verification of hardware or software errors, such as those displayed on operator screens (e.g. the LCD on the back of a Sequoia; Monitoring and verification of tamper-proof and/or tamper-evident seals (typically used to prevent or at least indicate tampering) surrounding the devices, ports, latches, etc.

For mitigation in the long term, the researchers recommend phasing out and replacing deprecated, insecure machines (namely those without robust, hardware-based firmware and data verification mechanisms).

Additional due diligence of polling place volunteers/workers/officers may help mitigate possible collusion for tampering by these groups.