VotersUnite.Org presented this information to the Election Assistance Commission, but they declined to inform the election officials using the systems, even though they were aware of the excellent credentials of the author. So, we are providing it here as a public service.
Now that discussion over the CD-13 controversy has died down for a day or two, I wanted to highlight one finding in the FSU report on the ES&S iVotronic and its impact on other jurisdictions. The FSU report revealed a serious security vulnerability in the iVotronic: it is vulnerable to viruses that could be introduced by a single outsider and that could spread throughout a county. This means that a single outsider in a county that uses the iVotronic with firmware version 8 could potentially steal all the votes in that county, without being detected. In my opinion, the severity of this security hole is roughly comparable to that of the Hursti II / Princeton virus - which is to say that it needs to be taken very seriously. This risk is especially significant for folks using the iVotronic without a VVPAT.
One consequence for advocates is that this is further evidence that it's not just one vendor who has serious security problems; it's a second instance this sort of virus vulnerability. Don't let anyone tell you that if we just "kick Diebold off the island" all of the security problems will go away.
For folks in jurisdictions that are using the ES&S iVotronic, here are some concrete suggestions and recommendations that you could use for responding to this security issue.
For folks using the iVotronic with firmware version 8:
|
|
Demand that ES&S fix the security problems, at their expense.
|
|
After they are fixed, demand that an independent security evaluation be performed to see whether these problems - and others like them - have all been fixed.
|
|
Don't use the iVotronic in major elections until the security problems have been verified to be fixed.
|
|
Religiously apply all of the procedural mitigations described in Section 7.9 of our report in all elections, minor or major.
|
|
Consider de-certifying the iVotronic until its security problems have been verified to be fixed.
|
|
Consider buying VVPAT attachments and instituting routine manual audits of the VVPAT records.
|
|
Pay special attention to the security and control over Supervisor terminals.
|
Note that the FSU report analyzed only version 8 of the iVotronic. The FSU team did not analyze version 9 and so there is no publicly available evidence about whether version 9 contains the same vulnerabilities. Knowing as I do how software tends to get written, though, I would be concerned that version 9 could easily have the same or similar vulnerabilities.
For folks using the iVotronic with firmware version 9, without a VVPAT:
|
|
Demand that ES&S warrant publicly whether the iVotronic 9 has any similar vulnerabilities. If it does, demand that ES&S fix them, at their expense.
|
|
Demand an independent security evaluation to see whether these problems - and others like them - are present in the iVotronic 9.
|
|
Consider not using the iVotronic in major elections until such an independent security evaluation has been performed.
|
|
Consider applying all of the procedural mitigations described in Section 7.9 of our report in all elections.
|
|
Consider requesting that the state and/or EAC re-examine the iVotronic, in light of the problems in the iVotronic 8.
|
|
Consider buying VVPAT attachments and instituting routine manual audits of the VVPAT records.
|
|
Pay special attention to the security and control over Supervisor terminals.
|
For folks using the iVotronic with firmware version 9, with a VVPAT (the "RTAL" attachment):
|
|
Demand that ES&S warrant publicly whether the iVotronic 9 has any similar vulnerabilities. If it does, demand that ES&S fix them, at their expense.
|
|
Consider introducing routine manual audits, if they are not already done, or making them more rigorous, if they are.
|
|
Consider requiring an independent security evaluation to see whether these problems - and others like them - are present in the iVotronic 9.
|
|
Consider not using the iVotronic in major elections until such an independent security evaluation has been performed.
|
|
Consider applying all of the procedural mitigations described in Section 7.9 of our report in all elections.
|
|
Consider requesting that the state and/or EAC re-examine the iVotronic, in light of the problems in the iVotronic 8.
|
Be aware that the history of the software industry suggests that many software vendors will only respond to security issues in a timely fashion if their customers demand it. Because making these kinds of changes to a voting system and getting approval from testing labs and certification authorities is a lengthy process, if we are to fix this problem before the 2008 primary, it is important to get this process underway immediately.
If ES&S claimed that their system was secure when your jurisdiction bought ES&S machines, it may be possible for jurisdictions to demand that ES&S fix the problems at ES&S's expense. I'm not a lawyer or procurement expert; talk to someone who can interpret the contract your jurisdiction signed with ES&S.
The FSU report also revealed other security issues with the ES&S iVotronic; if you're interested in the security of the iVotronic, you may want to review relevant sections of the report, even if you don't care about the CD-13 race.
|