Description
I was a member of the UCSB Security Group that completed an analysis of the Sequoia electronic voting system as part of a Top-to-Bottom Review of the electronic voting systems used in California. The study was commissioned by California Secretary of State Debra Bowen. As a result of the review, the Secretary of State decertified the current systems and recertified them on condition of use of stricter procedures and security measures.
We acted as a "Red Team" and performed a series of security tests of both the hardware and the software that are part of the Sequoia system to identify possible security problems that could lead to a compromise.
We were able to expose a number of serious security issues. We were able to bypass both the physical and the software security protections of the Sequoia system, and we demonstrated how these vulnerabilities could be exploited by a determined attacker to modify (or invalidate) the results of an election.
Our team was led by Giovanni Vigna and Richard Kemmerer, and, besides me, included Davide Balzarotti, Greg Banks, Viktoria Felmetsger, William Robertson, and Fredrik Valeur.
Publications
We published our findings in a technical report. The Secretary of State
released the public version of our report on July 27th, 2007. We also
published a rebuttal of the vendor response to our report.
- Security Evaluation of the Sequoia Voting System, UCSB Computer Security Group, Technical Report for the California Top-To-Bottom Review, July 27, 2007, Sacramento, CA, USA [PDF] [California SoS]
- Rebuttal of Sequoia Voting Systems' Response to the UCSB Red Team Report, UCSB Computer Security Group, Technical Report for the California Top-To-Bottom Review, July 31, 2007, Sacramento, CA, USA [PDF]
Press
The Top-To-Bottom Review received considerable attention in the media. Here are the references to some of the articles, videos, and radio programs that covered the topic.
TVs
- Computer Hackers Breach California Voting Machines, KCRA 3, July 27, 2007
- D. Villalon, Experts Able To Hack California Voting Machines, abc7, July 27, 2007
- B. Todd, E-voting vulnerabilities, CNN, July 31, 2007
- K. Pritchett, BERKELEY: Ken Pritchett Reports As Local Computer Scientists Deem Electronic Voting As Unsafe, KTVU
- The ghosts in the voting machines, BBC, August 7, 2007
- S. Michels, California Experiences Problems with Voting Machines, PBS NewsHour, January 16, 2008
Radios
Newspapers
- J. Wildermuth, Most vote machines lose test to hackers, San Francisco Chronicle, July 28, 2007
- S. Rosenblatt, 3 voting systems faulted, Los Angeles Times, July 28, 2007
- S. Harmon, E-voting fails hasty state review, SiliconValley.com, July 28, 2007
- S. Lawrence, Companies say California voting-machine review is unrealistic, San Diego Union-Tribune, July 30, 2007
- K. Yamamura, Elections officials blast vote-hacking research, Sacramento Bee, July 31, 2007
- J. Wildermuth, Makers of voting machines battle critics over UC study, San Francisco Chronicle, July 31, 2007
- How safe is your vote?, Editorial, San Francisco Chronicle, July 31, 2007
- D. Weintraub, Daniel Weintraub: Bowen weighs future of 'black box' voting in state, Sacramento Bee, August 2, 2007
- C. Bagley, Elections officials await orders; Secretary of State expected to rule on counties' voting systems by midnight, North County Times, August 4, 2007
- C. Bagley, Restrictions set for voting machines, North County Times, August 5, 2007
- C. Drew, California Restricts Machines For Voting, New York Times, August 6, 2007
- S. Stone, Hack the vote!, Nevada NewsMakers, August 7, 2007
- Editorial: Vote absentee to avoid aftermath of e-vote ruling, Editorial, Mercury News, August 8, 2007
- J. Woolfolk, Santa Clara County considers suit over voting decision, Mercury News, August 9, 2007
- S. Harmon, Critics question election officials links to vendors, Inside Bay Area, August 19, 2007
- T. Risen, AS EASY AS ONE-TWO-THREE: UCSB computer experts have no problem hacking into voting machines, Santa Barbara News-Press, August 20, 2007
- S. Nellis, Voting machine hackers: UCSB team breaks into counting device, Pacific Coast Business Times, August 20, 2007
Magazines and Journals
- K. Zetter, CA Releases Results of Red-Team Investigation of Voting Machines: All Three Systems Could Be Compromised, Wired, July 27, 2007
- R. McMillan, California Report Slams E-Voting System Security, PC World, July 27, 2007
- L. Vaas, What the U.S. Is Doing Wrong with E-Voting, eWeek.com, July 30, 2007
- Ergebnisse des größten "Hacker"-Tests für US-Wahlmaschinen liegen v, heise, July 30, 2007
- O. Rafal, Les systèmes de vote électronique perforés par les chercheurs californiens, Le Monde Informatique, July 30, 2007
- F. Washkuch, California finds three electronic voting systems vulnerable to hackers, SC Magazine, July 30, 2007
- D. Goodin, California e-voting machines have more holes than Swiss cheese, The Register, July 30, 2007
- R. McMillan, California report slams e-voting system security, ComputerworldUK
- R. Paul, California to recertify insecure voting machines, ars technica, August 6, 2007
- California Voting Machines Hacked, The Onion, August 6, 2007
- D. Goodin, E-voting gets bitch-slapped in California, The Register, August 8, 2007
- J.M., Numerous media outlets publish misleading attacks on decision to limit electronic voting, Media Matters, August 9, 2007
- UCSB's Security Group Finds Flaws in Voting Machines, Santa Barbara Independent, August 16, 2007
- California is right to sound a cautionary note on electronic voting, Editorial, Nature 448, 840, August 22, 2007
- S. Levy, Securing (Or Not) Your Right to Vote, Newsweek, September 10, 2007
- M. Bishop, D. Wagner, Risks of e-voting, Communications of the ACM, 50(11):128, November 2007
Blogs and Web Sites
- B. Friedman, CA SoS Bowen: 'Analysts Able to Bypass Both Physical and Software Security for Every System They Reviewed' in Landmark Independent 'Top-to-Bottom Review' of CA Voting Systems, The Brad Blog, July 27, 2007
- A. Rubin, California Top to Bottom results, Avi Rubin's Blog, July 27, 2007
- ewhac, Researchers Crack Every Certified CA Voting Machine, Slashdot, July 28, 2007
- J. Topolsky, California white hat hackers: 3, Diebold and friends: 0, Engadget, July 29, 2007
- E. Felten, California Study: Voting Machines Vulnerable; Worse to Come?, Freedom to Tinker, July 30, 2007
- S. M. Fulton, Three E-Voting Systems Susceptible to Attack, California Team Find, Beta News, July 30, 2007
- B. Krebs, Report: E-Voting Systems Hackable, Security Fix, July 30, 2007
- J. Washburn, Public Comments on Top to Bottom Review of Voting Systems Used in California, VoteTrustUSA, July 31, 2007
- H. Cheung, Hackers find serious problems in California voting machines, LXer, July 31, 2007
- B. Schneier, California Voting Machine Audit Results, Schneier on Security, July 31, 2007