As part of its Top-to-Bottom Review of electronic voting systems, including a review of their source code, the California Secretary of State has issued a revised version of its withdrawal of approval of the Sequoia Voting Systems voting system.

The problem, as described below in a lengthy withdrawal of approval and in the separate expert reports it relies on, is the Smartmatic software: Smartmatic owned Sequoia Voting Systems at the time of the review.

The de-certification itemizes fundamental flaws in the software which, it says, permit extensive tampering, manipulation, forgery, and other disruption of tabulation, printed ballots, and hardware. It does not mention Smartmatic by name, but it does specify the names and versions of the systems, software, firmware, and hardware covered.

The original source is linked at the end of this post. Its main points follow:

  • “I have undertaken such a review of voting systems approved for use in California, including the Sequoia Voting Systems, Inc., WinEDS v. 3.1.012/AVC Edge/Insight/Optech 400-C voting system, pursuant to a contract with the Regents of the University of California and conducted by experts selected and supervised by principal investigators from the computer science faculties of the Berkeley and Davis campuses, to determine if the voting systems are defective, obsolete, or otherwise unacceptable for use in the February 5, 2008, Presidential Primary Election and subsequent elections in California”;
  • “the expert reviewers demonstrated that the physical and technological security mechanisms provided by the vendors for each of the voting systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results;”
  • “the expert reviewers reported that all of the voting systems studied contain serious design flaws that have led directly to specific vulnerabilities, which attackers could exploit to affect election outcomes”;
  • “the Sequoia Source Code Review Team found significant security weaknesses throughout the Sequoia system, the nature of which raise serious questions as to whether the Sequoia software can be relied upon to protect the integrity of elections”;
  • “the Sequoia Source Code Review Team found that software mechanisms for transmitting election results and software mechanisms for updating software lack reliable measures to detect or prevent tampering”;
  • “the Sequoia Source Code Review Team found that the Sequoia system lacks effective safeguards against corrupted or malicious data injected into removable media, especially for devices entrusted to poll workers and other temporary staff with limited authority, with potentially serious consequences including alteration of recorded votes, adding false results, and, under some conditions, causing damage to the election management system when the corrupted or malicious data is loaded for vote counting”;
  • “the Sequoia Source Code Review Team found that the Sequoia system’s cryptography used to protect the integrity of precinct results can be easily circumvented and appears to be identical to cryptography key material in all Sequoia hardware, meaning an individual who gains temporary unauthorized access to one county’s Sequoia voting system has effectively gained access to all Sequoia voting systems used in other counties, provided that person can gain physical access to those systems”;
  • “the Sequoia Source Code Review Team found that Sequoia’s access controls and other computer security measures that are supposed to protect against unauthorized use of the Sequoia voting system’s central vote counting computers and polling place equipment are easily circumvented”;
  • “the Sequoia Source Code Review Team found that the Sequoia voting system software suffers from numerous programming errors, which have the potential to introduce or exacerbate security weaknesses”;
  • “the Sequoia Source Code Review Team found that while in certain cases, audit mechanisms may be able to detect and recover from some attacks, depending on county-specific procedures, other attacks may be difficult or impossible to detect after the fact, even through very rigorous audits, and even with procedural safeguards in place and strictly observed”;
  • “the Sequoia Source Code Review Team found that many voting system attacks are hard to detect and correct, defying development and implementation of simple, effective countermeasures”;
  • “the Sequoia Red Team, in its penetration testing of the Sequoia voting system, discovered multiple vulnerabilities”;
  • “Sequoia Red Team members developed a working exploit of the Sequoia voting system that allowed the system’s firmware to be overwritten with a malicious version”;
  • “the Sequoia Red Team members discovered that the Sequoia Edge direct recording electronic voting machine is designed to conduct Logic and Accuracy testing in a mode distinct from Election Day mode, which enables malicious firmware to detect when the Logic and Accuracy testing, meant as a check on the correct operation of the system on Election Day, is being conducted, and to avoid operating in an incorrect manner while in testing mode”;
  • “an attack could therefore be carried out on Election Day without being detected during the Logic and Accuracy testing”;
  • “the Sequoia Red Team members found that there is no secure, hardware-based mechanism to ensure that the voting system is running on the certified version of the firmware, which creates the potential for corrupted firmware to be loaded and executed without being detected”;
  • “the Sequoia Red Team members found a shell-like scripting language in the firmware of the Edge direct recording electronic voting machine that could be coerced into performing malicious actions, in apparent violation of 2002 Voting System Standards that prohibit ‘self-modifying, dynamically loaded or interpreted code’”;
  • “the scripting language includes, among others, a command to set the protective counter of the machine, which Sequoia representatives had described to the team as tamper-proof; a command to set the machine’s serial number; a command that can be used to overwrite arbitrary files on the internal compact flash drive, including the system firmware or audit trail; and a command to reboot the machine at will”;
  • “the Sequoia Red Team members found that the host operating system of the Sequoia voting system it tested was configured so that it will execute an ‘autorun’ file whenever removable media is inserted, which could allow the insertion of a Trojan program via a malicious USB removable storage media device that could modify ballot definitions and results and could also infect other components of the voting system”;
  • “the Sequoia Red Team members report that malicious firmware installed in such a manner could persist in a Sequoia Edge notwithstanding efforts to re-install certified software that would be believed to be uncorrupted”;
  • “the Sequoia Red Team members were able to bypass Sequoia voting system election management system controls to compromise the server host, despite vendor assurances to the contrary, because access controls could be bypassed and arbitrary commands could be executed”;
  • “the Sequoia Red Team members were able to create a working exploit on the Sequoia Edge that shifted votes from one candidate to another and was not detectable on the voter verifiable paper audit trail (VVPAT)”;
  • “the Sequoia Red Team members found that forging cartridges used to update the Sequoia voting system was possible for multiple reasons”;
  • “the Sequoia Red Team members determined that physical security devices, such as seals, used on the Sequoia voting system could be easily bypassed in a manner that was undetectable, and that all components (Optech 400-C, Edge, HAAT and Card Activator, Insight Optical Scanner, and Memory Packs) are vulnerable to these attacks”;
  • “tampering with optical scan equipment such as the Optech 400-C and Insight Optical Scanner can be readily detected and corrected through hand counting of the optical scan paper ballots marked and directly verified by voters”;
  • “voted and unvoted optical scan paper ballots can be secured through well developed and tested physical security policies and procedures”;
  • “tampering with direct recording electronic voting machines such as the Edge can be difficult or impossible to detect, and is also difficult or impossible to correct through hand counting of VVPAT records, particularly when combined with successful attacks on VVPAT printing systems such as the VeriVote printer”;
  • “studies have shown that many voters do not review VVPAT records and that test voters who do review VVPAT records do not detect many discrepancies that have been intentionally introduced between selections shown on the paper record and selections shown on the review screen of a direct recording electronic voting machine”;
  • “on July 30, 2007, a duly noticed public hearing was held to give interested persons an opportunity to express their views regarding the review of various voting systems, including the Sequoia Voting Systems, Inc., WinEDS v. 3.1.012/AVC Edge/Insight/Optech 400-C voting system. At this hearing, approximately 60 individuals testified. Many more submitted comments by letter, facsimile transmission, and electronic mail”;
  • “pursuant to Elections Code section 19222, I, as Secretary of State, am authorized to withdraw approval previously granted of any voting system or part of a voting system if I determine that voting system or any part of that voting system to be defective or otherwise unacceptable”;
  • “I have reviewed the Sequoia Voting Systems, Inc., WinEDS v. 3.1.012/AVC Edge/Insight/Optech 400-C voting system and I have reviewed and considered several reports regarding the use of this voting system; the public testimony presented at the duly noticed public hearing held on July 30, 2007”;
  • “For the reasons set forth above, the Sequoia Voting Systems, Inc., voting system, comprised of WinEDS, version 3.1.012, AVC Edge Model I, firmware version 5.0.24, AVC Edge Model II, firmware version 5.0.24, VeriVote Printer, Optech 400-C/WinETP, firmware version 1.12.4, Optech Insight, APX K2.10, HPX K1.42, Optech Insight Plus, APX K2.10, HPX K1.42, Card Activator, version 5.0.21, HAAT Model 50, version 1.0.69L, Memory Pack Reader (MPR), firmware version 2.15, which was previously approved, is found and determined to be defective or unacceptable and its certification and approval for use in subsequent elections in California is withdrawn effective August 3, 2007 ….”
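
The Red Team's Logic and Accuracy finding above (a test mode the firmware can recognise, so malicious firmware behaves correctly under test and misbehaves on Election Day) is easiest to see in a small simulation. The following Python is an added example, not code from the original post, from the Secretary of State's reports or from Sequoia; the machine model, the ballot format, the test deck and the vote-shifting rule are all constructed here for illustration and do not reproduce any real firmware. It also shows why running the same test deck in a mode the firmware cannot distinguish from Election Day (often called parallel testing) catches this particular trick while the observable L&A mode does not.

```python
"""Simulation of Logic and Accuracy (L&A) test-mode evasion by malicious
voting-machine firmware.  Added example for this page: the machine model,
ballot format, test deck and vote-shifting rule are all constructed here and
do not reproduce any real Sequoia firmware."""
from collections import Counter
from enum import Enum


class Mode(Enum):
    """Operating mode the firmware can observe (the distinction the finding relies on)."""
    LA_TEST = "logic_and_accuracy"
    ELECTION = "election_day"


def honest_tabulate(ballots, mode):
    """Reference firmware: counts every ballot as cast, in either mode."""
    del mode  # an honest tabulator does not care which mode it is in
    return Counter(ballots)


def malicious_tabulate(ballots, mode, victim="A", beneficiary="B", every_n=10):
    """Hypothetical malicious firmware (constructed for this example).

    In L&A mode it is indistinguishable from the honest firmware.  In election
    mode it moves every `every_n`-th vote for `victim` to `beneficiary`, a
    shift small enough to look plausible in the totals.
    """
    if mode is Mode.LA_TEST:
        return honest_tabulate(ballots, mode)
    tally = Counter()
    victim_votes = 0
    for choice in ballots:
        if choice == victim:
            victim_votes += 1
            if victim_votes % every_n == 0:
                choice = beneficiary
        tally[choice] += 1
    return tally


def la_test_passes(tabulate, test_deck):
    """Pre-election L&A check as the finding describes it: a known test deck is
    run with the machine switched into its distinct test mode and the tally is
    compared with the expected counts."""
    return tabulate(test_deck, Mode.LA_TEST) == Counter(test_deck)


def parallel_test_passes(tabulate, test_deck):
    """Same test deck, but cast with the machine in ordinary election mode so
    the firmware cannot tell the test from real voting (parallel testing)."""
    return tabulate(test_deck, Mode.ELECTION) == Counter(test_deck)


def election_discrepancy(tabulate, ballots):
    """Per-candidate difference between the reported tally and the ballots
    actually cast on Election Day (what a full hand count of correct paper
    records would reveal)."""
    cast = Counter(ballots)
    reported = tabulate(ballots, Mode.ELECTION)
    return {c: reported[c] - cast[c] for c in sorted(set(cast) | set(reported))}


if __name__ == "__main__":
    # Constructed inputs: a 45-ballot L&A test deck and a 200-ballot election.
    test_deck = ["A"] * 20 + ["B"] * 20 + ["C"] * 5
    election = ["A"] * 100 + ["B"] * 80 + ["C"] * 20
    for name, fw in (("honest", honest_tabulate), ("malicious", malicious_tabulate)):
        print(f"{name:9s} L&A test: {'pass' if la_test_passes(fw, test_deck) else 'FAIL'}  "
              f"parallel test: {'pass' if parallel_test_passes(fw, test_deck) else 'FAIL'}  "
              f"election discrepancy: {election_discrepancy(fw, election)}")
```

Both firmware images pass the L&A check; only the election-mode run and the parallel test expose the shift. The general point is that a self-test whose presence the device under test can observe gives no assurance about that device, which is the same reason the findings ask for a hardware-based check that the certified firmware is running rather than a check performed by the firmware itself.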

Source:
1. votingsystems.cdn.sos.ca.gov/oversight/ttbr/sequoia-102507.pdf

1. What does this de-certification say about the source code in the Sequoia machines?

2. How does that source code relate to Smartmatic?

3. What did the Sequoia Source Code Review Team mean when finding the software mechanisms “lack reliable measures to detect or prevent tampering”?

4. What could those “potentially serious consequences” be that would include “alteration of recorded votes, adding false results,” and damaging the election management system?

5. When were the problematic source code, software, and hardware re-submitted for independent audit and certification?

6. Did California maintain those 2007 standards for independent audit and certification?

7. If not, who removed those standards and why?