
Election Security At The Chip Level

RISC-V-based solution under development, but the very nature of a voting system raises issues.


Technological advances have changed every facet of our lives, from reading to driving to cooking, but one task remains firmly rooted in 20th-century technology — voting.

Electronic voting remains doggedly unavailable to most, and almost always unusable to those who have it. For more than a decade, it seems every election is accompanied by numerous reports of voting machine problems. The most common issue involves machines changing votes. It has happened in numerous states, and even to Ellen Swenson, chief analyst for the Election Integrity Project, a non-partisan California group seeking to preserve election integrity. That work is not easy when two separate voting machines in Riverside County, where Swenson resides, recorded her votes incorrectly.

At least that machine worked. “So many have said they’ve gone to polls and the machines break down. That’s another thing that hurt the subject. There were so many broken machines across [Los Angeles] County in 2018 and none were fixed, so LA had to use paper ballots,” she said.

For some people, the old paper punch ballot is actually preferable, said Swenson. “There is a whole set of challenges, philosophically and psychologically. The idea of connecting to the Internet scares some people, their fear of the privacy of their vote being compromised, or hacking it and changing the results. There’s a real psychological wall to climb,” she said.

Solutions are in development to make this whole process work better and more securely, using both open-source chip hardware and software. But how effectively this can be implemented remains in question, particularly in light of previous failures.

The worst business to be in
Things got so bad in Georgia, for example, that a federal judge ordered the state to stop using its antiquated electronic voting machines by 2020 and go to paper ballots. Georgia was using Diebold Accuvote TSX touchscreen machines with hardware and software that dates back to around 2005. In 2006 and 2007, security researchers discovered numerous security flaws in those machines, which prompted California to stop using them.

Therein lies the biggest issue. You would be hard-pressed to find a state that didn’t have budget challenges, and they certainly don’t have the spare millions to buy new voting machines. So they continue to use antiquated machines that can barely read a voter’s touch.

“The voting machine marketplace is a really miserable market to be in,” said Alex Halderman, a professor of computer science at the University of Michigan, who served as the star witness for the plaintiffs in the Georgia case. “If you are a sophisticated company you will make more money on virtually anything but voting machines. Why go into a marketplace where your customers have hardly any money to spend on it about once a decade or so, and everyone needs technical support on the same day? It’s not where I would decide to do a startup.”

Others agree. “Voting machine companies are undercapitalized and have maybe a handful of skilled programmers,” said Doug Jones, a computer science professor at the University of Iowa. “We’re dealing with a niche market that is strapped for resources. Their customers are government and government is poor, especially at the county level. Elections are at the bottom of the list of priorities, below roads and schools. This has been a problem since the dawn of e-voting machines.”

And that’s why Diebold, which was one of the major e-voting machine makers along with Election Systems & Software (ES&S), Clear Ballot, and InterCivic, sold the business to Canada’s Dominion Voting Systems. A representative, who spoke on condition he not be named, said the reasons cited by Halderman and Jones were exactly why it dumped the business.

Failure of leadership
Experts cite a failure of leadership at both the federal and state levels, but for different reasons. The federal government is largely hands-off and leaves it to the states, in another example of the federal vs. states' rights tension that goes back to the founding of the nation. The transience of government workers and elected officials doesn’t help.

“Governments have people making decisions who may not be there five years from now and people running equipment who may not be here two years from now,” said Winn Maddrey, a former software sales and marketing executive for electronic poll books. “It has to be at the federal and state level because you’ve got to run local elections and the feds can’t tell a city how to run their mayoral race. To me, the federal government should lay out minimal levels of quality processes and testing processes so the states can say they meet minimum standards.”

The problem is no one has consistent standards. Everything is different in every state. Some allow provisional ballots, while others do not. Some say you can vote on Sunday, others do not. In California, it gets even more bifurcated. Each county has been responsible for its own tabulating equipment. That means 57 different entities trying to maintain their own voting equipment, and each county has different equipment.

But Swenson defends this, saying the diversity secures the machines. “When you have all the same systems, there is more likely to be issues that can affect all if you have a problem. There is some sort of safety in that diversity in terms of hacking rather than in a homogenous situation,” she said.

Technological issues
There are multiple problems with using voting machines that date back to the early 2000s. Touch screens had yet to take a serious jump in quality (thanks to the iPhone). No operating system was able to support touch. Windows 7, released in 2009, was the first Windows OS to support it. The Linux kernel gained touch with version 3.8 in 2009. Anything prior to that was home-brew, which at least partially explains why these 15-year-old machines can’t count a vote properly.

The obvious comparison for voting machines would be ATMs, but that comparison does not hold up, argue a number of experts interviewed by Semiconductor Engineering. The nature of an ATM transaction is very different from a vote. A bank transaction follows your every move, whereas your vote should be known only to you.

“Private ballot is a critical aspect of our elections,” said Joey Dodds, co-founder of Free & Fair, a developer of a variety of secure systems, one of them being electronic voting machines. “It lets people vote without fear of consequence of their vote and keeps people from selling their vote. It also makes security particularly hard.”

If a thousand dollars disappears from your bank account, you can see that and the bank can see where it went because there is a record every step of the way. But in an election, if votes appear or disappear there is no way to determine where they came from or went because of privacy.

“For every bank transaction, you have a record and the bank has a record. Those records can be reconciled if there is a contested charge,” said Jones. “You can’t do that with votes. Doing that requires abandoning the concept of a secret ballot.”

We can do one thing ATMs do, and that’s give a paper printout of the individual’s vote to compare with what is on the screen. The best we can do today with available technology and limits of regulations is to use machines with a physical backup of every vote in the form of a paper backup. Most, if not all, of the new machines deployed for this month’s election gave the voter a printed copy of their vote.

To connect or not to connect
And while touchscreen technology has made significant advancements in the last 15 years, another thorny issue remains — Internet connections. Should e-voting machines be connected and transmitting results back to a central vote counting facility?

They are not supposed to, but earlier this year Vice reported it happened in multiple states. Voting machines are supposed to be disconnected to prevent hacking. Pulling the Ethernet wire is called air gapping, and most of those interviewed are all for it.

“Most tabulation equipment should not be Internet-enabled,” said Maddrey. “Certainly not optical scanning equipment. But from a standpoint of concern over hacking, no Internet connection would be a safety precaution.”

Dodds added, “We’d rather not have machines connected to the Internet. Connecting a machine to the Internet opens it up to the whole world, so limiting that is a wise thing to do.”

Swenson was open to the idea of end-to-end encryption via VPN. “It may need a level of hardware VPN to secure the connection, that’s doable,” she said. But then there’s the case of ES&S admitting it installed pcAnywhere on some voting systems, once again dashing trust and faith in the voting machine vendors.

“A VPN implies systems on both sides are connected to the Internet and it’s not a silver bullet to attacks to break into end points. [NSA whistleblower Edward] Snowden showed the government could break VPN software 10 years ago,” said Halderman.

Voting machines could use a trusted platform module (TPM) to encrypt their data, but again comes the issue of trust. “TPMs are great if you trust the vendor. If I ran elections with a TPM-based machine, I’d be giving the vendor the trust. And I’d have to ask, do I trust this office?” said Jones.

Microsoft to the rescue?
Free & Fair has a research project with Microsoft that it believes is the answer. The project is called ElectionGuard, a free and open-source SDK from Microsoft’s Defending Democracy Program, a comprehensive effort on Microsoft’s part that includes providing tools for building electronic voting systems.

In ElectionGuard, every ballot is encrypted and a hash generated and printed for the user. They can then verify online that their vote was received at the central polling places and counted. However, the machines are still not Internet-connected.
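The encrypt, print a hash, verify later flow described above, as an added toy model that is not ElectionGuard's or Free & Fair's code: exponential ElGamal with deliberately tiny, insecure group parameters, a SHA-256 tracking code per encrypted ballot, a public board the voter checks, and a homomorphic tally so the count is obtained without decrypting any single ballot. It goes slightly beyond the passage by showing the tally step; the zero-knowledge proofs and threshold decryption a real design relies on are left out.

```python
import hashlib
import secrets
# Constructed toy group, NOT secure: P is a safe prime (P = 2*Q + 1) and G = 4 is a
# quadratic residue mod P, so it generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    """Election key pair. A deployed system shares s among trustees (threshold)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def encrypt_choice(h, v):
    """Exponential ElGamal of a 0/1 choice: (g^r, g^v * h^r). Fresh r per choice."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, v, P) * pow(h, r, P) % P)

def encrypt_ballot(h, choices):
    """One ciphertext per candidate. (Proofs that each v is 0/1 and one is chosen omitted.)"""
    return [encrypt_choice(h, v) for v in choices]

def tracking_code(enc_ballot):
    """Hash of the encrypted ballot, printed for the voter; reveals nothing about the vote."""
    data = ",".join(f"{a}:{b}" for a, b in enc_ballot).encode()
    return hashlib.sha256(data).hexdigest()[:16]

def homomorphic_tally(s, enc_ballots, n_candidates):
    """Multiply the ciphertexts per candidate, then decrypt only the aggregate,
    so the count is recovered without ever decrypting an individual ballot."""
    counts = []
    for i in range(n_candidates):
        c1, c2 = 1, 1
        for b in enc_ballots:
            c1, c2 = c1 * b[i][0] % P, c2 * b[i][1] % P
        m = c2 * pow(c1, Q - s, P) % P  # c1 has order dividing Q, so c1^(Q-s) = c1^(-s)
        # m = g^count and count <= number of ballots, so brute-force the discrete log
        counts.append(next(k for k in range(len(enc_ballots) + 1) if pow(G, k, P) == m))
    return counts

def run_election(ballots):
    """Constructed driver: returns the public board of (code, ciphertext) and the tally."""
    s, h = keygen()
    board = [(tracking_code(enc), enc) for enc in (encrypt_ballot(h, b) for b in ballots)]
    tally = homomorphic_tally(s, [enc for _, enc in board], len(ballots[0]))
    return board, tally

def voter_verifies(board, printed_code):
    """The online check from the passage: is my printed code on the public board?"""
    return any(code == printed_code for code, _ in board)
```

Because only the aggregate is decrypted, publishing the board lets each voter confirm inclusion while the secret-ballot property discussed earlier is preserved.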

“The best practice would be to not connect them to the Internet. One of the things that the higher assurance election systems have done is it’s reasonable to have local network where they talk to each other but not connected to the Internet. I don’t see the inconvenience of slower and higher effort reporting to be worth the risk of opening machines up to the Internet,” said Dodds.

RISC-V project
There is another Free & Fair project in the works, called BESSPIN. This is F&F’s entry in DARPA’s System Security Integration Through Hardware and Firmware (SSITH) program, which aims to develop hardware security architectures and associated design tools to protect systems against classes of hardware vulnerabilities. Voting systems were chosen to be a part of the project because if anything could use secure hardware, voting systems are it.

Source: DARPA

The goal of the program is to develop ideas and design tools that will enable system-on-chip (SoC) designers to safeguard hardware against all known classes of hardware vulnerabilities that can be exploited through software.

Joe Kiniry, CEO and chief scientist for Free & Fair, said the BESSPIN project chose RISC-V because it is an open ISA, unencumbered by IP concerns. “Anyone in the world can create, learn from, extend a RISC-V design. One simply cannot do this kind of thing with other ISAs,” he said.

He added the RISC-V ISA was designed explicitly by analyzing the successes and failures of past ISAs and their implementations, so it is clean, parametrized, decomposable, and easy to use and extend. “Therefore, even in the earliest days of implementation work, the community has created dozens of designs realized via simulation in FPGAs, as well as dozens of test ASICs. And some of those designs are formally verified, even by hobbyists—a result never before seen in the x86 and Arm worlds,” he said.

The system is entirely open source, which he believes has an enormous impact on the claimed quality, correctness, and security of a product. “After all, its creators have nothing to hide if they open source,” he said.

Kiniry said there is no estimated time for delivery because it is a research project, but if a vendor becomes enamored with some of the technologies created in the BESSPIN project for the DARPA SSITH program, “they could work with us to integrate it into their current products and re-certify a new version of their system in a few short months.”

Going forward
So, similar to ATM transactions, it seems electronic voting will involve a printed copy to verify the transaction. New voting machines were rolled out around the country for the most recent election to generally positive reviews, although the news out of Austin, Texas was mixed.

The question now is whether those areas will be using the same machines in the 2032 election.



3 comments

Mark Grossman says:

This article leaves the impression that open source HW and printed receipts will solve the voting security problem. By themselves THEY WILL NOT. There must be full non-partisan chain of custody security of the hardware, software, and voting results. What % of counties in the country can handle that? HAND-MARKED PAPER BALLOTS with chain of custody security is the best and most affordable voting system.

Doug Golde says:

NY state does very few things right, but their voting machines are an isolated example. You fill out a paper bubble sheet ballot with a pen and then feed it into a scanner. The scanner retains your sheet. The process provides the speed of digital with paper backup. Security, redundancy, the ability to do audits, and it’s fast.

M. Fioretti says:

Good article, thanks. But just another one that confirms my belief that e-voting is such a dumb idea in itself that it shouldn’t exist, period.
