Iowans have to step up to protect the South Carolina primary. Most do not know it, but the primary will be conducted on a statewide touch screen system without a paper trail. And not just any touch screen: South Carolina uses an extremely insecure system that Ohio’s Secretary of State recommended scrapping just last week, and which Colorado’s Secretary of State decertified on Monday. Iowans should educate the Presidential candidates, and call on them to act.
“It’s worse than I anticipated.” Those are the words of Ohio Secretary of State Jennifer Brunner used to describe the security of voting systems in her state, following a top-to-bottom review by a corporate-academic team. Brunner has recommended that Ohio scrap all direct-recording electronic touch screen systems.
Brunner’s review included the iVotronic, the statewide system to be used in the South Carolina primaries on January 19 and January 26.
In a recent article, I wrote that South Carolina’s primary will depend on the reliability of the less than reliable iVotronic. Ohio’s review team confirms Brunner’s statement: the system is worse than we thought.
In the wake of the Ohio findings, Ed Felten, who is head of the Center for Information Technology Policy at Princeton wrote of the iVotronic:
Even if you don’t think anyone would try to steal an election, this should still scare you. A machine with so many design errors must also be susceptible to misrecording or miscounting votes due to the ordinary glitches and errors that always plague computer systems. Even if all poll workers and voters were angels, this machine would be too risky to use.
What did the Ohio reviewers find? The Ohio academic team found that the iVotronic’s internal memory can be accessed, and its firmware compromised, by a person using magnet and personal digital assistant – see page 69 of the pdf (page 51 of the physical document):
Anyone with physical access to polling station PEBs can easily extract or alter their memory. This requires only a small magnet and a conventional IrDA-based palmtop computer (exactly the same kind of readilyavailable hardware that can be used to emulate a PEB to an iVotronic terminal). Because PEBs themselves enforce no passwords or access control features, physical contact with a PEB (or sufficient proximity to activate its magnetic switch and IR window) is sufficient to allow reading or writing of its memory. The ease of reading and altering PEB memory facilitates a number of powerful attacks against a precinct’s results and even against county-wide results. An attacker who extracts the correct EQC, cryptographic key, and ballot definition can perform any election function on a corresponding iVotronic terminal, including enabling voting, closing the terminal, loading firmware, and so on.
How difficult would potential attackers find it to actually do this?
Page 22 of the academic report pdf (document page 4):
“The review teams were able to subvert every voting system we were provided in ways that would often lead to undetectable manipulation of election results. We were able to develop this knowledge within a few weeks. However, most of the problems that we found could have been identified with only limited access to voting equipment. Thus, it is safe to assume that motivated attackers will quickly identify – or already have- these and many other issues in these systems. Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact.”
This is the machine that will count the votes in primary that will be make or break for as much as a majority of the candidates in both parties.
The South Carolina situation cannot go unchallenged. It is almost certainly too late for South Carolina to purchase new voting equipment. But the state does require emergency paper ballots in case of equipment failure. The state can simply decide that in light of new evidence, the iVotronic is not appropriate for use in a Presidential primary. Many counties have central-count scanners for absentee ballots, so there would be options short of a hand count. Update: If paper ballots are counted with central-count scanners, there must also be a random hand audit to check the electronic tallies.
What can you do? Contact the Presidential candidates and educate them.The candidates may be the only people who can turn this situation around. If the South Carolina Electoral Commission feels pressure from them, they may do the responsible thing. So call on your candidate to ask South Carolina not to use the iVotronic in the primary, and if they use computer tabulation of paper ballots, to do a random, transparent hand audit of the ballots. Download a flyer on the iVotronic. Show them Professor Felten’s blog post linked above. Show them the Ohio report.
Contact the Democratic and Republican candidates.
Who wants to see any candidates find themselves unable to raise money, drop out, or emerge triumphant after the iVotronic primary?