Eight Clay County, Kentucky election officials were charged last week with conspiring to alter ballots cast on electronic voting machines in several recent elections. The story was first reported on a local TV station and was featured on the election integrity site BradBlog. According to the indictment [pdf], the conspiracy allegedly included, among other things, altering ballots cast on the county's ES&S iVotronic touchscreen voting machines.
So how could this have happened?
The iVotronic is a popular Direct Recording Electronic (DRE) voting machine. It displays the ballot on a computer screen and records voters' choices in internal memory. Voting officials and machine manufacturers cite the user interface as a major selling point for DRE machines -- it's already familiar to voters used to navigating touchscreen ATMs, computerized gas pumps, and so on, and thus should avoid problems like the infamous "butterfly ballot". Voters interact with the iVotronic primarily by touching the display screen itself. But there's an important exception: above the display is an illuminated red button labeled "VOTE" (see photo at right). Pressing the VOTE button is supposed to be the final step of a voter's session; it adds their selections to their candidates' totals and resets the machine for the next voter.
The Kentucky officials are accused of taking advantage of a somewhat confusing aspect of the way the iVotronic interface was implemented. In particular, the behavior (as described in the indictment) of the version of the iVotronic used in Clay County apparently differs a bit from the behavior described in ES&S's standard instruction sheet for voters [pdf - see page 2]. A flash-based iVotronic demo available from ES&S here shows the same procedure, with the VOTE button as the last step. But evidently there's another version of the iVotronic interface in which pressing the VOTE button is only the second to last step. In those machines, pressing VOTE invokes an extra "confirmation" screen. The vote is only actually finalized after a "confirm vote" box is touched on that screen. (A different flash demo that shows this behavior with the version of the iVotronic equipped with a printer is available from ES&S here). So the iVotronic VOTE button doesn't necessarily work the way a voter who read the standard instructions might expect it to.
The indictment describes a conspiracy to exploit this ambiguity in the iVotronic user interface by having pollworkers systematically (and incorrectly) tell voters that pressing the VOTE button is the last step. When a misled voter would leave the machine with the extra "confirm vote" screen still displayed, a pollworker would quietly "correct" the not-yet-finalized ballot before casting it. It's a pretty elegant attack, exploiting little more than a poorly designed, ambiguous user interface, printed instructions that conflict with actual machine behavior, and public unfamiliarity with equipment that most citizens use at most once or twice each year. And once done, it leaves behind little forensic evidence to expose the deed.
Current electronic voting systems have been widely -- and justifiably -- criticized for being insufficiently secure against vote tampering and other kinds of election fraud. I led the team at U. Penn that examined the ES&S iVotronic -- the same machine used in Kentucky -- as part of the Ohio EVEREST voting systems study in 2007. We found numerous exploitable security weaknesses in these machines, many of which would make it easy for a corrupt voter, pollworker, or election official to tamper with election results (see our report [pdf] for details). Other studies have reached similarly grim conclusions about most of the other e-voting products used in the US and elsewhere. But these results, alarming as they are, also raise a perplexing question: if the technology is so vulnerable, why have there been so few (if any) substantiated cases of these systems being attacked and manipulated in actual elections?
A plausible explanation is simply that the bad guys haven't yet caught up with the rich opportunities for mischief that these systems provide. It takes time for attackers to recognize and learn to exploit security weaknesses in new devices, and touchscreen voting machines have been in wide use for only a few years (most US counties purchased their current systems after 2002, with funding from the Help America Vote Act). For example, the computers connected to the Internet were for a long time largely vulnerable to network-based attack, but it took several years before viruses, worms, and botnets became serious threats in practice. In other words, new technologies sometimes enjoy an initial relatively crime-free "attack honeymoon" in which even very weak defenses seem to be sufficient. But eventually, the criminals arrive, and, once they climb the learning curve, the world becomes a much more hostile place very quickly.
We might ask, then, what the (alleged) Kentucky conspiracy tells us about the e-voting attack honeymoon. Are the bad guys catching up? On the one hand, we might be comforted by the relatively "low tech" nature of the attack -- no software modifications, altered electronic records, or buffer overflow exploits were involved, even though the machines are, in fact, quite vulnerable to such things. But a close examination of the timeline in the indictment suggests that even these "simple" user interface exploits might well portend more technically sophisticated attacks sooner, rather than later.
Count 9 of the Kentucky indictment alleges that the Clay County officials first discovered and conspired to exploit the iVotronic "confirm screen" ambiguity around June 2004. But Kentucky didn't get iVotronics until at the earliest late 2003; according to the state's 2003 HAVA Compliance Plan [pdf], no Kentucky county used the machines as of mid-2003. That means that the officials involved in the conspiracy managed to discover and work out the operational details of the attack soon after first getting the machines, and were able to use it to alter votes in the next election.
Yes, the technique is low-tech, but it's also very clever, and not at all obvious. The only way for them to have discovered it would have been to think hard and long about how the machines work, how voters would use them, and how they could subvert the process with the access they had. And that's just what they did. They found the leverage they needed quickly, succeeding at using their discovery to steal real votes, and apparently went for several years without getting caught. It seems reasonable to suspect that if a user interface ambiguity couldn't have been exploited, they would have looked for -- and perhaps found -- one of the many other exploitable weaknesses present in the ES&S system.
But that's not the worst news in this story. Even more unsettling is the fact that none of the published security analyses of the iVotronic -- including the one we did at Penn -- had noticed the user interface weakness. The first people to have discovered this flaw, it seems, didn't publish or report it. Instead, they kept it to themselves and used it to steal votes.