The final reports of California's "Top to Bottom Review" of its voting systems are in, and the results aren't pretty. Yesterday, the other shoe dropped. Secretary of State Debra Bowen, who as a candidate promised to radically overhaul California's election technology and related procedures, did just that. In a statement made literally at the 11th hour -- minutes before an impending statutory deadline expired -- Bowen announced that all of the voting equipment analyzed in the Top to Bottom Review would be prohibited from further use in the state unless dramatically improved security requirements were met. EFF applauds Secretary of State Bowen's courageous decision. We sincerely hope that other jurisdictions will promptly follow California's lead.

Highlights of the additional requirements imposed on the previously approved equipment of vendors Diebold and Sequoia Systems:

* Only one DRE may be used per precinct in order to satisfy federal accessibility requirements. DREs may still be used in early voting.
* Improved audit requirements for all vote tallies, including increased manual sample counts in close elections and escalation requirements if discrepancies are found.
* A 100% manual count audit requirement for each DRE.
* All increased audit requirements must be paid for by the vendor.
* Elections officials must reset default passwords and encryption keys prior to each election.
* Prior to the February primaries, all voting system software and firmware must be reinstalled using certified versions stored with federal testing labs.
* All use of wireless components is prohibited.
* Upon request, members of the public must be permitted to inspect the integrity of hardware security seals.
* Election officials must create detailed logs of all voting equipment problems, logs which must be made publicly available for inspection.
* Any voting device that crashes must be pulled from service. All votes cast on that device are subject to a 100% manual audit requirement. In addition, all software and firmware must be reinstalled from approved sources before that device can subsequently be used again.

Hart InterCivic's DREs, which the Secretary of State found to be similarly "defective or unacceptable" although less vulnerable in some ways than either Diebold's or Sequoia's systems, are subject to similar security restrictions with some notable exceptions including less-stringent auditing requirements and no limitation on the number of DREs used in future elections.

California's Top to Bottom Review, which included "red team" attacks on all certified systems to uncover vulnerabilities as well as an analysis of system source code and documentation, began on May 31, 2007. Despite the short review period, the respective teams identified a wide range of critical vulnerabilities and other design problems, discoveries that bolstered the criticisms levied by EFF and others that the country's voting technology needs a massive overhaul if it is to earn the legitimate trust of the voting public.

Among the findings in the source code review reports, released to the public on August 2nd:

Sequoia Systems (Final Source Code Review Report:
* "Every software mechanism for transmitting election results and every software mechanism for updating software [in Sequoia's voting system] lacks reliable measures to detect or prevent tampering."
* "We found pervasive security weaknesses throughout the Sequoia software. Virtually every important software security mechanism is vulnerable to circumvention."
* "[W]e are not optimistic that acceptable practical and secure mitigation procedures are even possible for some of the Sequoia system?s components and features, at least in the absence of a comprehensive re-engineering of the system itself."

Diebold (Final Source Code Review Report:
* "Our analysis shows that the technological controls in the Diebold software do not provide sufficient security to guarantee a trustworthy election. The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes."
* "Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit ?weakness-in-depth? ? even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile. Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design."

Hart InterCivic (Final Source Code Review Report:
* "Building a secure networked system of this type requires adopting an attitude of defense in depth: it must be designed and implemented in such a way that a compromised component cannot induce misbehavior in other components that communicate with it. Our examination indicates that Hart?s system is not designed along these lines."
* "Although we had only limited time to review the source code of the system, our review nevertheless uncovered what we believe to be a number of significant security issues. In many cases the Hart system does not incorporate defense-in-depth principles, which may allow individual attacks
to be escalated up to much broader attacks. ... Some of these issues can be mitigated with stricter polling place procedures. Others may be
repaired with minor modifications to Hart?s systems, while yet others may require significant re-design."

Related Issues