Voting plays a fundamental role in a free society. In recent years, there has been a growing movement towards electronic voting, where some or all of the vote casting and tallying process is handled by computers. Reports of voting irregularities, allegations of vulnerabilities in leaked voting machine source code, and reasoned criticism of the role computers should play in the voting process led to an intense interest in vetting the security of the available electronic voting systems.

A number of academic studies have been conducted on electronic voting security, but I was lucky enough to participate in two rather unique state-sponsored efforts: the California TTBR and Ohio EVEREST projects. Our team's experiences in analyzing electronic voting systems were eventually published at ISSTA and in IEEE TSE.

California TTBR

Demonstration of attacks against Sequoia DREs conducted during the California TTBR.

In 2007, California Secretary of State Debra Bowen fulfilled a campaign promise to evaluate the security of electronic voting machines used in California elections by asking the University of California to conduct a comprehensive review of those systems. This effort became known as the California Top-to-Bottom-Review (TTBR) of electronic voting systems. Under this rubric, separate source code, red team, documentation review, and accessibility investigations were conducted by academic teams from around the nation. I participated in the review as a “red team” penetration tester from UC Santa Barbara for the Sequoia electronic voting system.

During the course of the study, our team was able to demonstrate a number of serious security vulnerabilities in the Sequoia system, ranging from physical attacks against the supposedly tamper-evident seals to the ability to inject arbitrary code into voting terminals that could silently and undetectably subvert the integrity of an election.

As a result of our efforts, the Sequoia DRE was disqualified from use in the State of California (with a limited exception for accessibility reasons). The academic report to the CA Secretary of State contains more details on our conclusions.

Ohio EVEREST

Information flows between voting system components.

Due in part to well-publicized electronic voting machine malfunctions, Ohio Secretary of State Jennifer Brunner soon organized a similar effort to audit the security of electronic voting systems in the State of Ohio. This project involved teams from the University of Pennsylvania, Pennsylvania State University, UC Berkeley, and UC Santa Barbara, and came to be known as the Ohio EVEREST voting system review.

I played a similar role in this project, but the target of our investigations was instead the ES&S electronic voting system. Our findings for the ES&S system were as serious as those that we found for the Sequoia system. Again, it was trivial for a skilled attacker to execute arbitrary malicious code on the DREs. In addition, our team was able to demonstrate a proof-of-concept persistent voting worm, a self-replicating piece of malware that could spread from multiple infection vectors throughout the entire ES&S voting system. Such a worm could compromise election integrity at multiple points—e.g., at the voting terminals or at centralized tallying machines.

The academic report submitted to the Ohio Secretary of State contains a full exposition of our findings.