mosShowVIMenu( $params );
Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine
| Print |
By Andrew W. Appel, Maia Ginsburg, Harri Hursti, Brian W. Kernighan, Christopher Richards,Gang Tan
October 18, 2008
The AVC Advantage voting machine is made by Sequoia Voting Systems and
has been used in New Jersey, Pennsylvania, Louisiana, and other states.
Pursuant to a Court Order in New Jersey Superior Court, we examined this
voting machine as well as its computer program code.
On October 17, 2008 the
Court permitted us to release to the public a redacted
version of our report.
Insecurities and Inaccuracies of the
Sequoia AVC Advantage 9.00H
DRE Voting Machine (click here) This report
was originally submitted to the Court on September 2 in the form
of an expert-witness report by Andrew W. Appel.
The Court has released this redacted
version to the public. The version we release here,
linked in boldface above, is the same as the Court's redacted version,
but with a few introductory paragraphs about the court case,
Gusciora v. Corzine.
Videos will be available soon, pending approval by the Court.
Frequently Asked Questions
It takes about 7 minutes, using simple tools, to replace the computer
program in the AVC Advantage with a fraudulent program that cheats.
We demonstrate this on the video.
What you need to know:
The AVC Advantage contains a computer. If someone installs a
different computer program for that computer to run, it can
deliberately add up the votes wrong. It's easy to make a computer
program that steals votes from one party's candidates, and gives them
to another, while taking care to make the total number of votes come
out right. It's easy to make this program take care to cheat only on
election day when hundreds of ballots are cast, and not cheat when the
machine is being tested for accuracy. This kind of fraudulent
computer program can modify every electronic "audit trail" in the
computer. Without voter-verified paper ballots, it's extremely hard
to know whether a voting machine (such as the AVC Advantage) is
running the right program.
Even when it's not hacked to deliberately steal votes, the AVC
Advantage has a few user-interface flaws. Therefore, sometimes the
AVC Advantage does not properly record the intent of the voter.
All known voting technologies have imperfect user interfaces, although
some are worse than others.
The public should beware of the argument that some people make, that
"we should not replace the AVC Advantage with
voting method X, because X is imperfect."
The AVC Advantage's susceptibility to installation of a fraudulent
vote-counting program is far more than an imperfection:
it is a fatal flaw.
What should be done? Most technology experts who
study the security of voting methods recommend precinct-count
optical-scan voting, with by-hand audits of the optical-scan
ballots from randomly selected precincts. We agree with this
consensus. In fact, most states are moving in the right direction: 32
states now vote with voter-verified paper ballots (mostly
optical-scan, some with DRE+VVPAT). Only a minority of states are
still using paperless DRE voting machines such as the AVC Advantage.
We recommend that those states adopt precinct-count optical scan.
Executive Summary of the Report
The AVC Advantage 9.00 is easily ``hacked,''
by the installation of fraudulent firmware.
This is done by prying just one ROM chip from its socket and
pushing a new one in, or by replacement of the Z80 processor
chip. We have demonstrated
that this ``hack'' takes just 7 minutes to perform.
The fraudulent firmware can
steal votes during an election, just as its criminal designer
programs it to do. The fraud cannot practically be detected.
There is no paper audit trail on this machine; all electronic records
of the votes are under control of the firmware, which
can manipulate them all simultaneously.
Without even touching a single AVC Advantage, an attacker
can install fraudulent firmware into many AVC Advantage machines
by viral propagation through audio-ballot cartridges.
The virus can steal the votes of blind voters,
can cause AVC Advantages in targeted precincts to fail to operate;
or can cause WinEDS software to tally votes inaccurately.
(WinEDS is the program, sold by Sequoia, that each County's
Board of Elections uses to
add up votes from all the different precincts.)
Design flaws in the user interface of the AVC Advantage
disenfranchise voters, or violate voter privacy,
by causing votes not to be counted,
and by allowing pollworkers to commit fraud.
AVC Advantage Results Cartridges can be easily manipulated
to change votes, after the polls are closed but before results
from different precincts are cumulated together.
Sequoia's sloppy software practices can lead to error and insecurity.
Wyle's ITA reports are not rigorous, and are inadequate to detect security vulnerabilities.
Programming errors that slip through these processes can miscount votes
and permit fraud.
Anomalies noticed by County Clerks in the New Jersey 2008 Presidential
Primary were caused by two different programming errors on the part
of Sequoia, and had the effect of disenfranchising voters.
The AVC Advantage has been produced in many versions.
The fact that one version may have been examined for certification
does not give grounds for confidence in the security and accuracy
of a different version. New Jersey should not use any version
of the AVC Advantage that it has not actually examined
with the assistance of skilled computer-security experts.
The AVC Advantage is too insecure to use in New Jersey.
New Jersey should immediately implement the 2005 law
passed by the Legislature, requiring an individual voter-verified record
of each vote cast, by adopting precinct-count optical-scan voting
Comment on This Article
You must login to leave comments...
Other Visitors Comments
You must login to see comments...
mosShowVIMenu( $params );