VoteTrustUSA - Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine

The image “http://www.votetrustusa.org/images/votetrust-small2.jpg” cannot be displayed, because it contains errors.

ElectionAudits.org

The nation's clearinghouse for election audit information!

General Resources

VotersUnite: Mythbreakers

Operation Ballot Integrity - Fairfax Co. Republicans (PDF)

NIST - Threats to Voting Systems

Overview of The Election Industry

OpScans vs. DREs

Survey of Florida Costs

Miami-Dade County Report on DREs

Voting System Security

GAO Report on Election Security 10/05

DNC: Democracy at Risk 6/05 (PDF)

DNC: Electronic Voting (PDF)

CRS Report 2003

Accessibilty

Vote-PAD: Accessible Voting Without Computers

VV Accessibility Survey

Tactile Ballots

: mosShowVIMenu( $params ); break; } ?>

Vendors

Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine

By Andrew W. Appel, Maia Ginsburg, Harri Hursti, Brian W. Kernighan, Christopher Richards,Gang Tan

October 18, 2008

The AVC Advantage voting machine is made by Sequoia Voting Systems and has been used in New Jersey, Pennsylvania, Louisiana, and other states. Pursuant to a Court Order in New Jersey Superior Court, we examined this voting machine as well as its computer program code. On October 17, 2008 the Court permitted us to release to the public a redacted version of our report.

Public Report: Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine (click here) This report was originally submitted to the Court on September 2 in the form of an expert-witness report by Andrew W. Appel. The Court has released this redacted version to the public. The version we release here, linked in boldface above, is the same as the Court's redacted version, but with a few introductory paragraphs about the court case, Gusciora v. Corzine.

Videos: Videos will be available soon, pending approval by the Court.

Frequently Asked Questions

What you need to know:

The AVC Advantage contains a computer. If someone installs a different computer program for that computer to run, it can deliberately add up the votes wrong. It's easy to make a computer program that steals votes from one party's candidates, and gives them to another, while taking care to make the total number of votes come out right. It's easy to make this program take care to cheat only on election day when hundreds of ballots are cast, and not cheat when the machine is being tested for accuracy. This kind of fraudulent computer program can modify every electronic "audit trail" in the computer. Without voter-verified paper ballots, it's extremely hard to know whether a voting machine (such as the AVC Advantage) is running the right program.

It takes about 7 minutes, using simple tools, to replace the computer program in the AVC Advantage with a fraudulent program that cheats. We demonstrate this on the video.

Even when it's not hacked to deliberately steal votes, the AVC Advantage has a few user-interface flaws. Therefore, sometimes the AVC Advantage does not properly record the intent of the voter. All known voting technologies have imperfect user interfaces, although some are worse than others. The public should beware of the argument that some people make, that "we should not replace the AVC Advantage with voting method X, because X is imperfect." The AVC Advantage's susceptibility to installation of a fraudulent vote-counting program is far more than an imperfection: it is a fatal flaw.

What should be done? Most technology experts who study the security of voting methods recommend precinct-count optical-scan voting, with by-hand audits of the optical-scan ballots from randomly selected precincts. We agree with this consensus. In fact, most states are moving in the right direction: 32 states now vote with voter-verified paper ballots (mostly optical-scan, some with DRE+VVPAT). Only a minority of states are still using paperless DRE voting machines such as the AVC Advantage. We recommend that those states adopt precinct-count optical scan.

Executive Summary of the Report

I. The AVC Advantage 9.00 is easily ``hacked,'' by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this ``hack'' takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County's Board of Elections uses to add up votes from all the different precincts.)

III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

V. Sequoia's sloppy software practices can lead to error and insecurity. Wyle's ITA reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.

Comment on This Article

You must login to leave comments...

Other Visitors Comments

There are no comments currently....