Matt Blaze's
EXHAUSTIVE SEARCH
Science, Security, Curiosity
3 November 2008
Vote Flipping and Touchscreens

There have been a number of recent reports of touchscreen voting machines "flipping" voters' choices in early voting in the US Presidential election. If true, that's a very serious problem, apparently confirming everyone's worst fears about the reliability and security of the technology. So what should we make of these reports, and what should we do?

In technical terms, many of the problems being reported may be related to mis-calibrated touch input sensors. Touchscreen voting machines have to be adjusted from time to time so that the input sensors on the screen correspond accurately to the places where the candidate choices are displayed. Over time and in different environments, these analog sensors can drift away from their proper settings, and so touchscreen devices generally have a corrective "calibration" maintenance procedure that can be performed as needed. If a touchscreen is not properly accepting votes for a particular candidate, there's a good chance that it needs to be re-calibrated. In most cases, this can be done right at the precinct by the poll workers, and takes only a few minutes. Dan Wallach has an excellent summary (written in 2006) of calibration issues on the ACCURATE web site. The bottom line is that voters should not hesitate to report to poll workers any problems they have with a touchscreen machine -- there's a good chance it can be fixed right then and there.

Unfortunately, the ability to re-calibrate these machines in the field is a double edged sword from a security point of view. The calibration procedure, if misused, can be manipulated to create exactly the same problems that it is intended to solve. It's therefore extremely important that access to the calibration function be carefully controlled, and that screen calibration be verified as accurate. Otherwise, a machine could be deliberately (and surreptitiously) mis-calibrated to make it difficult or impossible to vote for particular candidates.

Is this actually happening? There's no way to know for sure at this point, and it's likely that most of the problems that have been reported in the current election have innocent explanations. But at least one widely used touchscreen voting machine, the ES&S iVotronic, has security problems that make partisan re-calibration attacks a plausible potential scenario.  

I led the team that examined the security of the iVotronic (and the rest of the ES&S system) at Penn for the State of Ohio last year. Among other problems, we found it to be particularly easy to tamper with the calibration of the iVotronic's touchscreen by entering its cofiguration menu. This can be done entirely from the front panel (the part voters have private access to), and doesn't require knowing any passwords or other secrets. From our report (which you can download here [pdf]):

One of the simplest, and yet most important, configuration parameters of the iVotronic DRE is the calibration of its touchscreen input sensors. Calibration (which can be performed in the field through the screen itself) affects how voters' tactile input "maps" to different locations on the screen. If the procedure is performed incorrectly (or has been deliberately altered), voter choices might not be correctly recorded.

It is easy to surreptitiously re-calibrate the screen of an iVotronic terminal in a way that allows most input to behave normally but that denies access to specific screen regions (e.g., those corresponding to certain candidate selections).

Access to the screen calibration function of the iVotronic terminal requires the use of a supervisor PEB[*] during power-up (e.g., after voting or at idle times). No password is required. Any supervisor PEB is sufficient for this purpose, even one not specifically configured for the correct precinct or obtained from some other jurisdiction (e.g., through secondary markets such as eBay). A home-made PEB emulator (e.g., a specially programmed Palm Pilot and a small magnet) is also sufficient. The procedure requires about one minute and is, from a distance, largely indistinguishable from normal voter behavior.

A terminal can be maliciously re-calibrated (by a voter or poll worker) to prevent voting for certain candidates or to cause voter input for one candidate to be recorded for another. The terminal will remain in this state until the problem is detected (e.g., through voter complaints) and the terminal correctly re-calibrated by poll workers (which may require consultation with the central county office). Voters may or may not recognize that their votes are not correctly recorded, depending on voter training and other factors.

While a maliciously calibrated terminal may be noticed by voters and can, in principle, be corrected in the field, the attack is extremely simple for a poll worker (or other person with access to a PEB) to carry out and practical even without a PEB, and so may represent a serious practical threat. We note that iVotronic behavior consistent with such attacks has been reported in various jurisdictions during actual elections.

Again, I have seen no evidence at this point that anyone is actually doing this, and many problems that could be caused by deliberate mis-calibration can also be explained by entirely innocent factors. But in any case, voters, poll-workers and election officials should be aware of the potential risks here.

* "PEBs" are small devices used by pollworkers to control the iVotronic voting machines in a precinct throughout the day.

Update 4pm: Wired's Kim Zetter covers the issue here.

Photo: An iVotronic terminal with its "supervisor" menu enabled by a specially programmed Palm computer and a small magnet. Photo by me, first published in our EVEREST report, 2007.