The Election Assistance Commission has sent this response to Aaron Burstein and Joseph Lorenzo Hall’s comments on the EAC’s Voting System Test Lab and the California Top to Bottom Review of Voting Systems.
Thank you for your letter dated October 13, 2009, concerning the federally accredited Voting System Test Lab’s (VSTL) consideration of the California Secretary of State’s Top-To-Bottom Review (TTBR) in developing the test plan for the Premier Assure 1.2 voting system. The VSTL that tested the Premier Assure 1.2, iBeta Laboratories, closely reviewed the findings of the TTBR during the development of its test plan in accordance with the requirements of EAC’s Testing and Certification program and the “Evolution of Testing” requirement contained in Section 1.5 of the 2002 Voting System Standards (VSS). In addition, the VSTL reviewed the results of the Kentucky, Ohio, and Connecticut Reports which resulted in an update of the Security Test Case to verify that Connecticut’s recommended tamper-resistant seals were incorporated into the Premier Technical Data Package (TDP). The 3 March 2009 California Secretary of State report was also reviewed, as well as the Premier Product Advisory Notices. Finally, please note that the software and firmware versions of each component of the system reviewed by California were an earlier version than that tested by the EAC VSTL. A comparison is listed below for your information.
California TTBR Diebold GEMS 1.18.24 (CA SOS Withdrawal Notice, October 25, 2007)
1. GEMS software, version 1.18.24,
2. AccuVote-TSX with AccuView Printer Module firmware version 4.6.4,
3. AccuVote-OS (Model D) with firmware version 1.96.6,
4. AccuVote-OS Central Count with firmware version 2.0.12,
5. Vote Card Encoder, version 1.3.2,
6. Key Card Tool software, version 4.6.1, and
7. VC Programmer software, version 4.6.1.
EAC Certified Premier Assure 1.2 (EAC Certification August 6, 2009)
1. GEMS software, version 1.21.5
2. AccuVote-TSX with AccuView Printer Module firmware version 4.7.8
3. AccuVote-OS (Models A, B, C and D) with firmware version 1.96.13
4. AccuVote-OS Central Count with firmware version 2.0.15
5. Vote Card Encoder, version 1.3.3
6. Key Card Tool software, version 4.7.8
7. VC Programmer software, version 4.7.8
During their review, iBeta concluded that all concerns contained in the report were covered by the testing proposed by the test plan and the test cases developed for that test plan as required by the federal testing and certification process. The EAC also worked with iBeta to ensure all issues contained in other applicable reports posted in the EAC’s online voting systems clearinghouse were addressed. These steps ensured that all security issues raised by the TTBR were specifically addressed in iBeta’s testing of the Premier Assure 1.2 system.
For example, the TTBR Red Team found that database files were not protected. The iBeta test plan version 1.0 included a test to determine if “cast ballots and vote counts are protected from tampering” and “modification of the system and application of audit log is prevented” (pg. 74). In addition, the test plan included the following specific security test methods (pg. 32):
- Attempts to bypass or defeat voting system security including: changing vote data, copying voter cards, ability to bypass user passwords, modifying data in audit logs, and accessing controlled functions without appropriate validation.
- Voter denial of service attacks introduced via the voter card or results cartridges and memory cards.
- Attempts to circumvent physical security devices without detection, including destructible seals and system components locks for cartridge and memory card slots, polls switches, keypads, and hardware components.
In another example, the TTBR Red Team identified security vulnerabilities in the GEMS audit logs. The VSTL test plan included the following related security tests:
- Physical or logical access controls on ballot preparation, vote counting, and reporting equipment.
- Password and/or token access
- Additional three-factor authentication techniques
- Port access is controlled
- Default passwords are changeable after initial login
- Minimal password strength constraints are imposed by the vendor or settable by the jurisdiction
- Audit logs cannot be modified
Other examples of issues highlighted by the TTBR that were included in the VSTL test plan include PCMCIA card/slot encryption and authentication (pg. 74), documentation review of industry standard password policies (pgs. 73 and 75), and man-in-the-middle attacks (pg. 72).
The information above can be found in the approved test plan for the Premier Assure 1.2 voting system posted to the EAC Web site on April 7, 2009. I encourage you to review the approved test report to verify the testing that was done and the results of that testing. As you are probably aware, the EAC posts to its Web site all draft and approved test plans and test reports as well as all program correspondence to keep the public fully informed of its testing and certification process.
I encourage you to review all documents on our Web site and to contact me at any time should you have concerns or questions regarding our process.
We appreciate your interest in the federal testing and certification process and your commitment to expanding knowledge of voting technology security. Sharing such information with the election community is central to ensuring the integrity of America’s voting systems, and we value your contribution to it. We also commend the state of California for their leadership on this topic, and for submitting the report to us for inclusion in our online voting systems clearinghouse.
Sincerely,
Brian J. Hancock, Director of Voting System Testing and Certification Program
U.S. Election Assistance Commission