The Sequoia AVC Edge is a touch screen direct-recording electronic voting machine. It is a multilingual voting system activated by a smart card and records votes on internal flash memory. Voters insert a “smart-card” into the machine and then make their choices by touching an area on a computer screen, much in the same way that modern ATMs work. The votes are then recorded to internal electronic flash memory. When polls close, the votes for a particular machine are written to a PCMCIA card which is removed from the system and either physically transported to election headquarters or their contents transmitted via computer network.
The AVC Edge has a 15-inch LCD touchscreen that displays the ballot; allows voters to make selections and navigate the ballot; and provides an interface for testing, maintenance, and opening and closing the polls. On the front of each Edge unit is a slot for a smart card (also known as a “vote activation card”). A voter must have an activated smart card in order to begin voting. After the voter casts his or her ballot on the Edge, the smart card is deactivated and returned to a pollworker. This prevents one voter from voting multiple times.
The back of the Edge contains the power switch and a switch that opens and closes the polls on that particular voting machine. The cover for the poll function switch accommodates a tamper-evident seal. Also on the back of each Edge unit is a yellow “Activate” button, which can be used to switch the Edge into different operating modes. Finally, the backside of the Edge has a small LCD screen (two rows of 20 characters) that displays diagnostic and error messages. Sequoia uses a proprietary operating system for the Edge. Similarly, the firmware that the Edge uses to control the hardware and to allow voting consists of proprietary applications. The Edge also contains three serial EEPROMs (electronically programmable read-only memory), which store permanent configuration information about the Edge unit as well as ballot counters. One of these EEPROMs is the “configuration ROM,” which holds information to identify the machine and the customer and also contains a “cryptographic seed value.” The other EEPROMs hold a public counter (a counter that is reset at the beginning of each election) and a protective counter (a counter that is incremented each time a vote is cast and is never reset).
The ballot definition and audio files to assist visually impaired voters are programmed on a WinEDS election management system server and stored on the Results Cartridge. Prior to an election, the Results Cartridge is inserted into the Edge’s Results Port and covered by a plastic door, which is sealed with a tamper-evident seal. The Results Cartridge also stores the Audit Trail, which consists of ballot images, ballot summaries, and the event log. The Edge also stores a copy of the Audit Trail in the internal Audit Trail memory. If the Results Cartridge is lost, damaged or destroyed, it can be recovered from this internal memory. Event logging for the Edge is always turned on; it cannot be disabled.
At the close of an election, a pollworker may print the audit log on a VVPAT. Alternatively, or in addition, election officials may access the event log stored as part of the Audit Trail on the Results Cartridge. Several other devices support the Edge. First, the Card Activator processes the smart cards (also known as “vote activation cards”) that voters use to access the Edge. After each use of a smart card, the Card Activator prepares the card for use by another voter. Before an election, each Card Activator must be prepared with the ballot definitions and other information appropriate for the precinct in which it will be used. An alternative to the Card Activator is the HAAT (Hybrid Activator, Accumulator, and Transmitter). There are two models of the HAAT, Model 50 and Model 100.
Video: A Voter Demo Edge without VVPAT from York County, PA.
Video: A Pollworker Training Video from San Francisco, CA.
Voting Process: When the voter enters the precinct, he or she is given a “smart-card” by a poll worker after confirming the voter is registered. A “smart-card” is a card the size and shape of a credit-card which contains a computer chip, some memory and possibly basic data such as the voter’s political party. The voter then takes the smart-card to a voting machine and inserts the smart-card into the yellow slot visible in the middle picture above. The first screen presented to the voter is one that allows him or her to choose the ballot language. After using the touchscreen to vote, 1) the record of the vote is directly recorded electronically to two flash memory cards and 2) the voter’s smart-card is reset to ensure that the voter can only vote once. The AVC Edge may also be equipped in some precincts to print a voter-verifiable paper audit trail using the VeriVote printer. In this case, the voter will inspect the printout which is displayed underneath glass. If the paper accurately reflects the vote, the voter indicates so using the touchscreen and casts the vote; the printed paper is withdrawn into the machine to protect privacy. If the paper is incorrect, the voter may mark it as spoiled and change his or her vote using the touchscreen interface. After the vote is cast, the smart-card pops out of the machine and the voter returns it to a poll worker.
Checking the Voter-Verifiable Paper Trail: The Edge’s optional voter-verifiable paper-trail printer is called the VeriVote. The VeriVote printer is a cash-register type printer and is located to the left of the touch screen. Jurisdictions which use the Edge but do not equip their machines with the VeriVote include the state of Louisiana.
Spurred by the testimony of computer scientists at a hearing in Santa Clara County, CA in January 2003, Sequoia Voting Systems was the first major vendor to produce a VVPAT retrofit for their touch-screen voting machine, the Sequoia AVC Edge. A team led by John Homewood filed a provisional application in the spring of 2003 and a full patent application in early 2004. The Sequoia system uses a thermal printer and a roll of cash-register receipt tape. After each voter completes a ballot on the display screen, the printed choices are displayed behind a glass window for voter approval, and then rolled onto a take-up reel before the next voter enters the voting booth. Unlike the Avante Vote Trakker, the tape is not cut after each ballot is printed. The Premier/Diebold AccuView VVPAT mechanism and the Hart Intercivic VBO also use thermal paper.
When the polls close, a poll worker or election official inserts a different type of smart card, an administrator card, into each voting machine and puts the machine into a post-election mode in which it will no longer record votes. At this point, the machine writes the votes from its internal memory to a PCMCIA card, a removable form of flash memory. A printed tape of all votes cast, or of vote totals for the voting machine, can also be printed at this time, depending on local procedure and regulations. The PCMCIA cards are removed from each machine and taken either to a central tabulation facility or to remote tabulation facilities. At the tabulation facility the votes are copied from the PCMCIA cards into a central computer database, where precincts are combined to produce an aggregate vote. The votes may also be transmitted to the central tabulation facility via a closed “Intranet”, the Internet or modem. The PCMCIA cards and possibly any printouts from the voting machines can then become part of the official record of the election.
Researchers contracted by the California Secretary of State for the State’s Top to Bottom Review in 2007 found significant security weaknesses throughout the Sequoia system. The nature of these weaknesses raises serious questions as to whether the Sequoia software can be relied upon to protect the integrity of elections. Every software mechanism for transmitting election results and every software mechanism for updating software lacks reliable measures to detect or prevent tampering. These weaknesses, and their implications, are discussed in Chapters 3 and 4 of the Source Code Report.
In certain cases, audit mechanisms may be able to detect and recover from some attacks, depending on county-specific procedures; other attacks may be more difficult to detect after-the-fact even with very rigorous audits. There were numerous programming, logic, and architectural errors present in the software we reviewed. Some of these errors may be relatively harmless and reflect the large size and heterogeneous nature of the codebase. But other errors we found clearly have serious security implications. Many of the most significant vulnerabilities we found — those likely to be especially useful to an attacker seeking to alter election results — arise from four pervasive structural weaknesses:
Data Integrity The Sequoia system lacks effective safeguards against corrupted or malicious data injected onto removable media, especially for devices entrusted to poll workers and other temporary staff with limited authority. This lack of input validation has potentially serious consequences, including:
– Precinct election results stored on DRE Results Cartridges and optical scan memory packs are not effectively protected against tampering. A poll worker with physical access to a Results Cartridge or MemoryPack before results are counted (e.g. when returning results to the county elections board) can change recorded votes, and, in some cases, can introduce spurious results for other precincts. Under some conditions, a corrupted Results Cartridge may be able to cause damage to the WinEDS system itself when it is loaded for vote counting.
– The safeguards against introduction of corrupt firmware into the precinct voting hardware are largely ineffective. An individual with even brief access to polling station hardware can tamper with installed firmware in a way that causes votes and paper trails to be recorded incorrectly, security logs to be corrupted, or ballots to be presented to voters incorrectly. Under some configurations and conditions, corrupt firmware may be able to be spread virally from compromised hardware and may persist across more than one election.
Cryptography Many of the security features of the Sequoia system, particularly those that protect the integrity of precinct results, employ cryptography. Unfortunately, in every case we examined the cryptography is easily circumvented. Many cryptographic functions are implemented incorrectly, based on weak algorithms with known flaws, or used in an ineffective or insecure manner. Of particular concern is the fact that virtually all cryptographic key material is permanently hardcoded in the system (and is apparently identical in all Sequoia hardware shipped to different jurisdictions). This means that an individual who gains temporary access to similar hardware (inside California or elsewhere) can extract and obtain the secret cryptographic keys that protect elections in every jurisdiction that uses the system.
Access Control The access control and other computer security mechanisms that protect against unauthorized use of central vote counting computers and polling place equipment are easily circumvented. In particular, the security features and audit logs in the WinEDS back-end system (used for ballot preparation, voting machine configuration, absentee ballot processing, and post-election vote counting) are largely ineffective against tampering by insider attackers who gain access to WinEDS computers or to the network to which the WinEDS computers are attached.
Software Engineering The software suffers from numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses. These include buffer overflows, format string vulnerabilities, and type mismatch errors. In general, the software does not reflect defensive software engineering practices normally associated with high-assurance critical systems. There are many instances of poor or absent error and exception handling, and several cases where the software behavior does not match the comments and documentation. Some of these problems lead to potentially exploitable vulnerabilities that we identified, but even where there may not be an obvious vulnerability identified, the presence of such errors reduces our overall confidence in the soundness of the system as a whole.
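The Data Integrity and Cryptography findings above describe two gaps in how precinct results on removable media are protected: no effective validation of the data a cartridge carries, and key material that is identical in every unit. The following Python program is an added illustration written for this page; it is not Sequoia code and does not reproduce the layout of a real Results Cartridge. The record format, the sanity bounds (MAX_CONTESTS, MAX_CANDIDATES, MAX_COUNT), precinct number 202 and the unit keys are all constructed. It authenticates a record with HMAC-SHA256 before parsing a single field, bounds-checks every length the record claims so a hostile header cannot push the reader past the buffer, and contrasts a key shared by every unit with a key per unit: under a shared key, a record written with key material taken from one unit verifies as any other unit's precinct results, while a per-unit key confines the damage to that one unit.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed record layout (hypothetical; not Sequoia's actual cartridge format):
#   magic(4) | precinct_id(u16 BE) | n_contests(u8) |
#   per contest: n_candidates(u8) | n_candidates x count(u32 BE) | tag(32, HMAC-SHA256)
MAGIC = b"RSLT"
TAG_LEN = 32
MAX_CONTESTS = 50       # constructed sanity bounds for this example
MAX_CANDIDATES = 20
MAX_COUNT = 10_000      # no precinct in this example is assumed to exceed this many ballots


class InvalidRecord(ValueError):
    """Raised when a cartridge record fails authentication or structural checks."""


def sign_body(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def encode_record(key: bytes, precinct_id: int, contests: list) -> bytes:
    """Build a record as a voting unit holding `key` would write it."""
    body = MAGIC + struct.pack(">HB", precinct_id, len(contests))
    for counts in contests:
        body += struct.pack(">B", len(counts))
        body += b"".join(struct.pack(">I", c) for c in counts)
    return body + sign_body(key, body)


def decode_record(key: bytes, expected_precinct: int, blob: bytes) -> list:
    """Authenticate first, then parse with explicit bounds checks on every claimed length."""
    if len(blob) < 7 + TAG_LEN:
        raise InvalidRecord("truncated record")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Verify the tag before interpreting any field of writable media.
    if not hmac.compare_digest(sign_body(key, body), tag):
        raise InvalidRecord("authentication tag mismatch")
    if body[:4] != MAGIC:
        raise InvalidRecord("bad magic")
    precinct_id, n_contests = struct.unpack_from(">HB", body, 4)
    if precinct_id != expected_precinct:
        raise InvalidRecord("record is for a different precinct")
    if n_contests > MAX_CONTESTS:
        raise InvalidRecord("contest count out of range")
    offset, contests = 7, []
    for _ in range(n_contests):
        if offset + 1 > len(body):
            raise InvalidRecord("truncated contest header")
        n_cand = body[offset]
        offset += 1
        if not 1 <= n_cand <= MAX_CANDIDATES:
            raise InvalidRecord("candidate count out of range")
        if offset + 4 * n_cand > len(body):
            raise InvalidRecord("truncated vote counts")
        counts = list(struct.unpack_from(">" + "I" * n_cand, body, offset))
        offset += 4 * n_cand
        if any(c > MAX_COUNT for c in counts):
            raise InvalidRecord("vote count exceeds plausible maximum")
        contests.append(counts)
    if offset != len(body):
        raise InvalidRecord("unexpected trailing bytes")
    return contests


def accepts(key: bytes, precinct: int, blob: bytes) -> bool:
    """True when the tabulator would load this record for `precinct` under `key`."""
    try:
        decode_record(key, precinct, blob)
        return True
    except InvalidRecord:
        return False


def key_model_comparison() -> dict:
    """Contrast one key shared by every unit with one key per unit (constructed scenario)."""
    shared_key = b"identical-in-every-shipped-unit"   # the pattern the review criticised
    unit_keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    counts = [[999, 0]]
    # Key material held by unit A is used to write a record labelled as precinct 202 (unit B's).
    from_a_shared = encode_record(shared_key, 202, counts)
    from_a_per_unit = encode_record(unit_keys["A"], 202, counts)
    # A genuine record from unit B with one byte of a vote count altered after signing.
    altered = bytearray(encode_record(unit_keys["B"], 202, counts))
    altered[10] ^= 0x01
    # Correctly tagged but structurally hostile: header claims 40 contests, body carries none.
    hostile_body = MAGIC + struct.pack(">HB", 202, 40)
    hostile = hostile_body + sign_body(shared_key, hostile_body)
    return {
        "shared_key_accepts_cross_unit_record": accepts(shared_key, 202, from_a_shared),          # True
        "per_unit_key_accepts_cross_unit_record": accepts(unit_keys["B"], 202, from_a_per_unit),  # False
        "altered_record_accepted": accepts(unit_keys["B"], 202, bytes(altered)),                 # False
        "hostile_length_field_accepted": accepts(shared_key, 202, hostile),                      # False
    }


if __name__ == "__main__":
    for check, result in key_model_comparison().items():
        print(f"{check}: {result}")
```

Running the file prints the four checks. The per-unit model presumes the tabulator keeps a registry of which key belongs to which unit; that provisioning step is outside the example. The order in decode_record is the point that matters: the tag is checked before any length field is trusted, and every length is still bounds-checked afterwards, because once a shared key is known to an adversary the tag proves nothing and only the structural checks stand between a hostile cartridge and the tabulator, which is the "damage to the WinEDS system itself" case the review describes.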