The New York State Board of Elections is meeting tomorrow at noon to act on applications for the Dominion ICX and the ES&S ExpressVote XL.
August 2023
Calendar of events for the New York State Board of Elections
Date: Wednesday 8/2 12:00 P.M.
Event: Public Campaign Finance Board Meeting followed by SBOE Commissioners Meeting
Additional Information:
State Board Offices*
40 North Pearl Street
3rd Floor
Albany NY 12207
Minutes and Archived Webcasts
* All meetings are webcast live. The NYSBOE provides closed captioning for all meetings open to the public.
………………………………………………………………………………………………….
Andrew W. Appel is the Eugene Higgins Professor of Computer Science at Princeton University. His research is in software verification, computer security, programming languages and compilers, and technology policy. Freedom to Tinker is hosted by Princeton's Center for Information Technology Policy, a research center that studies digital technologies in public life.
Doug Kellner commented on this blog. He is one of the four NYS Election Commissioners who will decide whether or not to certify these voting machines.
https://freedom-to-tinker.com/2023/07/28/expressvote-xl-fix-doesnt-fix-anything/
ExpressVote XL “fix” doesn’t fix anything
JULY 28, 2023 BY ANDREW APPEL 3 COMMENTS
Five years ago I described a serious security flaw in the design of all-in-one voting machines made by two competing manufacturers, ES&S and Dominion. These all-in-one machines work like this: the voter indicates choices on a touchscreen; then a printer prints the votes onto a paper ballot; the voter has a chance to review the ballot to make sure the right choices are printed; then the machine sends the ballot past an optical scanner to record and tabulate the votes. Then the mechanism drops the paper into a ballot box where it is saved for recounts or audits.
The reason we have paper (in addition to the optical scanner’s computer-count of the votes) is for our protection, in case the software in the voting machine is hacked. The votes printed on the paper and seen by the voter can be seen again by the humans performing the recount or audit.
The fatal flaw is having the ballot printer in the same paper path that goes from the voter to the ballot box. That’s because the machinery (printer, scanner, motor-driven rollers) is controlled by the software, and if the software is hacked (replaced by fraudulent software) then the software can make the machinery do things “out of proper order”. In particular, after the voter approves the ballot and touches the “cast-vote” button on-screen, the software is supposed to convey the ballot past the scanner into the ballot box; but hacked software can direct the machinery to take a detour past the printer, where additional votes are printed on to the ballot that the voter did not approve.
This design flaw affects the Dominion ICE and the ES&S ExpressVote and ExpressVoteXL. We explained this problem in section 8 of our paper, Ballot-Marking Devices Cannot Assure the Will of the Voters, by Andrew W. Appel, Richard A. DeMillo, and Philip B. Stark. (Election Law Journal, vol. 19 no. 3, September 2020; non-paywall version here)
It seems that the engineers at ES&S read our paper, because they’ve released a redesigned paper path for the ExpressVoteXL that they claim fixes the problem. They produced this video that states their claim. Unfortunately, they’re wrong: it doesn’t fix the problem.
Their claim is: they have a new “one-way bearing” on their platen roller. It’s mechanically impossible for the “platen roller with one-way bearing” to print while the paper is moving down; mechanically it’s only possible to print while the paper is moving up.
These engineers have failed to “think like the attacker”. Their own software, after the voter has approved what’s printed on the ballot, would only direct the machinery to move the paper downward past the scanner and print head. So they fail to consider how hacked software could behave differently. In particular, fraudulent vote-stealing software could move the paper down past the print head, then take the extra step of moving it back up, while printing unauthorized votes on the paper; then move it down again toward the ballot box.
In my opinion, the newly designed paper path, with the “one-way roller”, is just as flawed as the ExpressVote XL’s previous design. Either way, fraudulent software can print additional votes onto the ballot after the last time the voter has had a chance to see the paper. Therefore, ExpressVote XL ballots cannot be considered “voter verified”.
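The one-way-bearing argument above can be made concrete with a small exhaustive search. This is an illustration added here, not code from the post, the paper or ES&S. It abstracts the paper path to a handful of events (the event names, the reduction of the bearing to “printing while the paper moves down always jams”, and the hypothetical second guard are all my assumptions) and asks the question the engineers should have asked: among every sequence of motor and print commands the firmware could issue after the voter casts, is there one the bearing permits that still prints on the card?

```python
"""Added illustration, not code from the post, the paper or ES&S.

The post's point is that a mechanical guard on *how* the printer can engage
does not establish the property we actually want: that nothing is printed
after the voter casts. This tiny model check makes that concrete. Every
modelling choice is an assumption of mine: the paper path is reduced to
five events, the one-way bearing becomes "printing while the paper moves
down always jams", and the firmware may issue any event sequence after
CAST, because hacked firmware is not bound to the legitimate sequence.
"""
from itertools import product

UP, DOWN = "feed_up", "feed_down"                # motor moves paper, head raised
PRINT_UP, PRINT_DOWN = "print_up", "print_down"  # head lowered while feeding
CAST = "cast"                                    # voter presses cast-vote

# Legitimate behaviour as the post describes it: print on the way up, let the
# voter review, then convey the card down past the scanner into the box.
LEGIT = (PRINT_UP, CAST, DOWN)

# The attack from the post: after CAST, move the card down, bring it back up
# while printing extra marks (a direction the bearing permits), then down again.
APPEL_ATTACK = (PRINT_UP, CAST, DOWN, PRINT_UP, DOWN)

# The attacker controls the firmware, so between CAST and the final deposit it
# may issue any of these; only the mechanical guard can stop it.
FIRMWARE_EVENTS = (UP, DOWN, PRINT_UP, PRINT_DOWN)


def one_way_bearing_ok(trace):
    """Assumed model of the ES&S guard: the platen cannot feed paper through
    the print head while moving down, so any PRINT_DOWN jams the machine.
    Printing while feeding up is mechanically fine at any time."""
    return PRINT_DOWN not in trace


def no_reverse_after_cast_ok(trace):
    """Hypothetical guard, included only for contrast: once the voter has
    cast, the card can never move back toward the print head. This is not a
    claim about any real product."""
    after_cast = trace[trace.index(CAST) + 1:]
    return UP not in after_cast and PRINT_UP not in after_cast


def voter_verified(trace):
    """The property that actually matters: no printing after the voter's
    last chance to look at the card."""
    after_cast = trace[trace.index(CAST) + 1:]
    return PRINT_UP not in after_cast and PRINT_DOWN not in after_cast


def find_counterexample(guard, max_extra=4):
    """Exhaustively search every post-cast firmware sequence of up to
    max_extra events. Return the shortest trace the guard permits that still
    violates voter_verified, or None if the guard suffices within the bound."""
    for n in range(max_extra + 1):
        for extra in product(FIRMWARE_EVENTS, repeat=n):
            trace = (PRINT_UP, CAST) + extra + (DOWN,)
            if guard(trace) and not voter_verified(trace):
                return trace
    return None


def both_guards_ok(trace):
    """The bearing plus the hypothetical after-cast interlock together."""
    return one_way_bearing_ok(trace) and no_reverse_after_cast_ok(trace)


if __name__ == "__main__":
    print("legitimate trace passes bearing:", one_way_bearing_ok(LEGIT),
          "voter-verified:", voter_verified(LEGIT))
    print("post's attack passes bearing:", one_way_bearing_ok(APPEL_ATTACK),
          "voter-verified:", voter_verified(APPEL_ATTACK))
    print("shortest bad trace the bearing allows:",
          find_counterexample(one_way_bearing_ok))
    print("with the hypothetical after-cast interlock too:",
          find_counterexample(both_guards_ok))
```

The search finds an offending sequence even shorter than the one in the post (print again on the way up before ejecting), and confirms the post’s own trace is permitted by the bearing. The hypothetical second guard is there only to show the shape of an invariant that would have to hold (nothing after CAST may carry the card back toward the head); it says nothing about what any product actually implements.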
The ExpressVote and ExpressVoteXL have another really big security hole, that their new “fix” also does not fix. The votes that count are the ones encoded in the barcode (which the voter cannot read), not the ones printed in plain text (which the voter can read but usually doesn’t bother to read). The optical scanner reads the barcode, not the plain text. So voters can’t meaningfully verify the real votes. Supposedly that could be addressed by an audit of the paper ballots, but many states that use (or are considering) the ExpressVoteXL (New York, Arkansas, Tennessee, …) have very weak audits that wouldn’t reliably catch cheating. And even worse, some election administrators think they can “audit” the paper ballots by running them through a different scanner (from ClearBallot), but that scanner also reads only the barcode, which the voter has never been able to verify.
Comments
Douglas Kellner says:
ES&S has provided this response to the New York State Board of Elections:
“… a printer prints the votes onto a paper ballot; the voter has a chance to review the ballot to make sure the right choices are printed; then the machine sends the ballot past an optical scanner to record and tabulate the votes. Then the mechanism drops the paper into a ballot box…”
The above is not an accurate statement. The XL scans as it prints, not after the voter chooses to cast. A reminder about how the XL behaves:
1. Prints the card and simultaneously scans the ballot to ensure printing is accurate and readable.
2. Presents the printed ballot alongside the voter’s on-screen selections to encourage voters to verify accuracy.
3. ADA Voters can have selections scanned from the paper read back to them.
4. Ejects the card at high speed.
“It seems that the engineers at ES&S read our paper, because they’ve released a redesigned paper path for the ExpressVoteXL that they claim fixes the problem. They produced this video that states their claim. Unfortunately, they’re wrong: it doesn’t fix the problem.”
ES&S is always listening to feedback, and our redesigned paper path for the XL is one of the many ways in which we have incorporated additional layers of protection in the unlikely event of an unauthorized attempt by a nefarious bad actor to manipulate a voting unit. Our re-engineered paper path design took what was already a highly improbable attack scenario and rendered it not only impractical but also nearly impossible.
“Their claim is: they have a new “one-way bearing” on their platen roller. It’s mechanically impossible for the “platen roller with one-way bearing” to print while the paper is moving down; mechanically it’s only possible to print while the paper is moving up.”
• This is not a claim. It is a fact. The mechanical design does ensure that if the print head is lowered as the paper is moving away from the voter, it will jam because the 1-way roller bearing fails to turn and push the paper through the print head.
• The 1-way bearing can best be described as a clutch that connects the paper path motor to the printer roller in one direction and does not connect when running in the other direction. Without this connection, the paper cannot move to print and will jam.
“…software could move the paper down past the print head, then take the extra step of moving it back up, while printing unauthorized votes on the paper; then move it down again toward the ballot box.”
• This highly improbable attack scenario would require full insider access and a developer level of knowledge of three independent software components.
• When initially printed, all unmarked ballot sections are marked with an X. If a selection is added, the barcode is visibly crossed out and cannot be read by the machine. And, all vote-fors have either a selection or a “no selection,” leaving no space for any additional print.
• The hack would require changes to ES&S software, the paper path driver, and the paper path firmware and would be incredibly complicated, if not nearly impossible, to orchestrate a change across all three without detection.
• In addition to a highly complex hack, the software currently prints a full image of selections all at once. To modify the software to print a change to one contest would be an extreme hack.
“…votes that count are the ones encoded in the barcode (which the voter cannot read), not the ones printed in plain text (which the voter can read but usually doesn’t bother to read).”
• There are methods for voters to validate the barcodes. Philadelphia produces a code book to allow voters to validate the barcode selections.
• Every voter can review their ballot selections by comparing the cast vote records to the printed text. A voter may-
o Read the card into a precinct tabulator and view the printed report
o Re-read the card into an XL and preview the calculated barcode against the printed card.
Other facts –
• The theories and speculations set forth in the above blog are not based on scientific or mechanical fact but rather extreme hypotheses with zero basis in reality. No such attack has ever occurred on a voting unit in any election.
On the other hand, manipulating a paper ballot is a simple proven hack that merely requires one nefarious bad actor with a pen. The XL is the most tested piece of voting equipment produced by ES&S. Multiple independent tests, including the Department of Homeland Security Idaho National Test Labs (Critical Product Evaluation Program), have confirmed that the device is safe, secure, and reliable.
Andrew Appel says:
I stand by my analysis: The key vulnerability is that a software hack can make the mechanical components do things out of regular order. ES&S admit this in their reply: They write, “This hack would require changes to ES&S software, the paper path driver [software], and the paper path firmware [also software] and would be incredibly complicated.” That is, ES&S says that these are the software in the ExpressVoteXL that, if hacked, would make the mechanical components behave as I described. In our modern world, we see incredibly complicated software hacks detected many times per year to commercial software, and nobody knows how many undetected ones.
When ES&S writes, such things as “the XL scans as it prints”, they are (as usual) describing what the legitimate software is supposed to do, not what hacked software might be capable of.