Sequoia Voting System v4.0: Still Hackable. Approved for Use in November Only with Conditions

California has approved the Sequoia System 4.0 with Ranked Choice Voting for use in San Francisco only for the the upcoming general election.

Conditions to be met are listed in this document.

http://www.sos.ca.gov/elections/voting_systems/sequoia/system40/2008-10-14_system40_approval.pdf


Here are some snips from the Source Code Review

Sequoia Voting System v4.0
Source Code Review Team Report

September 19th, 2008

~snip~

After examination of the source code, we have found that the security posture of the system is largely unchanged since the UC Berkeley review. There are still significant programming, logic, and architectural errors present in the software, ranging from fairly benign mistakes to severe systemic misuse of cryptographic methods and failures to implement correct integrity verification. The following are major points of weakness found in the source code:

• Failure to properly verify the integrity of election information, leaving the election definition and results vulnerable to undetectable tampering

• Improper and unsafe authentication and user account management

• Access control not implemented correctly allowing anyone with an account complete control over the central database

• Nonexistent or incorrect usage of encryption that can be easily defeated

• Lack of input sanitization leaving SQL injection vulnerabilities unchecked

• Various buffer overflow and software bugs creating possible avenues for arbitrary code execution inside the system

~snip~

With regard to determining whether the provided source code resolves the high-level security architectural issues identified in the UC Berkeley report, the reviewer found that the previously reported security architecture issues remain issues in the current version. There still is no effective mechanism to protect the integrity of data that is transferred between components of the system via removable media; there is a potential vulnerability for SQL injection attacks that result in unauthorized access to election data stored in the database or execution of malicious code on the database server machine to crash the system; a user can exploit a system weakness that enables him or her to access the database without going through the WinEDS user interface, and once there, that user can add, delete and modify any data in the database; cryptographic methods are improperly used; access control management is still cumbersome and subject to user error and also can be circumvented; and while password management has been improved, because of an architecture defect, the strengthening of password management does not necessarily lead to a strengthened access control system.

With regard to determining whether the provided source code resolves specific security defects identified in the UC Berkeley report, the reviewer could verify that nine of the 47 previously reported defects have been sufficiently resolved in the provided source code to mitigate the identified vulnerability. Code modifications for two defects partially resolve the reported issues. Code modifications for two defects do not sufficiently mitigate the reported vulnerabilities they are intended to resolve. Resolution of 10 issues could not be determined by static review of the source code, but can only be verified by functional testing, penetrating testing, live-code debugging, or other means; the reviewer acknowledges that two of these issues might be resolved. Based on the code review, the reviewer found that approximately 24 of the 47 issues have not been addressed by code modifications.

~snip~

With regard to review of the two new modules (WinEDS Extended Services and WinEDS Election Reporting) the reviewer found that the modules are susceptible to SQL injection attacks via both the GUI and malicious input files; rely on user action to ensure data integrity rather than implementing a system safeguard; and provide inadequate error handling. Exploitation of any of these weaknesses could result in data corruption and/or incomplete or false results. The system could enter an insecure state.

With regard to evaluating the extent to which the system protects the integrity of ballot data or ballot images stored in the 400-C Central Count Scanner and Optech Insight® Plus, the reviewer found that except for a simple CRC check, there is no security on the data in the MemoryPack. Program code or data could be easily manipulated by an attacker.

Overall, the reviewer found that while progress has been made, the integrity of election definitions and ballot information is not properly protected. Many attack scenarios center around interception and modification of data, since there are no reliable ways to detect them.

http://www.sos.ca.gov/elections/voting_systems/sequoia/system40/2008-09-19_source_code_report.pdf