A recently released report commissioned by California Secretary of State Alex Padilla details hundreds of security violations in the controversial new proposed barcode voting system for Los Angeles County, California's largest county, which a "vendor insider," an "election official insider," or a "poll worker" could exploit to hack the outcome of the all-important California Democratic Primary.
The race is currently neck-and-neck between Bernie Sanders and Joe Biden, with Elizabeth Warren dropping into third place in most polls.
The state's new proposed system has already been criticized for relying on barcodes which a human cannot read as the indicator of the voter's intentions.
The report is located at the California Secretary of State's website, at a page entitled Los Angeles County VSAP - Certification Information.
In describing one system vulnerability which involves bypassing the system's normal boot cycle, by utilizing an extraneous USB port, the mere presence of which is not compliant with state certification standards, the report opines:
"Because booting from a USB drive doesn’t use the operating system on the targeted computer, that computer is offline from the System’s perspective. As such, this approach defeats the ability of Carbon Black to prevent running unregistered executables. For the same reason, Snare, the logging system, will not receive any information while running from the USB drive. ... This attack could be conducted by an elections official insider or a vendor insider."
"Carbon Black" and "Snare" are part of the software's security system. The report declares that the system grants "excessive root access" and "the ability to boot the system from a USB port," which gives "access to the system by unauthorized individuals."
Los Angeles County Registrar Dean Logan has declined to answer questions about the new proposed system. The system vulnerabilities were discovered through the relentless investigative efforts of independent investigative journalist Brad Freidman of BradBlog.com.
Los Angeles County, which holds one quarter of the population of California, is crucial to the ambitions of any Democratic candidate for the presidential nomination. The state's primary has been moved up to March 3rd Super Tuesday, the earliest major wave of contests in the season. Historically California has come near the end of the season. With 494 delegates to apportion, it is the richest prize in the primary season, and will now weigh in early.
A poor showing in California will all but end the mathematical possibilities for the nomination for Sanders, no friend to the Democratic National Committee establishment. A candidate would have to amass a string of near-landslide wins in some or all of the states New York, Florida, and Texas to overcome the kind of defeat Sanders suffered in California in 2016, was he running neck-and-neck within 2 points of Hillary Clinton in the polls, but Clinton nevertheless emerged with a 10 point victory.
Although there were thousands of reports of irregularities and election department fraud, Sanders did not contest the seating of the delegates. In San Diego, Sanders poll watchers took film footage of election department workers covering over Sanders votes on ballots with white-out.
The VSAP Tally system ("Voting Systems for All People") proposed for Los Angeles County is already under fire by election integrity activists for its use of a barcode to transmit a voter's choices to an optical scanner vote-counting machine.
Los Angeles is far and away the most populous county in both the state of California and in the country. With a population of 10 million, it is twice as populous the next most populated county, Cook County, Illinois. The state with the next highest number of delegates to apportion behind California's 494 delegates is the state of New York, with 320. If the VSAP Tally system is successfully rolled out in California, it will likely be rolled out though the rest of California and in other states as well.
In the Democratic Primaries, California is the 800-pound gorilla.
In the proposed system, after the voter taps his or her choices out on a touch-screen ballot marking device, the device prints out a barcode onto a paper ballot, which presumably reflects those choices. But the barcode, more specifically a type of barcode called a QR code, is not readable by a human and could say anything. The QR codes may also be subjected to additional levels of encryption.
For example, the QR code below reads "Elizabeth Warren." But the QR code below that reads "Ha ha I just stole your vote."
Now election activists say the report, commissioned by the Secretary of State himself, proves that the system, including the ballot marking device that makes the barcode, can be hacked. They liken it to the worst of all possible worlds in election security.
Before the system is certified, the Secretary of State will be taking public comments in a presently ongoing public comment period until 5pm, Monday January 20th. The Secretary will then make a decision on whether to certify the system. Public comments may be addressed to VotingSystems@sos.ca.gov
Super Tuesday takes place soon after the New Hampshire and South Carolina primaries, and the Iowa Caucus. California is now in a position to deliver a knock-out blow in the race between Biden and Sanders.(See: "Bernie Sanders Will Be Stopped by Hackable Barcode Votes in California Super Tuesday")
The use of QR codes on voters' ballots means the voter cannot see how the touch-screen recorded his or her votes. The ballot marking device which prints out the QR code also prints out, onto the same paper ballot, the familiar marks next to chosen candidates' names. But the vote-counting optical scanner machine which it is then inserted into reads only the QR code.
Election integrity activists have long called for a universal standard of hand-marked ballots, either counted by hand or by an optical scanner machine which takes a digital image of each ballot, which can then be posted online or otherwise be made available to the public for verification of the machine vote counts.
The ease with which machine vote-counting systems can be hacked was the subject of a famous demonstration in the HBO documentary "Hacking Democracy." (Demonstration below.)
The documents describing the proposed voting system's vulnerabilities are located at the California Secretary of State's website. The most relevant documents are:
- County of Los Angeles VSAP 2.0 Consultant's Functional Testing Report (PDF) (Pages 12-18)
- County of Los Angeles VSAP 2.0 Consultant's Security and Telecommunications Report (PDF) (Pages 16-21)
- County of Los Angeles VSAP 2.0 Consultant's Software Testing Report (PDF) (Pages 45-97)
System testing was performed by Tallahassee, Florida consults the Freeman, Craft, McGegor Group, under contract to the California Secretary of State.
Among the vulnerabilities found and deemed "non-compliant" with California Voting Systems Standards (CVSS) are ("quotes" are directly from report):
- "Seals, locks, labels and sensors can all be bypassed."
- USB ports which violate California specifications disallowing any more ports than necessary for the system's basic function.
- "excessive root access and the ability to boot the system from a USB port give access to the system by unauthorized individuals. Either scenario can result in undetected changes to files and data."
- "It is possible to insert or remove ballots from both the BMD and ballot transfer boxes without detection."
- "The ability to boot from the USB port allows election data to be modified."
- "Locks and tamper seals are subject to picking and removal Lock picking was attempted and was successful using standard widely available lock picks and standard techniques. Tamper-evident adhesive label seals were removed without damage using a solvent and a razor blade. After removal, the label was allowed to dry and was reapplied to the equipment without leaving evidence of any compromise. Smooth tailed seals were opened successfully and reattached with no visible evidence of compromise. These attacks could be conducted by a poll worker, elections official insider, warehouse worker or vendor insider. They affect all parts of the system."
- "The easily defeated locks and seals on all of the VSAP devices resulted in the system not conforming to CVSS 2.1.1.a, which provides that all systems shall “Provide security access controls that limit or detect access to critical system components to guard against loss of system integrity, availability, confidentiality, and accountability.”
- "Unrestricted access to workstation cases The cases of the Command and Control workstations (generic standard PCs used for accessing and interacting with the system via a web browser) were not secured with tamper-evident labels or locks. The cases were opened in seconds without FCMG: Security and Telecommunications Test Report for the LA County VSAP Voting System 2.0 Last update: 12-24-2019 Status: Final Version: 1.5 Page 18 of 22 using any tools.
- "Once access was gained, any BIOS password could have been removed. This makes it possible to boot the machine using an outside operating system on a USB drive. In addition, there is no disk encryption so the hard disks could be directly accessed and all data files were accessible and alterable."
- "CVSS 7.3.a, b, and e which state: “a: Any unauthorized physical access shall leave physical evidence that an unauthorized event has taken place.” “b. Voting systems shall only have physical ports and access points that are essential to voting operations and to voting system testing and auditing.”"
- "Because booting from a USB drive doesn’t use the operating system on the targeted computer, that computer is offline from the System’s perspective. As such, this approach defeats the ability of Carbon Black to prevent running unregistered executables. For the same reason, Snare, the logging system, will not receive any information while running from the USB drive. ... This attack could be conducted by an elections official insider or a vendor insider."
- "The System also does not conform to CVSS 7.3.b, which states “Voting systems shall only have physical ports and access points that are essential to voting operations and to voting system testing and auditing.” Permitting the System to start from an external USB drive is not needed at any time to implement voting operations."
- The testers were able to gain access to the electronic event logs.
Despite the large number of non-compliant vulnerabilities, the testing firm Freeman, Craft, McGregor Group in its executive summary nevertheless pronounced the overall system compliant.
The public comment period on the proposed new system runs until Monday, January 20th at 5pm Pacific Time. Public comments may be addressed to VotingSystems@sos.ca.gov