Sequoia Edge touchscreen used in Arapahoe County was decertified by California, 2007
Arapahoe County Clerk Nancy Doty demands to continue using the defective Sequoia Edge touchscreen, without a Voter Verified Paper Audit Trail, although the entire Sequoia voting system was decertified by California in 2007, after the thorough top-to-bottom review by the University of California.
http://www.sos.ca.gov/elections/voting_systems/ttbr/sequoia_102507.pdf
Whereas, the Sequoia Source Code Review Team found significant security weaknesses throughout the Sequoia system, the nature of which raise serious questions as to whether the Sequoia software can be relied upon to protect the integrity of elections; and
Whereas, the Sequoia Source Code Review Team found that software mechanisms for transmitting election results and software mechanisms for updating software lack reliable measures to detect or prevent tampering; and
Whereas, the Sequoia Source Code Review Team found that the Sequoia system lacks effective safeguards against corrupted or malicious data injected into removable media, especially for devices entrusted to poll workers and other temporary staff with limited authority, with potentially serious consequences including alteration of recorded votes, adding false results, and, under some conditions, causing damage to the election management system when the corrupted or malicious data is loaded for vote counting; and
Whereas, the Sequoia Source Code Review Team found that the Sequoia system's cryptography used to protect the integrity of precinct results can be easily circumvented and appears to be identical to cryptography key material in all Sequoia hardware, meaning an individual who gains temporary unauthorized access to one county's Sequoia voting system has effectively gained access to all Sequoia voting systems used in other counties, provided that person can gain physical access to those systems; and
Whereas, the Sequoia Source Code Review Team found that Sequoia's access controls and other computer security measures that are supposed to protect against unauthorized use of the Sequoia voting system's central vote counting computers and polling place equipment are easily circumvented; and
Whereas, the Sequoia Source Code Review Team found that the Sequoia voting system software suffers from numerous programming errors, which have the potential to introduce or exacerbate security weaknesses; and
Whereas, the Sequoia Source Code Review Team found that while in certain cases, audit mechanisms may be able to detect and recover from some attacks, depending on county specific procedures, other attacks may be difficult or impossible to detect after the fact, even through very rigorous audits, and even with procedural safeguards in place and strictly observed; and
Whereas, the Sequoia Source Code Review Team found that many voting system attacks are hard to detect and correct, defying (sic) development and implementation of simple, effective countermeasures; and
Whereas, the Sequoia Red Team, in its penetration testing of the Sequoia voting system, discovered multiple vulnerabilities; and
Whereas, Sequoia Red Team members developed a working exploit of the Sequoia voting system that allowed the system's firmware to be overwritten with a malicious version; and
Whereas, the Sequoia Red Team members discovered that the Sequoia Edge direct recording electronic voting machine is designed to conduct Logic and Accuracy testing in a mode distinct from Election Day mode, which enables malicious firmware to detect when the Logic and Accuracy testing, meant as a check on the correct operation of the system on Election Day, is being conducted, and to avoid operating in an incorrect manner while in testing mode; and
Whereas, an attack could therefore be carried out on Election Day without being detected during the Logic and Accuracy testing; and
Whereas, the Sequoia Red Team members found that there is no secure, hardware-based mechanism to ensure that the voting system is running on the certified version of the firmware, which creates the potential for corrupted firmware to be loaded and executed without being detected; and
Whereas, the Sequoia Red Team members found a shell-like scripting language in the firmware of the Edge direct recording electronic voting machine that could be coerced into performing malicious actions, in apparent violation of 2002 Voting System Standards that prohibit "self-modifying, dynamically loaded or interpreted code," and that the scripting language includes, among others, a command to set the protective counter of the machine, which Sequoia representatives had described to the team as tamper-proof; a command to set the machine's serial number; a command that can be used to overwrite arbitrary files on the internal compact flash drive, including the system firmware or audit trail; and a command to reboot the machine at will; and
Whereas, the Sequoia Red Team members found that the host operating system of the Sequoia voting system it tested was configured so that it will execute an "autorun" file whenever removable media is inserted, which could allow the insertion of a Trojan program via a malicious USB removable storage media device that could modify ballot definitions and results and could also infect other components of the voting system; and
Whereas, the Sequoia Red Team members report that malicious firmware installed in such a manner could persist in a Sequoia Edge notwithstanding efforts to re-install certified software that would be believed to be uncorrupted; and
Whereas, the Sequoia Red Team members were able to bypass Sequoia voting system election management system controls to compromise the server host, despite vendor assurances to the contrary, because access controls could be bypassed and arbitrary commands could be executed; and
Whereas, the Sequoia Red Team members were able to create a working exploit on the Sequoia Edge that shifted votes from one candidate to another and was not detectable on the voter verifiable paper audit trail (VVPAT); and
Whereas, the Sequoia Red Team members found that forging cartridges used to update the Sequoia voting system was possible for multiple reasons; and
Whereas, the Sequoia Red Team members determined that physical security devices, such as seals, used on the Sequoia voting system could be easily bypassed in a manner that was undetectable, and that all components (Optech 400-C, Edge, HAAT and Card Activator, Insight Optical Scanner, and Memory Packs) are vulnerable to these attacks; and
Whereas, tampering with optical scan equipment such as the Optech 400-C and Insight Optical Scanner can be readily detected and corrected through hand counting of the optical scan paper ballots marked and directly verified by voters; and
Whereas, voted and unvoted optical scan paper ballots can be secured through well developed and tested physical security policies and procedures; and
Whereas, tampering with direct recording electronic voting machines such as the Edge can be difficult or impossible to detect, and is also difficult or impossible to correct through hand counting of VVPAT records, particularly when combined with successful attacks on VVPAT printing systems such as the VeriVote printer; and
Whereas, studies have shown that many voters do not review VVPAT records and that test voters who do review VVPAT records do not detect many discrepancies that have been intentionally introduced between selections shown on the paper record and selections shown on the review screen of a direct recording electronic voting machine; and
Whereas, on July 30, 2007, a duly noticed public hearing was held to give interested persons an opportunity to express their views regarding the review of various voting systems, including the Sequoia Voting Systems, Inc., WinEDS v. 3.1.012/AVC Edge/Insight/Optech 400-C voting system. At this hearing, approximately 60 individuals testified. Many more submitted comments by letter, facsimile transmission, and electronic mail; and
Whereas, pursuant to Elections Code section 19222, I, as Secretary of State, am authorized to withdraw approval previously granted of any voting system or part of a voting system if I determine that voting system or any part of that voting system to be defective or otherwise unacceptable; and
Whereas, I have reviewed the Sequoia Voting Systems, Inc., WinEDS v. 3.1.012/AVC Edge/Insight/Optech 400-C voting system and I have reviewed and considered several reports regarding the use of this voting system; the public testimony presented at the duly noticed public hearing held on July 30, 2007; and the comments submitted by letter, facsimile transmission, and electronic mail; and
Whereas, pursuant to Elections Code section 19222, six months' notice must be given before withdrawing approval previously granted of any voting system or part of a voting system unless I, as Secretary of State, for good cause shown, make a determination that a shorter period is necessary; and
Whereas, pursuant to Elections Code section 19222, any withdrawal by the Secretary of State of the previous approval of a voting system or part of a voting system is not effective as to any election conducted within six months of that withdrawal;
now
Therefore, I, Debra Bowen, Secretary of State for the State of California, find and determine, pursuant to Division 19 of the Elections Code, as follows:
For the reasons set forth above, the Sequoia Voting Systems, Inc., voting system, comprised of WinEDS, version 3.1.012, AVC Edge Model I, firmware version 5.0.24, AVC Edge Model II, firmware version 5.0.24, VeriVote Printer, Optech 400-C/WinETP, firmware version 1.12.4, Optech Insight, APX K2.10, HPX K1.42, Optech Insight Plus, APX K2.10, HPX K1.42, Card Activator, version 5.0.21, HAAT Model 50, version 1.0.69L, Memory Pack Reader (MPR), firmware version 2.15, which was previously approved, is found and determined to be defective or unacceptable and its certification and approval for use in subsequent elections in California is withdrawn effective August 3, 2007, except as specifically provided below.