Vulnerabilities of the ES&S DS200 Vote Tabulator

  • by:
  • Source: UncoverDC
  • 09/19/2023

More electronic voting machines in the United States are managed by Election Systems & Software (ES&S) than any other vendor. An in-depth review of the specifications and functions of one of the company's most used voting machines—the DS200 Vote Tabulator—reveals a machine with a difficult-to-detect modem buried in its motherboard, allowing the device mostly undetected access to the internet. 

ES&S DS200 Vulnerabilities

Let's Fix Stuff reported that the DS200 has a modem embedded in its motherboard, noting that "Malware can be embedded in hardware as well as software." Attorney Matt DePerno included that finding in Exhibit 6 of his Michigan lawsuit. According to Let's Fix Stuff, the chip is "designed to operate on a virtual private network" and enables communication with election servers while not having a visible external port:

"It is very difficult to detect unless you pry open the machine case to investigate the hardware... Anyone with access to any SIM card could have pre-programmed access to the APN... It demonstrates how electronic voting systems could be connected to the internet with minimal risk of detection."

More detail on that vulnerability can be found in an affidavit from the Executive Director of Americans United for Democracy, Integrity, and Transparency (AUDIT), John Brakey. He describes himself as specializing in "evaluating the vulnerability and reliability of election systems" and says the machines are "vulnerable to insider or sophisticated hacking."

In 2017, Brakey sent a letter to the State Election Director serving under the Secretary of State of Alabama advising that the digital images of cast ballots that are created by the DS200 are part of the chain of custody and therefore must be preserved per federal law— but the DS200 has a vulnerability in which menu options accessible to election officials allow images to be destroyed on election day.

There's a limit to how much we can find out about how the ES&S DS200 counts votes underneath the hood. The code is not open source—the "System & Method for Decoding Marks on a Paper Ballot" is a proprietary "trade secret" and considered intellectual property owned by the company based on patent law.

"The fact that we have vendors that say 'you cannot look at our code' is the first problem," says Jake Stauffer, a former cyber analyst for the U.S. Air Force. He is one of few who have looked inside the ES&S DS200—his "Red Team" was approved to produce a "Vulnerability & Security Assessment Report" for the State of California. He is featured in HBO's productions about vulnerabilities in America's voting systems: Hacking Democracy (2006) and Kill Chain (2020). In Hacking Democracy, he said:

"What we found... it's staggering. There were multiple vulnerabilities that could allow an attacker to get the highest level of access to the system. We found multiple operating system patches missing—what that means is that an attacker can inject code into that system, execute that with the possibility of receiving some sort of control.

When ES&S discovered that we were not using their testing plans, they were appalled. When we used our own testing plan and found these vulnerabilities, they pretty much told us that they had their own team and that they were not interested.

How can a vendor sell a voting system with this many vulnerabilities? I can't find a straight answer."

Among other vulnerabilities, the Red Team also found that the file systems on the flashcards used were not encrypted, the system was allowed to boot to a modified version, and that ballot images were unencrypted and alterable. Additionally, the password to access the SSH server "was cracked within 46 seconds using a common dictionary attack." The analyst says this process resulted in gaining remote access to an unmodified DS200.

The Red Team report states:

"Upon further investigation of the DS200, a weak root password hash was discovered, along with an SSH server that allows root logins as well as the ability to trivially image system memory (RAM). This could ultimately lead to a malicious actor obtaining a DS200 compact flash card, modifying the operating system's configuration, and putting a modified operating system into production unbeknownst to election officials or voters."

How ES&S DS200 Operates

Anoka County, Minnesota hosts start-of-day Set Up Instructions to be used by election administrators in precincts that use the DS200; Broward County, Florida created a training & procedures manual for poll workers' election day operations, and the following are slides from Fairfax County, VA Office of Elections:

[gallery type="slideshow" size="large" ids="27837,27836,27835,27834,27833"]

In precincts that operate under an election administration contract that calls for ES&S systems, the DS200 is used alongside optional devices, including the KNOWiNK Pollpad device that is pre-loaded with voter data from an iSYNC drive to check in voters and the ExpressVote Ballot Marking Device (BMD).

Source: TrustTheVote.org Election Technology Report

An administrator with password access to the printing options screen on a DS200 can select from several reports. These reports are then printed out on paper similar to a retail cash register or an ATM receipt. These are the "tally tapes" or "ballot tapes" we refer to throughout this article.

Caption: From the DS200 Operator Guide

Based on the manual, the DS200 instructions give us these definitions of the various printable report types:

  • Ballot Status Accounting Report: "[A] descriptive list of system settings that automatically generates when you turn on the scanner. The report includes a list of election configuration settings if the election definition is loaded when you turn on the scanner."
  • Zero Totals Report: "[Used to] ensure all of your contests have zero votes when the polls are initially opened."
  • Event Log Report: "...lists all of the scanner events that occur from the time you load your election definition USB flash drive into the scanner until you remove the flash drive after the election is complete."
  • Configuration Report: "...lists information such as the storage memory availability, firmware information and basic scanner information such as the status of the touch screen and battery charge level."
  • Voting Results Report: "...prints the results of your elections."

[gallery type="slideshow" size="large" ids="27824,27823,27822,27821,27820"]

The "Election Definition" for each jurisdiction is programmed onto a USB flash drive for each tabulator. As stated in the DS200 manual, "An election definition contains all of the candidates, contests and ballot variations that the scanner will process at the polling place. The election definition also contains customizable program options that control how the tabulator operates and reports results." In each jurisdiction, those options -- such as whether polls can be re-opened, whether results reports are automatically printed when polls close, and whether the voter can override a rejected ballot -- are all decided beforehand and loaded into the "Election Definition."

Caption: From the DS200 Operator Guide

During election day, when a voter tries to cast their paper ballot into the DS200, it could be rejected from the feed mechanism for the reasons explained below. The configuration options above determine the conditions that will trigger the machine to reject a ballot. The machine makes an audible sound, and the voter is shown a message on the screen. Here's a screenshot of an example of what is seen by the voter when their ballot is rejected (in this case because it is blank):

From the ES&S DS200 Operator's Manual:

"The DS200 can scan ballots inserted in any direction or orientation. Depending on the options set for your election definition, the DS200 will use one of the following methods for accepting or rejecting blank ballots, overvotes, and undervotes.

Unconditional acceptance: The scanner accepts and tabulates results for all ballots. Any contests that are blank, overvoted, or undervoted will be logged as such, and the remaining contests will be tabulated appropriately.

Unconditional rejection: The DS200 automatically rejects undervoted, overvoted, or blank ballots. Voters must review and correct ballot selections before the scanner will accept the ballot.

Query the voter for correction: The DS200 returns a questioned ballot to the voter and displays a screen message that describes the problem and prompts the voter to either review and edit the ballot or cast the ballot as it is."

An election day training manual for the ES&S DS200 explains other conditions in which the machine can be programmed to reject a ballot:

  • If the voter has 'undervoted,' it means there are too few markings for the ballot to be considered valid. For example, the voter did not mark any ovals for any candidate.
  • If the voter has 'overvoted,' it means there are too many markings for the ballot to be considered valid. For example, the voter marked both Candidate A and Candidate B's ovals.
  • If the voter has 'crossover' voted, it means there are markings for more than one party during a closed primary election.
  • The ballot may also detect one of these conditions and automatically allow the ballot to pass through into the storage bin.

[gallery type="slideshow" ids="27828,27827"]

If you have more information about the DS200 machine, including how to interpret the ballot tapes, please contact us at tips@uncoverdc.com.

Get the latest news delivered daily!

We will send you breaking news right to your inbox

© 2024 UncoverDC