By Kevin Skoglund, Citizens for Better Elections
Published June 4, 2019
The ES&S ExpressVote XL and ExpressVote all-in-one voting machines have the ability to alter the paper record after it has been cast by a voter. This ability could allow hacked software to manipulate the paper records to change election outcomes without detection. This is a critical design flaw that deserves public and government attention.
Several voting machines were introduced in the last few years which are commonly referred to as all-in-one hybrid voting machines. They are called “all-in-one” because they combine two tasks which are more often performed by two separate devices: marking a paper ballot and tabulating votes from a paper ballot. On an all-in-one hybrid, these two voting processes are contained in a single device.
A voter makes ballot selections using the hybrid’s touchscreen (or an alternative input controller). The hybrid prints the voter’s ballot selections on a paper ballot or paper record. The hybrid shows the paper to the voter for approval. Once the voter approves the paper, the hybrid counts the votes by scanning the paper.
There is a major design flaw in all of the current all-in-one hybrid voting machines.
After the paper ballot or paper record is verified and cast by a voter, the paper travels through a printer before it is tabulated. This gives the printer an opportunity to mark on the paper after the last time the voter sees it. A malfunctioning or manipulated voting machine could add, modify, or invalidate votes and other information on the paper ballot before it is counted and stored in the ballot box.
Prof. Andrew Appel from Princeton first wrote about this design flaw in October 2018.
Three voting machines have the Opportunity to Mark design flaw: the Dominion ImageCast Evolution (ICE), the ES&S ExpressVote XL, and the ES&S ExpressVote in its all-in-one (tabulating) configuration.
Nothing mechanical prevents these all-in-one hybrids from marking on the ballot. The paper travels on a single paper path through the system. The printer is controlled by software. The print head is raised and lowered by software. The printer outputs whatever data the software sends to it. The software can be modified, replaced, or circumvented by an attacker who is able to get malicious code onto the voting machine.
In addition, in an all-in-one hybrid the hardware which marks the paper and the hardware which scans the paper are both controlled by the same software. This enables a hacked machine’s software to “know” what was printed on the ballot early in the process and to make use of that information later. For example, if a voter selected no candidate in one contest (an undervote), the all-in-one hybrid would know that there was an opportunity to add a vote in that contest. The software would also know if a certain candidate had been selected by the voter and could mark only on those ballots while leaving others alone.
The ExpressVote all-in-one hybrid (third image above) is essentially just a smaller, less expensive version of the ExpressVote XL (second image above), so I will discuss them as one for convenience.
The ExpressVote (third image above) also has a more common, non-tabulating configuration. It is often purchased to assist voters who find it difficult to hand-mark a paper ballot. We should be careful not to cause unnecessary concern. If it uses a separate optical scanner for reading and counting votes, then it cannot mark on the ballot and it is not affected by this flaw.
A direct threat to the evidence being collected is a significant, high-impact vulnerability.
The entire purpose of having a paper record during an election is to collect durable evidence of voter intent. Vote totals may be computed digitally, but the paper exists so that there is independent evidence to validate those totals. The paper evidence is the official ballot, the ground truth of the election.
This makes this flaw very serious. All-in-one hybrids can change the paper evidence. They can change not only the totals, but the evidence that would show if those totals are correct or not. They enable cheating and they make the cheating hard to detect or to reverse. Altered ballots could be used as proof that totals were not changed, even when they are. Altered ballots would be the official ballots.
Imagine giving a defendant free access to crime scene evidence before it goes to the evidence locker. A jury could not trust that evidence. More directly, it is like handing your paper ballot to a poll worker with a black pen in their hand and trusting them not to mark on it as you walk away. None of us would find that idea acceptable.
The Dominion ImageCast Evolution (ICE) has received the most attention for the Opportunity to Mark flaw. The flaw was first identified in the ICE. It was confirmed quickly because a PDF was posted online showing a cross-section of the ICE internals along with text promoting its single-paper-path design as a feature. It was obvious that the paper was passing the print head again on its way to the optical scanner.
Following Prof. Appel’s blog post in October 2018, he brought the issue to the attention of Douglas Kellner, Co-Chair of the New York State Board of Elections (NYS BOE). On March 7, 2019, Kellner wrote a letter recommending a reexamination of the ICE. The NYS BOE agreed and asked their IT department and a voting system test lab to review it.
On April 29, 2019, the NYS BOE concluded their reexamination. The examiners recommended disabling the printer to mechanically prevent the ICE from being able to mark on most ballots (but not all ballots). They advised using procedural controls to disable the printer most of the time, and only reenabling the printer when a voter with a disability needs to use it. The NYS BOE accepted their recommendation and continues to allow the ICE to be used in New York State. It is unclear whether counties that purchase the ICE will receive any guidance on the recommended mitigations or how their usage will be enforced.
Prof. Appel wrote a blog post which explains how the NYS BOE conclusion mischaracterized the security advice of their IT experts and too easily dismissed the “Very High” impact threat that they identified. I agree with his points and would offer two more. It is unwise to assign a critical security task to hundreds of busy, distracted poll workers and expect them to perform it reliably from year to year. It is also troubling that voters with disabilities will still be exposed to this flaw. One might argue that these ballots are a small percentage of the total and therefore less likely to change the election outcome, but contests are often decided by a few votes and no ballots should be treated as “second class” and less important.
The ExpressVote XL has received less attention than the ICE. The Opportunity to Mark flaw was presumed to exist in the XL but not confirmed until early 2019. The effect of this flaw on the XL is more pervasive and serious than on the ICE for several reasons.
The ICE is designed so that most voters will hand-mark paper ballots and then feed them into the paper slot for scanning. These ballots will pass the printer, but the ICE will not yet know what marks are on them. It can mark on them but it would have to do it blindly. If it added a mark to a contest, it would not know if it was overwriting an existing mark, creating a second mark (an overvote), or creating the first mark in an unvoted contest (an undervote).
Voters using an “assistive voting session,” such as voters with disabilities, will be the most affected by the design flaw on the ICE. A voter feeds a blank paper ballot into the ICE and then uses a touchscreen or an assistive device to make their selections. The ICE marks those selections on the ballot and returns it to the voter for verification. Then the voter reinserts the ballot, which passes the print head before being scanned and stored. In this case, the ICE does know what the voter has marked on the ballot and can use this information to decide whether to mark and what to mark. (The NYS BOE procedural controls will not protect the ballots of these voters. They must be exposed to the flaw. It is fundamental to how the assistive voting sessions work.)
This aspect is notable because the ExpressVote XL has the same flaw, but it exposes all voters to it. All voters will feed a blank piece of paper into the XL and use a touchscreen to make selections. All voters will have their paper record printed by the XL and it will know their selections. All voters will have their paper record pass the print head a second time, not just during assisted voting sessions.
Furthermore, the mitigations which were suggested in New York to protect most ballots (such as disabling the printer when not being used) cannot be applied to the ExpressVote XL. The printer is essential for operation and cannot be disabled. All voters must be exposed to the flaw. It is simply how the voting machine works.
Much of what has been written about this flaw has focused on the ability of the ICE to fill in ovals for any undervoted contests, which would be difficult to detect. Professors Appel, DeMillo, and Stark describe it in “Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters,” on pages 18-19.
Vote-stealing software could easily be constructed that looks for undervotes on the ballot, and marks those unvoted spaces for the candidate of the hacker’s choice. This is very straightforward to do on optical-scan bubble ballots (as on the Dominion ICE) where undervotes are indicated by no mark at all. On machines such as the ExpressVote and ExpressVoteXL, the normal software indicates an undervote with the words NO SELECTION MADE on the ballot summary card. Hacked software could simply leave a blank space there (most voters wouldn’t notice the difference), and then fill in that space and add a matching bar code after the voter has clicked “cast this ballot.”
Their analysis is correct, but it describes a single manipulation—the one most similar to the behavior of the ICE.
The XL has much more flexibility. It does not use a pre-printed paper ballot with ovals that get filled in. The XL controls the layout and format of the paper record. It has total freedom, because nothing is pre-printed on the paper to restrict it. Instead of having names next to ovals, the XL chooses the contest labels and candidate names for each selection and even whether they should be printed at all.
The ICE prints marks which indicate a positive choice on a ballot. A filled-in oval cannot have another meaning. The information the mark conveys is immediately transparent to anyone reviewing the paper ballot because the mark is next to a label.
The XL prints all vote selections as barcodes. The barcodes are what the machine scans and counts. The information contained in these barcodes is not transparent. They are machine-readable, not human-readable. The voter cannot verify the barcodes are correct. Even if the voter has a barcode scanner, the barcodes printed by an ExpressVote contain six-digit numbers (“171311”) which represent candidates on the ballot. A voter will not know to which candidate a number refers.
This fundamental lack of transparency provides an opportunity for hacked software to hide ballot manipulations in plain sight. The simplest hack does not depend on the Opportunity to Mark design flaw. In a Barcode Mismatch Attack a hacked voting machine could print a barcode for one candidate while printing a different candidate name for the voter to verify. A voter cannot notice that a barcode does not match the human-readable version. The barcodes will be counted by the voting machine and those tallies will be the election night results.
Hacked software which exploits the Opportunity to Mark design flaw can also make good use of barcodes to hide ballot manipulations.
The way marks are physically made is a further difference between the two machines. This may seem like a small point, but it makes manipulations more difficult to detect. If a voter marks a paper ballot by hand with a pen—perhaps going outside the ovals, or marking an X or a check—and then the ICE prints an additional mark using printer ink, then the style of the marks may be different enough to detect the manipulation.
On the XL, all of the marks on the paper record are created the same way: using heat to mark on thermal paper. (Thermal paper is used to avoid the need to purchase and maintain ink cartridges.) A mark made in the initial printing of the record and a mark made after the voter has cast the record will look the same. It will be difficult, maybe even impossible, to detect.
These differences provide even more possibilities for manipulation on the XL than on the ICE.
This is a brainstorm about the ways the Opportunity to Mark design flaw could be exploited on the ExpressVote XL. These are all unproven ideas. I do not have an XL available to test which work and which do not. Voting machine vendors do not provide access to source code so that we can see what defenses and preventions are in place. (However, on a compromised system, software protections could be removed or bypassed too.) So these are hacks that seem reasonable given what is known about how the XL operates.
I have assigned names to each of the hacks to make them distinct. The example images were modified using image software and are for illustration purposes only.
An undervote is when a voter does not vote for any candidate in a contest or too few candidates in a multi-candidate contest. Under normal operation, the XL does not print any barcode for an undervote and prints “No Selection” in the ballot summary.
In The Undervote Thief, hacked software could leave the ballot summary line blank instead of printing “No Selection”. After the record is cast, the XL would add the name of the preferred candidate. It could print the corresponding barcode initially or wait until the name was added. This is the same hack described in the Appel-DeMillo-Stark paper cited above. It is similar to the undervote hack on the ICE.
This hack would be very difficult for voters or auditors to detect. A blank space on the paper record would seem reasonable to a voter because they left the contest blank. During an audit, the paper record would look normal, as if the voter had cast votes in all contests.
The Opportunity Maker is similar to The Undervote Thief, but it does not require an undervote. Hacked software could suppress printing the human-readable line of text for any contest, not just undervoted contests, thus making an opportunity to add a candidate name later. This hack would work best in down-ballot contests—a voter may notice that a vote for President is not shown on the paper record, but they are unlikely to notice if a judge or a ballot question is missing. Once the voter casts the paper record, the XL could add the contest and the preferred candidate name.
This hack has a limited chance of detection by the voter. Voters do not review the paper records carefully. Even if they do, it would be easy to validate that all displayed selections are correct while failing to notice that a selection is missing. If the missing selection is detected, the voter may believe it was their mistake and then either spoil the ballot or cast it anyway. If they spoil it, the voting machine would know it had been spoiled and could stop cheating for a period of time to avoid detection. If the voter does not detect it, then an audit could not. The paper record would look normal, as if the voter had cast votes in all contests.
The ExpressVote prints barcodes in rows of three. If the number of barcodes is not evenly divisible by three, the last row has one or two white spaces with no barcode or other mark. Because the XL does not print a barcode when a voter chooses not to vote in a contest (an undervote), the amount of whitespace varies between paper records.
In The Stowaway, hacked software could add a barcode to any blank space. It could add a vote in an undervoted contest (similar to The Undervote Thief but without bothering to print the equivalent human-readable text). It could add a second vote to an existing contest (an overvote) which might invalidate the real vote in the contest. It could add a duplicate of an existing vote (i.e., one barcode for George Washington becomes two barcodes for George Washington). It is not clear whether both barcodes would be counted.
If a paper record did not have enough blank spaces, hacked software could add an additional blank row during the initial printing to make room for stowaway votes. One stowaway vote would be easiest, but it could print more than one.
This hack would be impossible for the voter to detect and difficult to detect during an audit. The barcodes are printed in a random order, not in the same order as the contests in the ballot summary. An extra barcode could be easily overlooked. It would only be detectable if an audit carefully accounted for all barcodes, checking each one off as it was matched with its corresponding line in the ballot summary.
In The Invalidator, hacked software could deface a barcode to make it unreadable. The easiest defacement would be to black out the barcode completely. A more stealthy defacement would make subtle changes to make the barcode invalid.
A Code 128 barcode is a sequence of symbols: a start symbol, the encoded data (here the six-digit number), a check character, and a stop symbol. The check character is computed from the data with a fixed algorithm (in Code 128, a weighted sum of the symbol values modulo 103) and exists to catch misreads. A barcode scanner detects the start symbol, reads the data symbols until it reaches the stop symbol, recomputes the check value, and confirms that the result matches the printed check character. If not, the scan fails. The data and the check character have to agree.
The XL could change any of those lines, simply by making an existing line a little thicker, and the barcode would become unreadable. It could change the start symbol so that a scanner would never start reading the data. It could change the stop symbol so that a scanner would never finish reading the data. It could change the check character so that it did not match the data. It could change the data so that it did not match the check character.
We do not know how the optical scanner on the XL would react to an unreadable barcode. It might skip only that one barcode and proceed normally. It could stop reading any barcodes that came after the invalid one. It might return the paper record to the voter. It could get stuck in a loop trying to read it. It could cause a system error and crash the voting machine. It might fail to count any votes but deposit the paper record in the ballot box anyway.
Hacked software is not limited to defacing the barcodes containing vote selections. The ballot style identifier, which is often unique to each polling place and determines the candidates being voted on, is also stored as a barcode. It could be defaced to make the entire record unreadable while the barcodes containing vote selections would be valid if inspected.
This hack has little chance of detection by the voter. The paper record is normal when the voter sees it. The ability of an audit to detect the hack depends on how subtle the defacement is. A crossed-out barcode would be easy to detect. A single thickened line would be hard to detect and easy to attribute to malfunction.
In The Fixer, hacked software could change a vote for one candidate into a vote for another candidate. It could edit the lines in a barcode so that the encoded number becomes the number for a different candidate while the barcode is still valid and readable.
This hack is challenging to pull off for two reasons. Any change to the encoded data must also change the check character to match (see the discussion of the check character in The Invalidator). There are also limits to how the lines representing the digits can be changed. The printer cannot undo an existing black line—the process has to be additive. For example, the number four is represented by three thin black lines while the number seven is represented by three thick black lines. A four can become a seven, but a seven cannot become a four.
However, the task is made easier because the numbers encoded in the barcodes are almost sequential. The numbers relate to the coordinates where the ovals would be placed on a pre-printed ballot. The candidates are listed vertically in a column, so their coordinates are similar. For example, four candidates in a contest might be referenced by the numbers 092211, 092411, 092611, and 092811. Editing a single digit (the fourth) would change the number to reference a different candidate. If the check character can also be changed to match, then the edited barcode would be valid. The coordinates may vary between ballot styles (i.e., different polling places), making some ballot styles more favorable to alteration than others.
For an in-depth explanation and demonstration, see “How ExpressVote Barcodes Could Be Modified.”
The hack would be impossible for voters to detect. The paper record would appear normal during review. An audit of the human-readable ballot summary will see text for the original selection (unless this hack is combined with The Opportunity Maker). Only an audit which includes scanning the barcodes would detect the mismatch.
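To make The Invalidator and The Fixer concrete, here is an added worked model of the barcode arithmetic; it is example code written for this article, not ES&S or ExpressVote code. It assumes the ExpressVote barcode is plain Code 128 subset C (digit pairs) carrying the six-digit number; the article says Code 128 but not which subset, and the real printer, scanner and ballot data were not available to check. The symbol table is transcribed from the Code 128 symbology. The model encodes a number as start, data, check and stop symbols, “scans” it, thickens a single bar to see the read fail, and then searches for edits that can be made by adding ink only (every bar may grow into a neighbouring space, nothing can be erased) such that both the data symbol and the check character remain valid. Edits are modelled within one symbol at a time; a bar growing into the next symbol is not modelled, and the article’s four-to-seven example is not asserted here.

```python
"""Code 128 (subset C) model: encode, decode, and test "additive-only" edits.

Added example for this article, not ES&S code. It assumes the ExpressVote barcode
is plain Code 128 subset C carrying a six-digit number (the article says Code 128
but not which subset). The symbol table is transcribed from the Code 128
symbology: 3 bars and 3 spaces per symbol, widths in modules summing to 11.
"""

# Widths B S B S B S for values 0..105: 0..99 are digit pairs in subset C,
# 100..102 are code-switch/function symbols, 103..105 are Start A/B/C.
_WIDTHS = (
    "212222 222122 222221 121223 121322 131222 122213 122312 132212 221213 "
    "221312 231212 112232 122132 122231 113222 123122 123221 223211 221132 "
    "221231 213212 223112 312131 311222 321122 321221 312212 322112 322211 "
    "212123 212321 232121 111323 131123 131321 112313 132113 132311 211313 "
    "231113 231311 112133 112331 132131 113123 113321 133121 313121 211331 "
    "231131 213113 213311 213131 311123 311321 331121 312113 312311 332111 "
    "314111 221411 431111 111224 111422 121124 121421 141122 141221 112214 "
    "112412 122114 122411 142112 142211 241211 221114 413111 241112 134111 "
    "111242 121142 121241 114212 124112 124211 411212 421112 421211 212141 "
    "214121 412121 111143 111341 131141 114113 114311 411113 411311 113141 "
    "114131 311141 411131 211412 211214 211232"
).split()
PATTERNS = {v: tuple(int(c) for c in w) for v, w in enumerate(_WIDTHS)}
LOOKUP = {p: v for v, p in PATTERNS.items()}
START_C, STOP = 105, (2, 3, 3, 1, 1, 1, 2)   # the stop symbol has a fourth bar
# Sanity check on the transcription: 106 distinct patterns, each 11 modules wide.
assert len(LOOKUP) == 106 and all(sum(p) == 11 for p in PATTERNS.values())


def check_char(values):
    """Code 128 check character: start value plus weighted data values, mod 103."""
    return (START_C + sum(i * v for i, v in enumerate(values, start=1))) % 103


def encode(digits):
    """Even-length digit string -> list of symbol patterns, start through stop."""
    if len(digits) % 2 or not digits.isdigit():
        raise ValueError("subset C needs an even number of digits")
    values = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    return [PATTERNS[START_C], *(PATTERNS[v] for v in values),
            PATTERNS[check_char(values)], STOP]


def decode(symbols):
    """Scanner model: the digits, or None when the read fails (bad start/stop,
    unknown symbol, check mismatch, or a control symbol this model rejects)."""
    if len(symbols) < 4 or symbols[0] != PATTERNS[START_C] or symbols[-1] != STOP:
        return None
    body = [LOOKUP.get(s) for s in symbols[1:-1]]
    values, check = body[:-1], body[-1]
    if None in body or max(values) > 99 or check != check_char(values):
        return None
    return "".join(f"{v:02d}" for v in values)


def bar_intervals(symbol):
    """[start, end) module positions of the bars (the even-index elements)."""
    out, pos = [], 0
    for i, w in enumerate(symbol):
        if i % 2 == 0:
            out.append((pos, pos + w))
        pos += w
    return out


def reachable_by_adding_ink(old, new):
    """True if `new` results from `old` by adding ink only: every bar of `new`
    covers the corresponding bar of `old` (bars grow into spaces, nothing is erased)."""
    return all(ns <= os and ne >= oe
               for (os, oe), (ns, ne) in zip(bar_intervals(old), bar_intervals(new)))


# For every symbol value, the other values reachable from it by adding ink.
REACHABLE = {v: sorted(u for u, q in PATTERNS.items() if u != v and reachable_by_adding_ink(p, q))
             for v, p in PATTERNS.items()}


def thicken_bar(symbols, index, bar, side):
    """The Invalidator: widen bar `bar` (0..2) of symbol `index` by one module into
    the adjacent space ('left' or 'right'); returns a new symbol list."""
    w, b = list(symbols[index]), 2 * bar
    s = b - 1 if side == "left" else b + 1
    if not 0 <= s < len(w) or w[s] < 2:
        raise ValueError("the space would vanish and two bars would merge")
    w[b], w[s] = w[b] + 1, w[s] - 1
    return [*symbols[:index], tuple(w), *symbols[index + 1:]]


def fixer_candidates(digits):
    """The Fixer: numbers obtainable by replacing ONE data symbol with a digit-pair
    symbol reachable by adding ink, where the new check character is also reachable
    by adding ink from the printed one (or unchanged)."""
    values = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    old_check = check_char(values)
    found = []
    for pos, v in enumerate(values):
        for new_v in (u for u in REACHABLE[v] if u <= 99):
            new_values = values[:pos] + [new_v] + values[pos + 1:]
            new_check = check_char(new_values)
            if new_check == old_check or new_check in REACHABLE[old_check]:
                found.append("".join(f"{x:02d}" for x in new_values))
    return found


if __name__ == "__main__":
    printed = encode("092211")
    print("clean read:", decode(printed))                                     # 092211
    print("one bar thickened:", decode(thicken_bar(printed, 2, 0, "right")))  # None
    print("092211 -> 092411 by adding ink?", "092411" in fixer_candidates("092211"))
    print("ink-only edits of 114901:", fixer_candidates("114901"))
```

Under these assumptions the model confirms the article’s two points in one run. Thickening a single bar of the “22” symbol produces a pattern that is not in the Code 128 table, so the scan returns nothing (The Invalidator). The article’s example edit, 092211 to 092411, is not available by adding ink alone in subset C: the symbol for 22 cannot grow into the symbol for 24. But 114901 can become 214901, because the data symbol 11 and the check character 11 both turn into 21 when the middle bar is widened leftward, so the edited barcode still validates (The Fixer). The model also shows that the code-switch symbol 101 is reachable from 09 by adding ink, which is the kind of control symbol the Code Injector discussion below is concerned with.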
In The Substitute, hacked software could invalidate one barcode while adding a preferred, substitute barcode. This is a combination of The Invalidator and The Stowaway.
Like The Fixer, this hack would change a vote to a different candidate, but it does not require careful barcode manipulations. Hacked software could attempt to use The Fixer, but fall back to using The Substitute if the conditions for modifying the lines in the barcode were not favorable.
This hack has little chance of detection by the voter. The paper record is normal when the voter sees it. If the defacement of the barcode is subtle then an audit would need to fully reconcile all barcodes with the lines in the ballot summary to detect the hack. Otherwise, it would appear that the text for George Washington has a corresponding barcode for George Washington.
The human-readable ballot summary on the paper record is generally assumed to be the official record (though election law is typically not clear on this point). This is important because if there is a Barcode Mismatch Attack, where the barcode and text do not match, an audit may detect the manipulation and correct the election outcome if necessary.
In The Unauditable Record, hacked software could print black over all or part of the human-readable ballot summary. This could be used to cover up a Barcode Mismatch Attack or simply to deny auditors the text they need to check the barcodes.
This hack would be impossible for voters to detect. The paper record they review will be normal. It would be easy to detect in an audit. However, it would not be easy to recover from the hack. What should be done after detection? Election law is unlikely to specify remedies for this new problem. We might choose to count the barcode portion, to spoil the ballot, to invalidate all votes from that voting machine, or to hold a new election. Any choice would create issues, as well as include consequences which could also be used by an attacker to manipulate the outcome.
Hacked software could go further than The Unauditable Record and print black over both the barcodes and the human-readable summary. It seems likely that the XL would accept the paper record without any readable barcodes because it will accept a paper record where the voter intentionally chooses not to vote in any contest.
Also note that because the paper record is on thermal paper, an overheated machine part or a hot environment could also turn the paper record black. A fingernail scratch generates enough heat from friction to mark it.
This hack would be impossible for the voter to detect, but easy to detect in an audit. Like The Unauditable Record, it is not clear how to recover from it. One advantage of this attack is deniability—it may be more easily attributed to malfunction or other conditions besides hacking.
The XL normally encodes numbers in the barcodes. The Code 128 format it uses can represent every ASCII character, including control characters, plus several function and code-set-switching symbols. Some of these have special meaning to scanners and decoding software and, if the XL software does not handle them carefully enough, they may be used to change software behavior and cause unintended effects. This is a common class of software vulnerability, usually called injection.
This hack requires experimentation to find a useful combination of characters, like picking a lock. Fuzzing tools can try large numbers of combinations automatically.
There are many possible results of a code injection. A malicious barcode could cause the XL software to crash. It could cause the XL to stop counting subsequent barcodes. It could allow programming commands to be sent to the software. It could create a buffer overflow, which allows modification of the programs and data being used by the system.
Why would a hacked voting machine need to further hack itself? Access privileges are often layered and hacked software may wish to gain more control. It might have enough access to control the printer but not enough access to modify the tabulation and results directly. It might want to disable security controls. It might want to modify log files to hide its activity. A modification might enable it to spread to other voting machines via removable media or to allow the hacked software to persist between elections and software updates.
This hack could be performed on the first printing of the paper record too. Using the Opportunity to Mark flaw allows it to better evade detection.
A voter would not notice the hack. Unlike the other hacks, only one malicious barcode on one paper record is required. An audit would notice the malicious barcode only if that specific record was selected for the audit and the barcodes were completely reconciled against the items in the ballot summary.
These hacks are unlikely to be detected by voters or by election administrators.
Would voters notice? Probably not. There are only two symptoms a voter could notice.
The first symptom would be any changes, additions, or omissions to the paper record presented for their review. Some hacks will make subtle changes to that record, while most will print a perfectly normal record. A recent study makes it clear that voters either do not review the paper records or do not review them carefully.
The second symptom is that the paper will appear to pause for a moment while the second printing takes place. In most cases, the bottom third of the paper record would be visible to the voter during printing. I believe that voters will assume this pause is a normal part of the process. The pause could be attributed to reading the votes or taking care of some other administrative business.
Even regular voters will only use the voting machine twice a year. Many will use it once every four years. These voters will have little experience with normal operation, making it difficult to detect abnormal operation. Voters are also not expecting to be voting machine watchdogs. If a voter does notice anything out of the ordinary, they are likely to think it is a harmless glitch or the result of something they did. We routinely encounter machines in our everyday lives which experience intermittent issues.
The only way to detect the presence of any manipulation is to examine the barcodes and the human-readable ballot summaries on every paper record. Instead, election administrators use post-election audits which typically sample and evaluate only 1% to 3% of the paper records. Risk-limiting audits (RLAs) may evaluate far fewer.
RLAs are a robust tool to gain confidence that the outcome is correct. They are not a hacking detection tool. An RLA’s purpose is to confirm the tabulation of ballots, not to forensically examine them. An RLA can audit manipulated records without noticing the manipulation. An RLA can also “sample around” manipulated records and never evaluate any.
Another obstacle to detection is that post-election audit practices vary widely. Some jurisdictions do not perform audits at all. In some locations, a machine recount which rescans only the barcodes is considered adequate. Those that perform audits may examine only the human-readable text and not the barcodes. Even jurisdictions which have routine, robust audits choose only a few contests to audit. You cannot detect anything if you do not even look.
An auditor who scans the barcodes and knows which candidates the six-digit numbers indicate faces another obstacle. The barcodes are not printed in the same order as the items in the ballot summary. Detecting manipulations requires a careful reconciliation of every barcode with every item in the ballot summary.
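The reconciliation just described, which is also what it would take to catch The Stowaway, The Opportunity Maker and a Barcode Mismatch Attack, can be done mechanically once the barcodes have been decoded. The following is an added example written for this article, not ES&S software. It assumes the auditor has a list of decoded six-digit codes for each record and holds the ballot definition that maps each code to a contest and candidate; the ballot definition, the contests, and the two sample records are constructed for illustration, and the codes imitate the article’s “092211” style rather than any real ES&S identifier. Barcode order is deliberately ignored because the XL prints barcodes in random order.

```python
"""Reconcile every barcode on a paper record with every line of its ballot summary.

Added example for this article, not ES&S software. Assumes barcodes are already
decoded to the article's six-digit codes and that the auditor has the ballot
definition (code -> contest, candidate). All data below is constructed.
"""
from collections import Counter

# Constructed, hypothetical ballot definition: code -> (contest, candidate).
BALLOT = {
    "092211": ("President", "George Washington"),
    "092411": ("President", "John Adams"),
    "092611": ("President", "Thomas Jefferson"),
    "171311": ("Judge of the Court", "Candidate A"),
    "171511": ("Judge of the Court", "Candidate B"),
    "220111": ("Question 1", "Yes"),
    "220311": ("Question 1", "No"),
}
# Contests on this ballot style and how many selections each allows.
VOTE_FOR = {"President": 1, "Judge of the Court": 1, "Question 1": 1}


def parse_summary(lines):
    """'Contest: Selection' lines -> {contest: selection}; 'No Selection' -> None."""
    out = {}
    for line in lines:
        contest, _, sel = line.partition(":")
        sel = sel.strip()
        out[contest.strip()] = None if sel == "No Selection" else sel
    return out


def reconcile(summary_lines, barcodes):
    """Sorted findings; an empty list means text and barcodes agree on every contest.
    Barcode order is ignored because the XL prints them in random order."""
    findings = []
    text = parse_summary(summary_lines)
    by_contest = {}
    for code, n in Counter(barcodes).items():
        if code not in BALLOT:
            findings.append(f"UNKNOWN_CODE {code}")
            continue
        contest, cand = BALLOT[code]
        if n > 1:   # the same barcode printed twice (a duplicate Stowaway)
            findings.append(f"DUPLICATE {contest}: {cand} x{n}")
        by_contest.setdefault(contest, []).append(cand)
    for contest in text:
        if contest not in VOTE_FOR:
            findings.append(f"UNKNOWN_CONTEST {contest}")
    for contest, limit in VOTE_FOR.items():
        cands = by_contest.get(contest, [])
        sel = text.get(contest)
        if len(cands) > limit:   # extra barcode in a voted contest (Stowaway overvote)
            findings.append(f"OVERVOTE {contest}: {cands}")
        if contest not in text:   # no summary line at all (Opportunity Maker)
            findings.append(f"MISSING_TEXT {contest}: barcodes {cands}")
        elif sel is None and cands:   # text says "No Selection" but a barcode exists
            findings.append(f"STOWAWAY {contest}: {cands}")
        elif sel is not None and not cands:   # text has a vote, no readable barcode
            findings.append(f"NO_BARCODE {contest}: {sel!r}")
        elif sel is not None and sel not in cands:   # Barcode Mismatch Attack
            findings.append(f"MISMATCH {contest}: text {sel!r} vs barcodes {cands}")
    return sorted(findings)


# Constructed sample records. CLEAN is a normal record with one undervote.
# TAMPERED has the judge line suppressed but a judge barcode present, a
# Question 1 barcode that disagrees with the text, and a duplicated barcode.
CLEAN = (["President: George Washington", "Judge of the Court: No Selection",
          "Question 1: Yes"], ["220111", "092211"])
TAMPERED = (["President: George Washington", "Question 1: Yes"],
            ["092211", "171511", "220311", "092211"])

if __name__ == "__main__":
    for name, record in (("CLEAN", CLEAN), ("TAMPERED", TAMPERED)):
        print(name, reconcile(*record) or ["no findings"])
```

Each finding names the contest so a human can pull the record; a record with no findings still says nothing about whether the voter’s screen matched the text, which is the part no audit of the paper can recover. The NO_BARCODE case is what an Invalidator-style defacement would look like after decoding, since an unreadable barcode simply never arrives in the decoded list.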
Less rigorous inspection can allow significant manipulation to go undetected.
Hacked software can utilize the Opportunity to Mark design flaw of all-in-one hybrid voting machines in a variety of ways to add, modify, and invalidate votes with little chance of detection. All-in-one hybrids do not even need to be compromised to be a threat to our elections. The public knowledge that they are capable of manipulation makes them untrustworthy.
The Election Assistance Commission (EAC), state governments, and local election officials should not allow voters to use any voting machine which is capable of changing the paper evidence of their votes.
This should be common sense. Cast ballots should be protected from modification. The recommendation of the examiners in New York State was to disable the printer to prevent marking. It would be wiser not to attach a printer and an optical scanner to each other in the first place.
On May 15, 2019, Senator Ron Wyden and 14 Senate co-sponsors introduced an updated version of the Protecting American Votes and Elections Act. The PAVE Act includes restrictions which would ban all-in-one hybrid voting machines. It forbids ballot marking devices from being capable of tabulating votes. It requires that optical scanners and ballot marking devices shall be “designed and built in a manner in which it is mechanically impossible for the device to add or change the vote selections on a printed or marked ballot at any time after the ballot has been presented to the voter for inspection and verification.”
The PAVE Act clearly sees the threat presented by all-in-one hybrids and the Opportunity to Mark design flaw. We should not wait for federal legislation to pass to address it.