I see stories about how the election is rigged or that there are security vulnerabilities and lots of people don’t believe the outcome. Why don’t they just open source everything so that anyone can look at the code and be sure the votes are tallied correctly?
I don’t know that that’s the reason, but I have an intuition from having been an election judge here in Illinois.
A voting machine is a closed-circuit system that just counts votes and prints the tally. It is not connected to any network, and getting its software upgraded requires a key that only the voting machine company has, and a seal that is unique and that can only be replaced by that voting machine company.
To make it clear with an example: a judge ruled in Illinois that ballots that would be in either English or Spanish were now void, they all had to be in both languages at the same time. Because that didn’t use to be the case, the election judge has to choose for each person between “English”, or “Spanish”, or both in the UI, and if they don’t choose both, the ballot is void. It’d be a trivial UI fix, and critical enough that you’d think it would be a priority. And yet the past elections still had the old UI, because updating the software on there is that hard.
So my intuition: if a CVE was found in one of the open-source solutions on there right before the election, the voting company would have to patch it, except it couldn’t realistically be done in time, so the election would be canceled until there is enough time without a CVE. Which of course doesn’t typically happen for very long. But if it’s all closed-source and the voting machine company is on the line for it, then that problem doesn’t exist.
Security through obscurity is a terrible idea - the problem is still there, and a determined attacker will find it anyway.
I don’t disagree. The point here being that the choice that was made was to keep the machines off any network to mitigate a bunch of attack vectors, and that’s having consequences on which unusual compromises had to be found. In other words: I can see how the obscurity is probably not the goal, only a consequence of other goals.
In general I agree, but these voting machines are in the quite uncommon position where potential attackers not only don’t have access to the source code, but in general don’t even have access to the program for any significant amount of time, and have no way of knowing if the software has been updated since they last interacted with it. That makes it very hard to even start developing an attack that could maybe work.
I guess my major concern with voting machines is this.
Thanks for your insights.
A high-profile CVE on voting machines released right before an election would almost certainly be solved by air-gapping the machines during the election.
Also, a high-profile CVE released right before an election is almost guaranteed to happen, thanks to the motives of potential attackers, so it would be important to have a plan in place.