
September 23, 2013

Attention:
Chicago Board of Elections
Chairman Langdon Neal
Commissioner Richard Cowen
Commissioner Marisel Hernandez
Executive Director Lance Gough

Dominion Voting
Executive Vice President Howard Cramer

When we discussed the need for a vulnerability assessment of the EdgePlus2 DRE machines at the last Chicago Board of Elections meeting, we agreed that we would present a description of the vulnerability assessment and work on developing common ground. As such, we anticipate there will be measures where we agree and others where further discussion will be required.

This document was prepared by Defend the Vote in conjunction with Dr. Roger Johnston in his official capacity as the head of the Vulnerability Assessment Team at Argonne National Laboratory. There are three parts: a description of the vulnerability assessment, particulars of the assessment, and a description of various levels of a vulnerability assessment on election machines. Dr. Johnston completed the third part.

This vulnerability assessment focusses on the Edge2Plus, Haat, Insight and the WinEDS systems currently in use in Chicago. In addition, we would like to test the 400c but it is not specified in this particular document.

Description of the vulnerability assessment:

A vulnerability assessment of voting machines strives to find simple low cost improvements in security without requiring radical changes to the voting machines. Recommendations will dramatically improve security without requiring a lot of cost, time, or effort. The purpose of this vulnerability assessment is to improve security of the vote and it is designed to be public in nature.

Scope: This security-based vulnerability assessment looks at the processes, procedures, and the operations of the Edge2Plus, Haat, Insight, and WinEDS 4.0 voting systems. The assessment seeks to find remedies for security-based vulnerabilities when they are identified.

Reports: A preliminary report will be produced which will present the result of the assessment. This will be provided to Defend the Vote, the Chicago Board of Elections, and to Dominion Voting for comment and feedback. A final report will then be issued which will include comments, feedback, and any subsequent followup. This report will be made public; however, protected and proprietary information will not be included in the public report.

Particulars of the Assessment:


Time Frame: The Assessment will begin on October 15th, 2013.

Resources: Defend the Vote will provide the funding for Argonne National Laboratory, any related costs of the assessment, and the secure movement of the equipment.

Argonne National Laboratory's Vulnerability Assessment Team will conduct the assessment at their laboratory in Argonne, IL.

Dominion Voting will provide technical assistance and feedback during the assessment. This may involve up to 2 days of staffing time. Generally, there is not a lot of time involved.

Chicago Board of Elections and staff will provide election machines to simulate voting in two precincts and for an early voting set-up. The use of Equipment Supply Containers is highly preferred to simulate the entire voting process, from transport to set up to use. The assessment team will need use of these machines for up to a week. The CBOE may also provide a staff person for up to two days in staffing time for information and feedback. Generally, there is not a lot of time involved.

Documents: Training and instruction manuals: Manufacturer manuals for use and training manuals for the poll workers.

Timing: The actual testing will be completed within a week. The report will take about 60 days for completion. Length of time is greatly influenced by the level of the vulnerability assessment decided upon.

Assessment Documentation: Argonne National Laboratory will document all assessments and results as part of their report.

Various Levels of a Vulnerability Assessment


1. Visual inspection of the exterior of the device to identify potential vulnerabilities, design flaws, countermeasures, and suggested use protocols. [Usually of very limited value.]

2. Visual inspection of the interior of the device to identify potential vulnerabilities, design flaws, countermeasures, and suggested use protocols. [Usually of somewhat limited value.]

3. Observe the device in use to identify potential vulnerabilities, design flaws, countermeasures, and suggested use protocols. [Usually of somewhat limited value.]

4. Experiment hands-on with the device, including putting it through its usual modes of operation. [Usually reveals some potential vulnerabilities, and results in some suggestions for improved use protocols.]

5. Reverse engineer the device. Time and expense depends on whether this is a white box vulnerability assessment (detailed specifications, drawings, circuit diagrams, or perhaps even source code is provided by the designer, manufacturer, or vendor) or a black box vulnerability assessment (the assessors have to learn all this from scratch). [Results are usually about the same for white vs. black box, and quite useful for improving security, but a fully black box analysis can be slow and expensive.]

6. Experiment with various software, hardware, and electronic attacks and issues, including but not limited to the following [usually reveals numerous vulnerabilities and countermeasures]:

   - fault analysis
   - power analysis
   - buffer overflow
   - side channel attacks
   - man-in-the-middle attacks
   - partial counterfeiting attacks
   - full counterfeiting attacks
   - device ID manipulation
   - skimming attacks
   - attacks on power systems
   - attacks on data storage
   - attacks on program storage
   - port attacks
   - cable attacks
   - display attacks
   - software/firmware tampering
   - CPU attacks
   - sensor attacks
   - chip level attacks
   - security of VVPR
   - security of excess unused ballots
   - security of ballots prior to use
   - security of associated election materials, pre-use
   - security of associated election materials, post-use
   - tamper detection capabilities
   - locking capabilities
   - vote privacy
   - two-person rule implementations
   - election programming attacks
   - insider attacks
   - outsider attacks with insider assistance
   - outsider attacks

7. Demonstrate the most viable attacks. [Though usually not to perfection due to time and cost constraints.]

8. Experiment with various countermeasures to the discovered attacks and vulnerabilities. Can include design changes, but also suggestions for modified use protocols. [Practical countermeasures are almost always discovered.]

9. Demonstrate the countermeasures. [If time and funding permit.]

10. Propose an optimum set of use protocols to minimize vulnerabilities. Typically a menu of prioritized options, rather than one fixed protocol.

Defend the Vote believes that when the public has faith in their elections, they are more motivated to vote. Likewise, Defend the Vote believes when the public's faith in their elections is lost, the government loses its legitimacy in the eyes of the citizens.

Roger Johnston, Ph.D., CPP
Senior Systems Engineer & Section Manager
Vulnerability Assessment Team
Nuclear Engineering Division
Argonne National Laboratory
9700 South Cass Avenue, Bldg. 206
Argonne, IL 60439-4840
1-630-252-6168 phone
1-630-252-7323 fax
1-630-788-4713 mobile
rogerj@anl.gov

Sharon Meroni
Executive Director
Vulnerability Assessment Project
Defend the Vote
1 West Surrey Lane
Barrington Hills, IL 60010
847-382-1100 Phone
224-357-6366 fax
847-778-3495 mobile
Sharon@DefendTheVote.com
