Wireless Communications in Local Voting Systems – Part 1
The devices used when you check in to receive a ballot, and the scanner where you place your ballot, both have hardware and software reviewed and certified by the Commonwealth of Virginia. The scanner is also tested by the the Election Assistance Commission (EAC) which was formed in 2002 after the Bush v Gore hanging chad and the passage of the Help America Vote Act.
But is it possible these devices mess up your vote because a ‘bad actor’ that we cannot see gets involved? Could this happen remotely?
If you are feeling geeky, you will enjoy watching the HACMS project videos. A drone is remotely hacked and taken control of showing that yes, a bad actor taking remote control of a device can happen.
We asked about the wireless connection testing for ballot scanners during a conversation with Systems and Satellite Engineer Dan Sundin. He has contacts in Texas counties that use Hart Verity ballot scanners like we do in Prince William.
EAC and State Testing on Wireless Communications
For some background, the EAC certifies systems after applications are made by vendors like Hart InterCivic. These vendors also get to select the Voluntary Voting System Standard (VVSG) to which they wish the system to be certified. They usually pick the lowest standard because it is easier. The Hart Verity system 2.5 was modified by Virginia to 2.5.2 which Prince William County uses and was originally certified to the VVSG 1.0, the easiest version from 2005. The Virginia Voting System Standard of 2020, and prior one from 2015, does not allow wireless transmissions or ability. We asked Dan Sundin if there is any testing for wireless communications of any kind at the EAC level so we know what to expect from Virginia.
Dan Sundin, [9/29/2023 1:04 PM]
Regarding EAC Certification, Remote Connections are not certified. States can do their own certification to overcome that deficiency, such as California, Florida or Rhode Island.
Dan Sundin, [9/30/2023 9:09 PM]
RF emissions are what are tested for, which is much different that connectivity, such as Wi-Fi (2.4 or 5Ghz frequencies), Bluetooth, Infra-Red, and Near-field communications, along with Ethernet (or other interfaces) connected Modems and Cellular integrated Modems, all of which are not part of the VVSG-1 Specification.
The EAC.gov specifications say that Network Connectivity isn’t allowed, and not part of the approved specifications. Therefore, states (and/or counties, or other jurisdictions), which want those functions must SELF-CERTIFY and appear as the WHITE areas on the EAC.gov map for certified systems. Changes, revisions and additions to a jurisdiction must be reported within 60-days of revision to the EAC.
Modems or things like WiFi / Bluetooth are easy to identify, when you look at the equipment description and definition. Things implemented at a chip level, part of the motherboard, are much harder to determine in the hardware build. There should be software messages generated, which identify usage, at an Operating System alarm level. Many times, no one is really viewing, or care to LOOK.
When understanding what Clay Parikh and other are talking about in Security Testing, those levels of verification are left out, on purpose by the vendors.
Dan Sundin, [9/30/2023 9:25 PM]
California is another state using ES&S and Remote transmissions of precinct information after closing.
Dan Sundin, [9/30/2023 9:27 PM]
The City of Chicago is an example of the state not certifying their system, which is a Dominion platform. They have over 2000 precinct polling locations, and use a distinct different version of the Dominion platform. They use installed cellular modems in these platforms, and I’m sure no one can find the hardware, if allowed to look at the motherboard, without a board-level Schematic Diagram, and microscope.
On the EAC.gov map zoomed in for Virginia, we see Prince William in RED.
What matters here is that the county did not send in any notice to the EAC of a self-certification for using WI-FI or cellular, etc. I asked Dan if jurisdictions are required to report into the EAC, in the question below,
EB, [9/30/2023 9:25 PM]
But if a state does not self-certify there is likely no penalty. In other words, they may get a slap but really EAC is not regulatory so if they use one of the connectivity functions without notifying EAC then they can do it, it seems. Just trying to get the lay of the land better.
Dan Sundin, [9/30/2023 10:20 PM]
Some jurisdictions do report, most don’t have the skill-set to be doing that. So it is a what-ever thingy.
Then we noticed on the EAC.gov map for Virginia, we see Prince William in RED, but if you hover on our county the website says ‘Hart Verity 2.0’ which is a version used a long time ago. This is the same for all the counties using Hart, so it could be that Virginia stopped notifying the EAC about what they were using. We asked the EAC and they responded,
Hello,
Thank you for your inquiry. Within the Map of EAC Certified Voting System by County on the EAC website, the counties in red contain an EAC certified voting system and the counties in white do not contain an EAC certified system. This does not mean that they do not contain certified systems, as many of these states require a state certification and perform their own testing. The EAC does not track state certified systems, so they will not be represented within our map. Within our records, Verity 2.0 is the latest EAC certified system that was provided to Prince Williams County. It should be noted that the EAC relies on manufacturers, and occasionally jurisdictions, to provide information on what systems are being fielded.
Thank you kindly,
Jonathan Le | Senior Election Technology Specialist, Testing and Certification
U.S. Election Assistance Commission
633 3rd Street NW, Suite 200 | Washington, DC 20001
Even if this map was updated, it does not mean wireless or cellular communication does not exist in any system. The EAC did not test for this, and they are silent on the matter. This is up to Virginia to test. We have been unable to ascertain what Virginia’s test includes.
Note that both the EAC and Virginia DID certify the Hart Verity Central, used to scan and tabulate the absentee ballots. The purchase order from Hart for the Central high-speed scanner, only states “Workstation for Verity software w/ 5-year warranty” but it does not specify which EAC certified workstation model was chosen. It could any one of three; HP Z4 G4 Workstation, HP Z230 or Z240 Workstations. Only after attending the Logic and Accuracy of the high-speed scanner did we find that the find the model used is the HP Z4 G4 Workstation. This workstation has multiple storage types internally, connects to the internet, and unless you reformat the drives, it’s nearly impossible to identify hidden processes. It also has many ways to connect to Wi-Fi, even if the Wi-Fi card is removed, and it will try to connect to a network. The workstation could also easily connect to an ‘evil twin’ or bad actor modem to send or receive information. The Verity Central software, used for absentee ballot tabulation, is loaded on this workstation.
The Hart Verity Central system also has the 8-port Ethernet Switch 1405-8GV3 included in its certification paperwork, but this may or may not be used by Prince William. Again, a hard copy tabulation report of vote tallies is generated in Prince William County, and the opportunity exists for the public to view this to be sure it matches the data found on ELECTs website. This verification opportunity must not be overlooked by the public. The numbers do not always match and must be corrected.
The same Hart Verity Central purchase order calls out a Canon DR-G2140 Central Scanner , but you have to check the EAC certification for the exact model permitted. This has USB and ethernet connectivity. We can only assume this connectivity is never used. This device scans the ballots and creates the images from which tabulation is done by the software on the HP Z4 G4 Workstation.
Further, Dan recommends verifying the firmware and driver installed on the canon ballot scanner are what is certified.
Dan Sundin, [10/1/2023 10:39 AM]
Regarding the Canon DR-G2140, it is important to verify that the EAC.gov certified versions of Drivers (running at the Windows 10 PRO level) are the ones certified. The same goes for the Firmware downloaded into the DR-G2140.
With the audit conducted on Dominion systems, we found that multiple different of either the Firmware(s) and/or Driver(s) were being employed, against the EAC Certification requirement.
Hart Verity Scan also shows the following diagram in its EAC certification, below.
Prince William County uses the vDrive method in the red oval above, and not Relay shown in the blue oval. However, according to Dan Sandin, Relay can be initiated without buying the separate LTE modem called out in the EAC certification.
Dan Sundin, [9/29/2023 12:35 PM]
This can be much other than a Cellular Modem. WiFi is a secondary feature, which is required for an Electronic Poll Book platform to function. Relay can function via both connection vehicles. I’ll ask my contact in Tarrant County about both.
Also notable is that the DemTech pollbook was certified by Virginia without using Test Case T00048, to verify the pollbook system would not interfere with a ballot scanner. They stated no voting system was available even though the test was done in Loudoun County Office of Elections.
Reference: DEMTECH Electronic Pollbook Certification, 4.48 Test Case Identifier: T0048: Voting System Not Required, page 1
The Commonwealth of Virginia 2019 EPB Test Cases and Virginia Electronic PollBook final standards 2020 require the Test Case T0048 to verify that the EPB cannot connect to the voting system. Neither the State Board of Elections nor DemTech provided pollbook connectivity functions as required, and we do not know who allowed the waiver.
Another Virginia colleague points to the following additional areas of concern.
There are two problems with verification of the security of these systems. Supply chain of components preventing individual motherboard chips getting replaced with Wi-Fi capable ones, unknown to the vendor. Second is we don’t get actual operating system logs or physical access logs.
So the answer to the question “Do our voting systems have wireless ability?” is MAYBE. This is not a very comforting answer since our precious ballots go through these machines to be counted!
To be continued….(sorry to make your head spin!)