Author: Andrew Appel

This article was originally posted at Freedom to Tinker on October 16, 2018.

The Dominion ImageCast Evolution looks like a pretty good voting machine, but it has a serious design flaw: after you mark your ballot, after you review your ballot, the voting machine can print more votes on it!. Fortunately, this design flaw has been patented by a rival company, ES&S, which sued to prevent Dominion from selling this bad design. Unfortunately, that means ES&S can still sell machines (such as their ExpressVote all-in-one) incorporating this design mistake.

When we use computers to count votes, it’s impossible to absolutely prevent a hacker from replacing the computer’s software with a vote-stealing program that deliberately miscounts the vote. Therefore (in almost all the states) we vote on paper ballots. We count the votes with optical scanners (which are very accurate when they haven’t been hacked), and to detect and correct possible fraud-by-hacking, we recount the paper ballots by hand. (This can be a full recount, or a risk-limiting audit, an inspection of a randomly selected sample of the ballots.)

Some voters are unable to mark their ballots by hand–they may have a visual impairment (they can’t see the ballot) or a motor disability (they can’t physically handle the paper). Ballot-marking devices (BMDs) are provided for those voters (and for any other voters that wish to use them); the BMDs are equipped with touchscreens, and also with audio and tactile interfaces (headphones and distinctively shaped buttons) for blind voters, and even sip-and-puff input devices for motor-impaired voters. These BMDs print out a paper ballot that can be scanned by the optical scanners and can be recounted by hand.

In a typical polling place, there are cardboard privacy screens for those voters who use a pen to fill in the the bubbles on their op-scan ballots; one BMD for voters who want machine assistance marking their ballots; and one optical scanner into which all voters deposit their ballots.

In contrast, the ImageCast Evolution is an “all-in-one” device: combination BMD and optical scanner. Most voters fill out their ballots by hand, and insert into the scanning slot. But those using the BMD feature will insert a blank ballot into the scanning slot; after they indicate their choices using the touchscreen or audio/button interface, the ImageCast Evolution will fill in the bubbles on their ballot for them.

Combining the BMD+scanner is a really bad idea! Remember, the purpose of the paper ballot is to guard against cheating by hacked voting computers. If the optical-scanners have been hacked, they lie about what’s on the paper ballots. We can detect this fraud by recounting a random sample of the paper ballots. But the ImageCast Evolution can print right onto your ballot, after you insert it into the slot. From the diagram of the paper path, above, it’s pretty clear that the same bidirectional paper path contains both the scanner and the printer. That means it can cast more votes onto your ballot. Of course, the legitimate software installed by Dominion won’t do that, but the machine is physically capable of it, and fraudulent software can exploit this ability.

When I feed my marked ballot into an optical scanner, I do not want the optical scanner to have the ability to fill in more bubbles on my ballot! The whole purpose of the paper ballots, and the human-inspection random audits, and the human-inspection recounts, is to guard against the possibility that a hacker installed cheating software into the voting machine. If the cheating software can mark my ballot, after the last time I can inspect it, then the ballot seen by the recount team is not the same as I marked it.

This appears to be an elementary security-design mistake. Security design isn’t easy! A good security designer has to be able to think adversarially, to understand the threat model, to understand how the software could subvert the hardware. In this case, the threat is:

  1. Hacker exploits a security vulnerability of the ImageCast voting machine or on the election-administration laptop computer that prepares ballot files. For example, the ImageCast has several USB ports, and USB is notoriously insecure.
  2. Hacker uses this vulnerability to install additional software on the ImageCast, that fills in additional ovals on the op-scan ballot, after the voter has inserted it for scanning. For extra credit, don’t perfectly fill in the ovals like a BMD normally would; instead, mimic the style that the voter has used with a pen. For double-extra-credit, do this only when the scanner detects that the voter has used a similar color pen to the ink-jet cartridge in the BMD’s printer. For triple-extra-credit, only fill in ovals in races where the voter hasn’t already marked a vote, this avoids overvotes that would draw attention to the paper ballot during an audit or recount.

ImageCast Evolution product brochure.

Another ImageCast Evolution product brochure

Video (click here, scroll down to ImageCast Evolution, click on the first blue square labeled “VIDEO”)

Dual Display Brochure

Dual Display Video (click here, scroll down to ImageCast Evolution, click on the second blue square labeled “VIDEO”).

Dave (Jing) Tian, Nolen Scaife, Deepak Kumar, Michael Bailey, Adam Bates, Kevin R. Butler. SoK: “Plug & Pray” Today – Understanding USB Insecurity in Versions 1 through C. 39th IEEE Symposium on Security and Privacy (Oakland ’18), May 2018.

Kevin Skoglund, personal communication, June 2018: “In August 2017, ES&S sued Dominion alleging that the ImageCast Evolution infringed on their patents. In several demos since then [in Harrisburg, PA and in Montgomery County, PA], Dominion has not featured the ICE even though it is still prominent on their website. Instead they have featured the ImageCast X which is not even listed on their website. The lawsuit appears to have been settled on June 12. Settlements are typically confidential so there will be no public documents on it.”