That XKCD on voting machine software is wrong

The latest XKCD comic on voting machine software is wrong, profoundly so. It’s the sort of thing that appeals to our prejudices, but mistakes the details.

Accidents vs. attack

The biggest flaw is that the comic confuses accidents vs. intentional attack. Airplanes and elevators are designed to avoid accidental failures. If that’s the measure, then voting machine software is fine and perfectly trustworthy. Such machines are no more likely to accidentally record a wrong vote than the paper voting systems they replaced — indeed less likely. The reason we have electronic voting machines in the first place was due to the “hanging chad” problem in the Bush v. Gore election of the year 2000. After that election, a wave of new, software-based, voting machines replaced the older inaccurate paper machines.
The question is whether software voting machines can be attacked. Well, if that’s the measure, then airplanes aren’t safe at all. Security against human attack consists of the entire infrastructure outside the plane, such as TSA forcing us to take off our shoes, to trade restrictions to prevent the proliferation of Stinger missiles.
Confusing the two, accidents vs. attack, is used here because it makes the reader feel superior. We get to mock and feel superior to those stupid software engineers for not living up to what’s essentially a fictional standard of reliability.
To repeat: software is better than the mechanical machines they replaced, which is why there are so many software-based machines in the United States. The issue isn’t normal accuracy, but their robustness against a different standard, against attack — a standard which airplanes and elevators suck at.

The problems are as much hardware as software

Last year at the DEF CON hacking conference they had an “Election Hacking Village” where they hacked a number of electronic voting machines. Most of those “hacks” were against the hardware, such as soldering on a JTAG device or accessing USB ports. Other errors have been voting machines being sold on eBay whose data wasn’t wiped, allowing voter records to be recovered.
What we want to see is hardware designed more like an iPhone, where the FBI can’t decrypt a phone even when they really really want to. This requires special chips, such as secure enclaves, signed boot loaders, and so on. Only once we get the hardware right can we complain about the software being deficient.
To be fair, software problems were also found at DEF CON, like an exploit over WiFi. Though, a lot of problems are questionable whether the fault lies in the software design or the hardware design, fixable in either one. The situation is better described as the entire design being flawed, from the “requirements”,  to the high-level system “architecture”, and lastly to the actual “software” code.

It’s lack of accountability/fail-safes

We imagine the threat is that votes can be changed in the voting machine, but it’s more profound than that. The problem is that votes can be changed invisibly. The first change experts want to see is adding a paper trail, rather than fixing bugs.
Consider “recounts”. With many of today’s electronic voting machines, this is meaningless, with nothing to recount. The machine produces a number, and we have nothing else to test against whether that number is correct or false. You can press a button and do an instant recount, but it won’t tell you any other answer than the original one.
A paper trail changes this. After the software voting machine records the votes, it prints them to paper for the voter to check. This retains the features of better user-interface design than the horrible punch-hole machines of yore, and retains the feature of quick and cheap vote tabulation, so we know the results of the election quickly. But, if there’s an irregularity, there exists an independent record that we can go back, with some labor, and verify.
It’s like fail-systems in industrial systems, where we are less concerned about whether the normal systems have an error, but much more concerned about whether the fail-safe system works. It’s like how famously Otis is not the inventor of elevators, but the inventor of elevator brakes that will safely stop the car from plummeting to your death if the cable snaps.
What’s lacking in election machines therefore is not good or bad software engineering, but the failure of anybody to create fail-safes in the design, fail-safes that will work regardless of how the software works.

It’s not just voting machines

It’s actually really hard for the Russians to hack voting machines, as they have to be attacked them on a one-by-one basis. It’s hard for a mass hack that affects them all.
It’s much easier to target the back-end systems that tabulate the votes, which are more often normal computers connected to the Internet.
In addition, there are other ways that hackers can target elections. For example, the political divide in America between rural (Republican) and urban (Democrat) voters is well known. An attack against traffic lights, causing traffic jams, is enough to swing the vote slightly in the direction of rural voters. That makes a difference in places like last night’s by-election in Ohio where a House candidate won by a mere 1,700 votes.
Voting machines are important, but there’s way to much focus on them as if they are the only target to worry about.

Conclusion

The humor of this comic rests on smug superiority. But it’s wrong. It’s applying a standard (preventing accidents) against a completely different problem (stopping attackers) — software voting machines are actually better against accidents than the paper machines they replace. It’s ignoring the problems, which are often more system and hardware design than software. It ignores the solution, which isn’t to fix software bugs, but to provide an independent, auditable paper trail.


*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2018/08/that-xkcd-on-voting-machine-software-is.html