A team of Rochester Institute of Technology students was granted the opportunity to conduct an independent security test of the ExpressVote XL voting machine for Election Systems & Software (ES&S), the largest voting device manufacturer in the United States.
After weeks of research, the team conducted a 10-day penetration test on the ExpressVote XL voting machine. As a result of the engagement, the student researchers found zero attacks that could alter or manipulate a voter’s choices under real-world conditions at an active polling site.
Robert Gray tests the voting mechanisms on the machine. The penetration test was a “white box” test, meaning that the testers were given access to documentation and ES&S engineers to better understand how each part of the device worked.
“This is a testament to the security of this piece of our nation’s critical infrastructure and the strength of our nation’s elections,” said Chris Wlaschin, senior vice president and Chief Information Security Officer at ES&S. “The comprehensive nature of the penetration tests, the high-quality analysis conducted by the RIT team, and the actionable recommendations set forth in the report have laid the foundation for a potential long-term security testing relationship between RIT and ES&S.”
Since the 2016 and 2020 election cycles, public interest in voting security has intensified. Government and cyber experts say the potential for cyberattacks on election infrastructure continues to be a growing threat to national security.
“It’s the reason why ES&S continues to focus on the security of its voting systems and partnering with third-party researchers to ensure the resilience of election equipment,” Wlaschin said. “Every eligible voter should know that their ballot is being counted as cast.”
Ian Stroszeck, a fifth-year computing security BS/MS student, feels the same way. He has always had an interest in government, even opting to become a poll worker in Monroe County to better understand how elections are conducted. Recognizing how relevant last year’s election was to his studies, he and a team of computing security students wanted to test the security of electronic voting hardware for their undergraduate capstone project.
During the engagement, RIT student researchers tested software security and physical security, including testing tamper seals on the voting machine.
“It’s important to do this because of the current lack of public research out there,” said Stroszeck, who is from the Rochester, N.Y. suburb of Brighton. “To alter the integrity of an election you don’t even have to attack the device—you just need to create uncertainty. These companies need to be open and let the public know that they are, in good faith, striving to keep these machines as secure as possible.”
Stroszeck—along with Andrew Afonso, a fifth-year BS/MS student from Hubbardston, Mass.; Robert Gray, a fourth-year BS/MS student from Canandaigua, N.Y.; and Daniel Monteagudo, who graduated with a bachelor’s in computing security in 2021 and is from Staten Island, N.Y.—worked with RIT’s Global Cybersecurity Institute (GCI) to reach out to several manufacturers and government entities to gauge interest in security testing a voting machine. ES&S returned the call.
“I thought it was unique that a respected academic institution came to us and we saw a real opportunity for testing in New York,” said Wlaschin. “There is immense value in conducting independent testing with academia and I found the quality beyond reproach.”
ES&S interviewed the students and faculty to make sure the penetration testing program was legitimate, respected and guided by professional and ethical behavior. Wlaschin also wanted to review the testing site, located in the GCI’s Eaton Cybersecurity SAFE (Security Assessment and Forensic Examination) Lab.
The RIT team went to work creating threat models for the ExpressVote XL, a ballot marking device and tabulator designed to be accessible for all voters. It has a full face 32-inch interactive touchscreen and a scanner/printer that produces a voter-verifiable paper record. The ExpressVote XL is pending certification in New York and is already being used by voters in Pennsylvania, New Jersey, and the entire state of Delaware.
For the penetration test, the RIT students developed two scenarios where the voting machine might likely be found.
In the first attack scenario, the team envisioned that the device would be located in an unsecured storage closet. There, attackers would likely have access to the device for hours with nobody watching them.
In the second scenario, the team envisioned the device in an active polling place. Attackers in this environment would only have a few minutes alone with the device before poll workers would likely get suspicious. The device would be turned on and logging all actions.
“There was nothing we could find—in either scenario—that someone can do to change a voter’s choices in the real world,” said Stroszeck.
The students invited people to vote on the machine in a mock election in order to gather feedback on the usability and timing of voters voting on the machine. They started with physical access control testing, by looking at the tamper seals and locks on the machine. Additionally, they tested the touchscreen, storage devices, operating system, and firmware. They also attempted to modify the paper ballot to alter votes or change the count of votes.
“We really liked the device’s defense-in-depth approach and the number of safeguards in place,” Stroszeck said. “All of the restricted input points were out of reach or secured with multiple tamper seals.”
The team did identify a limited number of specific areas for improvement and offered recommendations on how to incorporate these improvements into the ExpressVote XL. These recommendations did not represent problems that could actually be exploited during an election, as they were protected by compensating controls, explained Wlaschin. The recommendations ranged from strengthening the locks and seals to improving the functionality of the software. The company plans to incorporate the student’s recommendations into its next product release.
“Some people have alleged that attackers could easily change the election results in the ExpressVote XL machine,” said Wlaschin. “The RIT team disproved this and affirmed that you are not able to manipulate the machine without detection.”
RIT’s Department of Computing Security gave the RIT students the Top Capstone Project of the Year award for their work.
In the future, researchers in the GCI want to partner with more businesses and organizations to provide security testing services for voting systems.
“It was surprising that during our research we could not find an established route through government agencies for someone to do independent testing of voting machines,” said Afonso. “The states agencies we contacted to arrange access to a machine to test did not have an established process to handle such a request. I hope that we can establish GCI as a new type of testing lab for testing the security of voting machines.”