Keep Factually independent
Whether you agree or disagree with our analysis, these conversations matter for democracy. We don't take money from political groups - even a $5 donation helps us keep it that way.
How do ES&S Voting Machines compare to other voting systems in terms of security?
Executive Summary
ES&S machines present a mixed record: the company documents extensive built-in safeguards—secure boot, application allowlisting, encryption, audit logs, and paper vote records—while independent assessments and past vulnerability reports identify serious weaknesses that have appeared in similar vendors’ systems and in older ES&S deployments. Assessing how ES&S compares to other systems requires weighing manufacturer claims and recent product certifications against independent vulnerability reports, academic analyses of other vendors, and the broader challenges in auditing and operational implementation that ultimately determine whether security features succeed in practice [1] [2] [3] [4] [5].
1. Why ES&S’s security claims sound strong — and what they actually cover
ES&S public materials emphasize a three-part security philosophy—design, testing, implementation—backed by secure-hardware features such as pick‑resistant keylocks and tamper‑evident seals, and software controls like secure boot, application allowlisting, encrypted cards, and detailed audit logs; newer models also produce a verifiable paper record to enable post‑election audits [1] [2] [3]. These manufacturer documents indicate compliance with voluntary federal guidance and independent laboratory certification processes, which are important baselines for security. However, vendor documentation describes intended controls and test results rather than field performance under adversarial conditions. Certification and vendor testing do not guarantee absence of exploitable flaws; real-world security depends on configuration, patch management, chain-of-custody, and whether jurisdictions run rigorous audits and operational controls alongside the equipment [1] [3].
2. What independent technical reviews reveal about ES&S’s historical vulnerabilities
A 2016 vulnerability assessment of ES&S Unity 3.4.1.0 reported dozens to hundreds of misconfigurations, missing patches, weak root password hashes, physical lock weaknesses, and unencrypted storage on devices like the DS200 and DS850—issues that could allow local attackers to modify files, alter ballot images, or bypass protections if physical access were obtained [4]. That report shows concrete, exploitable weaknesses in deployed ES&S systems at that time, emphasizing how device hardening, patching, and physical security are critical. ES&S product claims of improved controls in later models (e.g., DS300, ExpressVote 3) address many architectural defenses, but the historical findings underline that vendor upgrades must be paired with persistent operational discipline in jurisdictions to realize security gains [4] [2] [3].
3. How ES&S compares to recent findings on other vendors — lessons from Dominion analyses
Independent security analyses of other major vendors reveal serious problems that mirror systemic industry risks rather than isolated vendor failures. For example, a 2023 analysis of Dominion’s ImageCast X reported vulnerabilities enabling malware installation and password bypasses, and academic work showed ballot randomization flaws that could compromise secrecy if unchecked [5] [6]. These reports demonstrate that structural weaknesses in software engineering, randomness, and update practices can affect multiple vendors. By comparison, ES&S has both public claims of modern protections and prior independent findings of misconfigurations; the broader takeaway is that no leading vendor is categorically immune, and comparative security often depends more on deployment practices, patching cadence, and audit regimes than on vendor marketing alone [5] [6] [4].
4. Audits and paper records: the real arbiter of trust beyond vendor features
ES&S’s support for verifiable paper vote records and exportable audit logs is a critical strength only when jurisdictions use risk‑limiting audits (RLAs) or robust post‑election procedures; academic reviews of auditing practices show substantial gaps in standardization, data availability, and operational adoption that limit audits’ effectiveness [1] [3] [7]. The industry trend toward RLA compatibility and paper trails improves resilience across vendors, but the security dividend accrues only when election officials implement audits rigorously and maintain chain-of-custody, data integrity, and transparent reporting. Weak or inconsistent auditing in any jurisdiction magnifies the impact of device vulnerabilities regardless of vendor claims [7].
5. Bottom line: apples-to-apples comparison requires jurisdictional context
Comparing ES&S to other systems cannot rely solely on product specs or single audits; it requires combining vendor documentation, independent technical reviews, and the operational practices of jurisdictions. ES&S offers modern technical controls and paper‑based auditing support that align with current federal guidance, yet historical independent assessments show serious operational vulnerabilities that echo problems found at other vendors like Dominion. Therefore, ES&S is neither clearly superior nor uniquely deficient—security outcomes depend on certification recency, whether known vulnerabilities have been remediated, and whether election officials implement strong physical security, patch management, and post‑election audits [1] [2] [3] [4] [5].