Election Crime Bureau

Made possible by the Lindell Offense Fund

Smartmatic-Sequoia Trusted Build Deployment Risks

On June 1, 2007, Venezuelan representatives of Smartmatic reached out to Sequoia representatives to provide guidance on how to deploy a “certified trusted image” of its election system onto Sequoia systems. It is a single email, but it tells a very interesting story if you know what to look for.

For starters, please note that Smartmatic acquired Sequoia on March 8, 2005 and remained its owner until November 2007. At that time, a group of U.S.-based investors organized as SVS Holdings, Inc., led by Sequoia President & CEO Jack Blaine and Chief Financial Officer Peter McManemy, purchased Sequoia in the wake of a 2006 CFIUS investigation into foreign ownership of a U.S. election system company. Dominion Voting Systems later acquired Sequoia in 2010.

The email indicates close technical coordination between Smartmatic technical representatives in Venezuela and U.S.-based Sequoia technical representatives. It also indicates that the certified build flowed from Smartmatic to Sequoia and not the other way around. This indicates that Venezuela was the source of the software that was to be used in the conduct of U.S. elections. These assets were subsequently owned and likely deployed by Dominion Voting Systems in support of U.S. elections. This is the first and most significant security concern evident from this email. There are many others.

Based on the provided email regarding the “Steps to load an Edge2Plus app,” several significant election security implications related to the maintenance and software updating of voting machines are evident:
 
Physical Access and Hardware Vulnerability
 
The procedure requires direct physical access to the internal components of the voting machine. To perform the update, an individual must “physically open the E2P by removing the white cover on top” using a physical key. Furthermore, the process involves direct interaction with the machine’s motherboard, as the operator must “carefully remove CF [Compact Flash card] from the E2Ps motherboard”. This implies that security relies heavily on the physical control of the keys and the machine itself; if a bad actor obtained the key, they would have direct access to the machine’s storage media.
Risks Associated with External Devices and “Trusted” Computers
 
The instructions create a bridge between the voting machine and external systems. The process mandates that the operator “insert the CF just removed from the E2P into a trusted computer”. This step introduces specific security risks:
  • Malware Propagation: By removing the storage media from the voting machine and connecting it to a general-purpose computer (even one designated as “trusted”), there is a risk that malware or viruses from the computer could infect the CF card before it is returned to the voting machine.
  • Dependency on External Security: The integrity of the voting machine software becomes dependent on the security posture of the “trusted computer” used to perform the file transfer.
Manual File Manipulation and Human Error
 
The update process described is manual rather than automated, increasing the potential for human error or inconsistent software states.
  • Manual Deletion: The operator is instructed to “select all files on the CF” (ensuring hidden files are shown) and “delete all files selected”. The email explicitly warns “DO NOT FORMAT THE CF”. A mistake in this step—such as formatting the card or failing to delete specific files—could corrupt the storage media or the operating system.
  • Manual Copying: The installation involves copying files from a compressed archive (“E2P WinXP Image V1.2.33.rar”) and pasting them directly onto the CF card. This manual “drag-and-drop” method lacks the automated verification checks (such as hashing or cryptographic signing verification during the install process) that are typically present in modern automated firmware installers.
Software Integrity and Chain of Custody
 
The email states the goal is to load the app from a “certified trusted image”. While the source image is described as “certified,” the mechanism of delivery involves a 137 MB .rar file that the sender notes was not attached due to size. The reliance on a file sent separately (presumably via internet transfer or removable media) necessitates strict chain-of-custody protocols to ensure the .rar file was not tampered with between the sender (Smartmatic Labs) and the recipient.
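The two preceding points, the absence of any hash or signature check during the manual copy and the unprotected delivery of the image archive, both come down to the same missing step: verifying what was received against what the build authority actually released before anything is written to the card. The script below is an added illustration of that step; it is not code from the email, Smartmatic, Sequoia or Dominion. It assumes a constructed image file (a stand-in for the 137 MB .rar), a constructed JSON manifest format, and a shared HMAC key that stands in for the sender's signing key; a real release process would use a detached digital signature from the build authority in place of the HMAC tag, but the receiver's flow (authenticate the manifest, then check size and SHA-256 of the archive, then copy, and record the attempt either way) is the same.

```python
"""Integrity gate for a software image before it is copied to removable media.

Added example, not from the email or any vendor: the manifest format, file
names and HMAC key below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read large archives in 1 MiB pieces


def sha256_file(path: Path) -> str:
    """Chunked SHA-256 so a 137 MB archive never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(image: Path, version: str, key: bytes) -> bytes:
    """Sender side: record size and digest of the release, then authenticate
    the record. HMAC with a shared key is a stand-in (assumption) for the
    detached digital signature a real build authority would publish."""
    body = {"file": image.name, "version": version,
            "size": image.stat().st_size, "sha256": sha256_file(image)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "tag": tag}).encode()


def verify_manifest(blob: bytes, key: bytes) -> dict:
    """Receiver side: refuse the manifest unless its tag checks out."""
    doc = json.loads(blob)
    payload = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("manifest tag mismatch: manifest altered or wrong key")
    return doc["manifest"]


def verify_image(image: Path, manifest: dict) -> None:
    """Compare the file actually received with what the manifest promises."""
    if image.name != manifest["file"]:
        raise ValueError(f"file name mismatch: {image.name} != {manifest['file']}")
    if image.stat().st_size != manifest["size"]:
        raise ValueError("size mismatch: archive truncated or padded")
    actual = sha256_file(image)
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise ValueError(f"sha256 mismatch: expected {manifest['sha256']}, got {actual}")


def stage_image(image: Path, manifest_blob: bytes, key: bytes,
                media_dir: Path, audit_log: Path, operator: str) -> dict:
    """Copy the image onto the media only after both checks pass, and append
    one JSON line to the custody log either way so every attempt is on record."""
    record = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
              "operator": operator, "file": image.name}
    try:
        manifest = verify_manifest(manifest_blob, key)
        verify_image(image, manifest)
        shutil.copy2(image, media_dir / image.name)
        record.update(result="staged", version=manifest["version"],
                      sha256=manifest["sha256"])
    except (ValueError, KeyError, OSError) as exc:
        record.update(result="rejected", reason=str(exc))
    with open(audit_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def demo() -> dict:
    """Constructed walk-through: a fake image archive is staged once intact and
    once after a single bit has been altered in transit."""
    work = Path(tempfile.mkdtemp())
    image = work / "E2P_image_v1.2.33.rar"      # constructed stand-in file name
    image.write_bytes(bytes(range(256)) * 4096)  # 1 MiB of deterministic filler
    key = b"constructed-demo-key-not-for-production"
    manifest = make_manifest(image, "1.2.33", key)
    media, log = work / "cf_card", work / "custody.log"
    media.mkdir()
    clean = stage_image(image, manifest, key, media, log, "operator-A")
    data = bytearray(image.read_bytes())
    data[123456] ^= 0x01  # flip one bit, as corruption or tampering would
    image.write_bytes(bytes(data))
    tampered = stage_image(image, manifest, key, media, log, "operator-B")
    return {"clean": clean, "tampered": tampered,
            "log_lines": log.read_text().count("\n")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any real deployment: the manifest is authenticated before its digest is trusted, because an attacker who can alter the archive in transit can just as easily alter an unauthenticated hash file travelling beside it; and the custody log is written on rejection as well as success, which is the auditable record the email's procedure never produces.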
 
Operational State Requirements
 
Finally, the instructions highlight the importance of the machine’s operational state, requiring the operator to “make sure Polls are closed in the E2P” before turning the machine back on. This implies that performing these maintenance steps while an election is effectively “open” on the machine could jeopardize vote data or tabulations.

Conclusion

The 2007 Smartmatic procedure for loading software onto the Edge2Plus device is fundamentally insecure by design. The 18-step manual process is susceptible to critical failures from human error, lacks any digital integrity verification, and operates without creating an auditable record. Its security rests on ambiguous terms like “trusted,” which are left undefined and are therefore unenforceable.
 
The core conclusion of this analysis is that the procedure systematically replaces robust, verifiable security controls with a fragile and opaque reliance on human trust. It demands faith in the infallibility and honesty of operators, the security of unknown computers, and the integrity of a software supply chain that is not secured by technical means. Such a system is ill-suited for critical infrastructure like a public voting system, as it fails to provide the verifiability and transparency necessary to guarantee election integrity and maintain public confidence.