Posted on 05/10/2006 9:37:36 AM PDT by NormsRevenge
Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines.
The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.
Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways.
"This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa.
"In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat."
This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available.
A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official let the expert examine the machines.
Black Box Voting was to issue two reports today on the security hole, one of limited distribution that explains the vulnerability fully and one for public release that withholds key technical details.
The computer expert, Harri Hursti, quietly sent word of the vulnerability in March to several computer scientists who advise various states on voting systems. At least two of those scientists verified some or all of Hursti's findings. Several notified their states and requested meetings with Diebold to understand the problem.
The National Association of State Elections Directors, the nongovernmental group that issues national-level approvals for voting systems, learned of the vulnerability Tuesday and was weighing its response. States are scheduled to hold primaries in May, June and July.
"Our voting systems board is looking at this issue," said NASED Chairman Kevin Kennedy, a Wisconsin elections official.
"The states are talking among themselves and looking at plans to mitigate this."
California, Pennsylvania and Iowa are issuing emergency notices to local elections officials, generally telling them to "sequester" their Diebold touch screens and reprogram them with "trusted" software issued by the state capital. Then elections officials are to keep the machines sealed with tamper-resistant tape until Election Day.
In California, three counties — San Joaquin, Butte and Kern — plan to rely exclusively on Diebold touch screens in their polling places for the June primary.
Nine other counties, including Alameda, Los Angeles and San Diego, will use Diebold touch screens for early voting or for limited, handicapped-accessible voting in their polling places.
California elections officials told those counties Friday that the risk from the vulnerability was "low" and that any vote tampering would be revealed to voters on the paper read-out that prints when they cast their ballots, as well as to elections officials when they recount those printouts for 1 percent of their precincts after the election.
"I think the likelihood of this happening is low," said assistant Secretary of State for elections Susan Lapsley. "It assumes access and control for a lengthy period of time."
But scientists say that is not necessarily true.
Preparations could be made days or weeks beforehand, and the loading of the software could take only a minute or so once the machines are delivered to the polling places. In some cases, machines are delivered several days before an election to schools, churches, homes and other common polling places.
Scientists said Diebold appeared to have opened the hole by making it as easy as possible to upgrade the software inside its machines. The result, said Iowa's Jones, is a violation of federal voting system rules.
"All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design," he said.
Diebold makes pretty secure banking systems, yet they cannot produce an even relatively secure voting system.
The only reason I can see is that their bank customers demand security and accountability, while the government doesn't care.
North Carolina demanded to see their source before they would get certified (look for security bugs, back doors and modifications to affect valid votes). Diebold sued and got certified anyway. They've been certified in various states despite not complying with election laws and policies.
As I said earlier, North Carolina wanted to audit their software, but Diebold didn't let them, and got certified anyway.
Which, if you think about it, is exactly what a hacker would need in order to reprogram the machine.
How do hackers manage to break into Windows servers so often?
Through their attachment to the internet, one which the stand-alone voting machines do not have. These are locked, stand-alone machines. They're programmed, then locked and sealed. Every 'vulnerability' postulated so far involves getting physical access to the machine, an act that would permit a fraudulent outcome with any method of voting... that's why controlling physical access is an important part of securing every voting method.
Not at such a low level. Off the top of my head, I'd do something along these lines:
Each state election office is given a cryptographic certificate server off of a central root, every action being audited. The state election office is responsible for tracking their machines and signing all BIOS and software updates, as well as issuing smart cards to election officials with certificates on them.
The hardware of each machine has a cryptographic key and basic loader hard-burned. We use a non-BIOS machine and flash memory to hold the OS.
The OS of the machine has a cryptographic key that must authenticate with the key of the hardware. It won't boot unless the keys authenticate (like a TiVo).
At the local level, the election official uses his smart card certificate to start up the machines that he's allowed to. Everything being authenticated, the machine generates a key for this voting session and puts it on the smart card and the corresponding key in the session database.
When voting is over, the machine encrypts and signs the vote tally, signs the system using its key, and puts its keys and the session keys on the smart card. The smart card and the files are taken to the state voting authority for counting. At counting time, the vote files are authenticated against the key, and the machine keys are verified.
With the above system, we know that:
You can do even better having it networked.
We're talking about a company that has a "we don't care" attitude about the security of their machines and the validity of their counting. How do we know? Someone leaked their internal memos proving it, and Diebold sued to stop their distribution. Luckily they failed.
The vector is irrelevant to the discussion of whether access to code endangers security.
They're programmed, then locked and sealed.
Then opened back up, played with, closed and used for voting. Not good. The system, from the software up to the process, is broken.
In my county, we recently switched from paper to touch-screen. We get a paper printout of who we voted for, but election officials/monitors don't keep a copy. There is absolutely NO papertrail.
1. How do you know they "don't care." They're a business, trust me, they care.
2. How do we know? OOOWEEEOOOOH? Tinfoil hat time.
3. Of course a business will attempt to stop unsubstantiated allegations.
4. Someone leaked, etc. Please, spare me. There are, of course no Bush haters working for Diebold.
5 Luckily they failed. Luckily for who?
Nuts abound.
The memos were Diebold memos. They tried to stop the publication of the memos based on their copyright on the memos, legally admitting that the memos are authentic. So, no, there are no unsubstantiated allegations about this, only truth as said in Diebold's own words -- words they didn't want anyone to see.
5 Luckily they failed. Luckily for who?
Luckily for anyone who wants a fair election.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.