Hotel minibar key opens Diebold voting machine!!!!

Freedom-to-Tinker ^ | Monday September 18, 2006 | Ed Felten

[dickmc]

Like other computer scientists who have studied Diebold voting machines, we were surprised at the apparent carelessness of Diebold’s security design. It can be hard to convey this to nonexperts, because the examples are technical. To security practitioners, the use of a fixed, unchangeable encryption key and the blind acceptance of every software update offered on removable storage are rookie mistakes; but nonexperts have trouble appreciating this. Here is an example that anybody, expert or not, can appreciate:

The access panel door on a Diebold AccuVote-TS voting machine — the door that protects the memory card that stores the votes, and is the main barrier to the injection of a virus — can be opened with a standard key that is widely available on the Internet.

On Wednesday we did a live demo for our Princeton Computer Science colleagues of the vote-stealing software described in our paper and video. Afterward, Chris Tengi, a technical staff member, asked to look at the key that came with the voting machine. He noticed an alphanumeric code printed on the key, and remarked that he had a key at home with the same code on it. The next day he brought in his key and sure enough it opened the voting machine.

This seemed like a freakish coincidence — until we learned how common these keys are.

Chris’s key was left over from a previous job, maybe fifteen years ago. He said the key had opened either a file cabinet or the access panel on an old VAX computer. A little research revealed that the exact same key is used widely in office furniture, electronic equipment, jukeboxes, and hotel minibars. It’s a standard part, and like most standard parts it’s easily purchased on the Internet. We bought several keys from an office furniture key shop — they open the voting machine too. We ordered another key on eBay from a jukebox supply shop. The keys can be purchased from many online merchants.

Using such a standard key doesn’t provide much security, but it does allow Diebold to assert that their design uses a lock and key. Experts will recognize the same problem in Diebold’s use of encryption — they can say they use encryption, but they use it in a way that neutralizes its security benefits.

The bad guys don’t care whether you use encryption; they care whether they can read and modify your data. They don’t care whether your door has a lock on it; they care whether they can get it open. The checkbox approach to security works in press releases, but it doesn’t work in the field.

*******************************************

Also, see the Princeton site at http://itpolicy.princeton.edu/voting/ for the related Security Analysis of the Diebold AccuVote-TS Voting Machine

[Ditter]

Paper ballots can be over voted by a election worker and then thrown out. The only solution is honest election judges and honest poll watchers "from our side". I plan to volunteer to be a poll watcher in the Nov. election.

[DBrow]

Sounds like it is easier to swap a carton of paper ballots than it is to have a geek pick a lock, swap a card, override the encryption by knowing what sector to change and what to change it to (keeping the CRC, tally, and parity check the same for each machine) and leave the system with no sign of tampering. This would have to be done to a number of machines and coordinated at a high level.

The article deliberately makes it seem easy to do in theory.

As for problems, sure, as long as the wrong party wins there will be howls of protest and people marching in the street burning things and lawyers plotting per diem rates. Good thing Mexico avoided that by using paper ballots! Or ask the runner-up in the Washington governor's race about paper ballots, or perhaps look at the Milwaukee primary results.

[DBrow]

Hee hee, I didn't notice that. The guy looks at the key, maybe takes notes, then shows up with an identical key many hours later. Well that's proof, and David Copperfield made an elephant disappear right on stage too.

Wonder what locksmith got bribed or what blackbag team got an urgent call!

[steve-b]

The bottom line is that electronic voting is easy to subvert -- one crack into the system allows you to change as many votes as you like, unlike paper ballots where faking a thousand votes is a thousand times as much work (and a thousand times as much risk of getting caught) as faking one vote.

It's time to forget it and use straightforward paper ballots. Getting results an hour after the polls close is a luxury; trustworthy elections are a necessity.

[silverleaf]

ROFLMAO!

[nascarnation]

beat me to it, that's the sure flag for a bogus story

[DBrow]

"electronic voting is easy to subvert -- one crack into the system"

It is not easy to subvert a closely watched data system. Even harder to do it undetectably.

If it were easy, then computer-controlled doors and gates in a prison would all be open, the Pacer system the US courts use would issue pardons, and passenger flight schedules would be made to order for hackers, and the LATimes Editorial page would have my direct input.