• Cast ballots, ballot definition files, and audit logs could be modified; • Supervisor functions were protected with weak or easily guessed passwords; • Systems had easily picked locks and power switches that were exposed and unprotected; • Local jurisdictions misconfigured their electronic voting systems, leading to election day problems; • Voting systems experienced operational failures during elections; • Vendors installed uncertified software; • Some electronic voting systems did not encrypt cast ballots or system audit logs, and it was possible to alter both without being detected; • It was possible to alter the files that define how a ballot looks and works so that the votes for one candidate could be recorded for a different candidate.
*******************
HARRY HURSTI, BLACK BOX REPORT Security Alert: July 4, 2005 Critical Security Issues with Diebold Optical Scan Design (1.94w), 2005, http://www.blackboxvoting.org/BBVtsxstudy.pdf Some of the key findings include:
With this design, the functionality – the critical element to be certified during the certification process -- can be modified every time an election is prepared. Functionality is downloaded separately into each and every machine, via memory card, for every election. With this design, there is no way to verify that the certified or even standard functionality is maintained from one voting machine to the next.
Paper trail falsification – Ability to modify the election results reports so that they do not match the actual vote data 1.1) Production of false optical scan reports to facilitate checks and balances (matching the optical scan report to the central tabulator report), in order to conceal attacks like redistribution of the votes or Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)
Removal of information about pre-loaded votes 2.1) Ability to hide pre-loaded votes 2.2) Ability to hide a pre-arranged integer overflow
The exploits demonstrated in the false optical scan machine reports ("poll tapes") shown on page 16 do not change the votes, only the report of the votes. When combined with the Trojan horse attack demonstrated by Dr. Thompson, this attack vector maintains an illusion of integrity by producing false reports to match the contaminated central tabulator report. The exploit demonstrated in the poll tape with a true report containing false votes, shown on page 18, changes the votes but not the report. This example pre-stuffs the ballot box in such a way as to produce an integer overflow. In this exploit, a small number of votes is loaded for one candidate, offset by a large number of votes for the opposing candidate such that the sum of the numbers, because of the overflow, will be zero. The large number is designed to trigger an integer overflow such that after a certain number of votes is received it will flip the vote counter over to begin counting from zero for that candidate.
*******************
RABA TECHNOLOGIES, Trusted Agent Report: Diebold AccuVote-TS Voting System (report prepared for Department of Legislative Services, Maryland General Assembly, Annapolis, Md., January 2004). http://www.raba.com/press/TA_Report_AccuVote.pdf
The general lack of security awareness, as reflected in the Diebold code, is a valid and troubling revelation. In addition, it is not evident that widely accepted standards of software development were followed.
Knowing the password, a smart card can be replicated, and the voter can vote multiple times. RABA was able to guess the passwords quickly, and access each card's contents (Supervisor Card, Voter Card, and Security Key Card). Given access to the cards' contents it became an easy matter to duplicate them, to change a voter card to a supervisor card (and vice versa) and to reinitialize a voter card so that it could be used to vote multiple times.
The use of hardcoded passwords is surprising both as an inferior design principle and in light of them being published openly in the Hopkins report. It must be assumed these passwords are well known.
The contents of these cards are neither encrypted nor digitally signed. Thus, for example, the PIN associated with a Supervisor Card23 can be read directly from the card – provided the password is known. This means creating Supervisor Cards is a simple task: a perpetrator could program his card with an arbitrary PIN that the AccuVote-TS would readily accept.
It is reasonable to assume that a working key to the AccuVote hardware is available to an attacker. The hardware consists of a touch-screen voting terminal with two locked bays. Maryland has ordered approximately 16,000 AccuVote-TS terminals each equipped with two locking bays and supplied with two keys accounting for 32,000 locks and keys. Surprisingly, each lock is identical and can be opened by any one of the 32,000 keys. Furthermore, team members were able to have duplicates made at local hardware stores.
One team member picked the lock in approximately 10 seconds. Individuals with no experience (in picking locks) were able to pick the lock in approximately 1 minute.
A sampling of the vulnerabilities found as a result of poor physical security coupled with software that fails to use robust encryption and authentication include six methods of attack. (Not reproduced herein.)
In 2004, Rady Ananda began contributing to the Web, as part of the growing community of citizen journalists. Focusing mainly on elections, her blogs also address religious, gender, sexual and racial equality, as well as environmental issues; and are sprinkled with book and film reviews on various topics. She spent most of her working life as a legal investigator for lawfirms, and about 5 years as an editor. She currently serves as a senior editor at OpEdNews.
All material offered here is the property of Rady Ananda, copyright 2006, 2007, 2008. Permission is granted to repost, with proper attribution including the original link.
In a time of universal deceit, telling the truth is a revolutionary act. Tell the truth anyway. Sign this petition: http://www.electiondefensealliance.org/ny_levers_petition
This is an exceedingly useful resource. I hope that you will be able to update it soon with the latest NIST Draft, and then its bastard brother, the amended follow up report. And other reports as they come in.
by
Nancy Tobi (69 articles, 4 quicklinks, 0 diaries, 53 comments)
on Wednesday, January 3, 2007 at 3:24:50 PM
