December 10, 2007 at 16:08:24


2007 Technology Tests of Computerized Voting Systems


By Rady Ananda     Page 5 of 8 page(s)

opednews.com

Despite these technical and systemic deficiencies, GEMS received approval as complying with Federal Voting System 2002 standards. Questions then arise concerning the adequacy of the 2002 and 2005 regulatory standards.

The paper concludes that the standards structurally encourage and reward election system vendors for using less exacting database design standards. 

FLORIDA: Software Review and Security Analysis of the Diebold Voting Machine Software, Security and Assurance in Information Technology (SAIT) Laboratory Florida State University, July 2007.  

The two primary systems analyzed consist of the Diebold Optical Scan, firmware version 1.96.8, and Touch Screen, firmware version 4.6.5.  We also examined the Diebold Touch Screen bootloader version 1.3.6 as well as GEMS server software version 1.18.25. 

We considered flaws in previous versions of the software for all parts of the system, including those found in the AccuBasic interpreters.   

Our analysis focuses on two attacker categories… voters and poll workers.  Attacks by elections officials and voting system vendors are largely outside the scope of this review.  We did not conduct penetration or red team testing for these systems.

Our analysis examined only those flaws previously reported in the cited literature. 

Flaws in the Optical Scan software enable an unofficial memory card to be inserted into an active terminal. Such a card can be preprogrammed to swap the electronically tabulated votes for two candidates, reroute all of a candidate’s votes to a different candidate, or tabulate votes for several candidates of choice toward a different candidate. 

Data on optical scan memory cards is neither encrypted nor authenticated, leading to many potential attacks that could manipulate vote counts on a memory card prior to or during the voting day. 

Unsupervised access allows an attacker to place the Optical Scan terminal into diagnostics mode and obtain all or most of the data on the memory card, or to reset the machine clock. 

The hand-coded RSA signature verification is insecure and can be forged. This applies to both the optical scan and touch screen systems. With technical knowledge and unsupervised access, an attacker can copy or dump the memory card contents by connecting a laptop or modem to the optical scanner. 

The system uses the same cryptographic key for multiple purposes and is tied to publicly-known machine serial numbers.  Its value is never changed after being created.  The security key cards are insecurely protected, the same as all other smart cards, which allows anyone to read all data from them. 

The public key is hard-coded into the source code. Such key-reuse is discouraged by the cryptographic community since such reuse introduces vulnerability. Supervisor PIN is not cryptographically protected. 

System configuration information is unprotected.  The “protected” counter is stored in a mutable file, and the ballot definition file is unprotected.  Since stored votes are only associated with a candidate number and not a name, the ability to create custom ballot definition files allows one to alter or switch candidate names without any record in the vote counts or electronically stored ballots. 
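The findings above (unauthenticated memory card data, and vote records that hold only candidate numbers while the ballot definition file is unprotected) can be illustrated from the defender's side with an added example, which is not code from the report or from the vendor. The field names, sample counts and key are constructed assumptions. It shows a tally bound to the exact ballot definition it was recorded under, so a swapped name mapping is detected instead of silently changing the report.

```python
import hashlib
import hmac
import json

# Constructed sample data: hypothetical field names, not the vendor's formats.
BALLOT_DEF = {"1": "Alice Adams", "2": "Bob Brown"}
COUNTS = {"1": 412, "2": 388}            # votes stored by candidate number only
KEY = b"per-election-key-(placeholder)"  # assumption: provisioned out of band


def canonical(obj):
    """Deterministic byte encoding so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(counts, ballot_def, key):
    """Bind the counts to the exact ballot definition they were cast under."""
    record = {
        "counts": counts,
        "ballot_def_sha256": hashlib.sha256(canonical(ballot_def)).hexdigest(),
    }
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def report(sealed, ballot_def, key):
    """Return {name: votes}, or raise ValueError if anything was altered."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("tally record failed authentication")
    digest = hashlib.sha256(canonical(ballot_def)).hexdigest()
    if not hmac.compare_digest(digest, sealed["record"]["ballot_def_sha256"]):
        raise ValueError("ballot definition does not match the sealed record")
    return {ballot_def[n]: v for n, v in sealed["record"]["counts"].items()}


def unauthenticated_report(counts, ballot_def):
    """The situation described above: names are looked up with no check."""
    return {ballot_def[n]: v for n, v in counts.items()}
```

The check is only as strong as the handling of the key: a key that is shared across purposes or derivable from public values, as the report describes, would undo it.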

In the Touch Screen software, flaws allow an adversary to prepare official, activated voter smart cards that would enable voters to cast multiple ballots in a ballot-stuffing attack.  Once an adversary obtained the necessary information, smart cards could be created and used in any precinct throughout a county.  Even if detected, this attack is not correctable: the malicious ballots, either in electronic or paper form, are essentially unidentifiable and thus cannot be removed. 

Memory card update file is unprotected. The file assure.ini remains unencrypted and unauthenticated and is subject to malicious manipulation.  Removal of a memory card allows an attacker to create valid voter cards. 


Copyright © 2002-2009, OpEdNews
