By adding extra security measures against the over-emphasized threat posed by outsiders, one can actually increase the risk posed by insiders.
For example, today’s mobile phones often combine a processor, execution memory and tamper-resistant key storage to make sure only the manufacturer (who has the cryptographic signing keys) can update the software. These mechanisms can sometimes still be circumvented, but at least they offer a layer of security that is completely absent in the Nedap ES3B. But by adding ‘security’ in this way, the device could also resist any attempts to independent inspectors to see what code it is actually running.
UCONN University of Connecticut Security Assessment of Diebold Optical Scan system, 2006 Abstract:
We identify a number of new vulnerabilities of this system which, if exploited maliciously, can invalidate the results of an election process utilizing the terminal.
An Accu-Vote Optical Scan can be compromised with off-the-shelf equipment in a matter of minutes even if the machine has its removable memory card sealed in place. The basic attack can be applied to effect a variety of results, including entirely neutralizing one candidate so that their votes are not counted, swapping the votes of two candidates, or biasing the results by shifting some votes from one candidate to another.
Such vote tabulation corruptions can lay dormant until Election Day, thus avoiding detection through pre-election tests.
UCONN University of Connecticut Security Assessment of Diebold Touch Screen (TSx) system, 2007.
The attacks presented in this report were discovered through direct experimentation with the voting terminal and without access to any internal documentation or the source code from the manufacturer.
We present two attacks based on these vulnerabilities: one attack swap the votes of two candidates and another erases the name of one candidate from the slate.
These attacks do not require the modification of the operating system of the voting terminal, and can be launched in a matter of minutes, requiring only a computer with the capability to mount a PCMCIA card file system (a default capability in current operating systems).
Security problems are present in the system despite the fact that a cryptographic integrity check appears to be employed in the voting system’s memory card.
