
Critical security alert: Three-level security flaws found in Diebold touch-screens

By Bev Harris, Black Box Voting. Posted by Joan Brunwasser.
Black Box Voting : Latest Consumer Reports from Black Box Voting: 5-11-06: Three-level security flaws found in Diebold touch-screens

Posted by Bev Harris on Thursday, May 11, 2006 - 12:34 pm:

Due to the nature of this report it is distributed in two different
versions. Details of the attack are only in the restricted
distribution version considered to be confidential. Fewer than 50
words have been redacted in the version below.

Critical Security Alert: Diebold TSx and TS6 voting systems
by Harri Hursti
for Black Box Voting, Inc.

Note: Please refrain from speculation or public discussion of
inappropriate technical details.

This document describes several security issues with the Diebold
electronic voting terminals TSx and TS6. These touch-pad terminals are
widely used in US and Canadian elections and are among the most widely
used touch pad voting systems in North America. Several
vulnerabilities are described in this report.

One of them, however, seems to enable a malicious person to compromise
the equipment even years before actually using the exploit, possibly
leaving the voting terminal incurably compromised.

These architectural defects are not in the election-processing system
itself. However, they compromise the underlying platform and therefore
cast a serious question over the integrity of the vote. These exploits
can be used to affect the trustworthiness of the system or to
selectively disenfranchise groups of voters through denial of service.

Three-layer architecture, 3 security problems

Each can stand alone or combine for 3-layer offense in depth

As an oversimplification, the systems in question have three major
software layers: boot loader, operating system and application
program. As appropriate for current designs, the first two layers
should contain all hardware specific implementations and
modifications, while the application layer should access the hardware
- the touch pad, memory card, the network etc. - only via services and
functions provided by the operating system and therefore be
independent of the hardware design. Whether the architecture in
question follows these basic guidelines is unknown.

Based on publicly available documentation, source code excerpts and
testing performed with the system, there seem to be several backdoors
to the system which are unacceptable from a security point of view.
These backdoors exist in each of these three layers and they allow the
system to be modified in extremely flexible ways without even basic
levels of security involved.

In the worst case scenario, the architectural weaknesses incorporated
in these voting terminals allow a sophisticated attacker to develop an
"offense in depth" approach in which each compromised layer will also
become the guardian against clean-up efforts in the other layers. This
kind of deep attack is extremely persistent and it is noteworthy that
the layers can conceal the contamination very effectively should the
attacker wish that. A quite natural strategy in these types of
situations is to penetrate, modify and make everything look normal.

Well-documented viral attacks on similar systems avoid detection by
intercepting and falsifying the hash-code calculations that the higher
application levels use to verify integrity.
The three-level attack is the worst possible attack. However, each
layer can also be used to deploy a stand-alone attack. The TSx systems
examined appear to offer opportunities for the three-level attack as
well as the stand-alone attacks.

It is important to understand that these attacks are permanent in
nature, surviving through the election cycles. Therefore, the
contamination can happen at any point of the device's life cycle and
remain active and undetected from the point of contamination on
through multiple election cycles and even software upgrade cycles.
