Original Content at
https://www.opednews.com/articles/genera_bev_harr_060524_hursti_report_update.htm

May 24, 2006

Hursti Report Update today: more bad news

By Bev Harris, Black Box Voting

On May 11, 2006 the Black Box Voting "Hursti II" report was released, showing devastating security flaws in the Diebold touchscreen machines. This study has now been covered by Newsweek and the New York Times. A small supplemental report was issued today pointing out additional concerns and high priority areas for further study.

The supplemental study can be found here:
http://www.blackboxvoting.org/bbvtsxstudy-supp.pdf

Excerpts:

1. Flash memory erasure:

There seems to be a memory card-triggered feature to erase the
contents of flash memory. This destructive function was started in the
TS6 with the file [redacted], and there are indications that the
feature is carried over to the TSx with trigger file [redacted], if it
is found on the memory card. This feature was not tested in Emery
County and should be examined further.

2. Further study needed on macros:

TS6 and TSx machines have as built-in features new kinds of macro
capabilities. These capabilities make use of a simplistic Windows
Window Manager Message recording and play function. Presumably the
feature has been designed for automation of volume testing. If this is
the case it is important to understand that this approach bypasses
part of the system and therefore is by no means equal to end-to-end
testing. There are a number of concerns around this feature
functionality warranting further studies.

- The files are stored on the removable memory card as unprotected
plain-text files. There are no protection mechanisms against
modifications to these files.

- Are the WM_message filters adequate?

- Is the processing function secure against buffer overflow / boundary
overflow attacks and/or string format attacks?

- Are the message parameters passed back to Windows boundary-checked,
and is there proper exception handling in place?

Creation and access to the macros is available with poll worker level
access, under some circumstances even without any smart card
authentication.

In preliminary testing the following issues were identified:

- The macro is not contained in the user interface logic. Because of
this, the macro can access settings, changing the telephone number /
IP address and initiating calls.

- Two machines with completely identical software release numbers had
different behavior with the same macro. Machine A just had a software
crash and became unstable, while machine B produced an error message
on the system log and contained the error while still resulting in
loss of software functionalities. There were also other examples of
different, but reproducible, software behaviors between machines with
both modified and unmodified macros.

- File handle processing seems to be flawed and interrupted by
exception macro processing, producing open file handles.

- There seem to be user interface race conditions, which cannot be
triggered by human interaction with the machine, but are revealed by
no-delay playback of the human actions, i.e. unmodified macros.

(See photos in report)

3. Back door

The TS6 is likely to have an additional back door for accessing
Windows, though this could not be tested in Emery County – also it is
unknown if any of this in any form has been carried over to TSx.
Further source code analysis of the well-known "CVS.TAR" file, which
contains source code for the TS6 and has been widely used in
touch-screen system security studies, has revealed this feature.

The fact that this backdoor has not been published before underlines
the fact that source code reviews performed thus far have not been
conclusive.

The start-up program for the ballot station is looking for the
existence of [redacted] on the memory card. The file itself can be
empty, because the found file, based on the name alone, is a trigger
for alternative execution of a general purpose file management utility
program instead of the ballot station, therefore enabling access to
the operating system. This back door has also been documented in
[redacted]:

[redacted]

4. Automatic deletion of files, including election file-extension
files:

In case the memory card is full, the system will, without any
interaction with the user, start to delete files from the card to free
up memory. This deletion will also take out files with election file
extensions from the election subdirectory. There is no way to verify
which logic the system follows when choosing the files to be deleted.

5. Memory card test file merits further study:

From the publicly available documentation there is reference to memory
card testing with 16-bit "gray-code algorithm" using the file:

[redacted]

This functionality should be studied. Vulnerabilities are unknown.

6. Other file names should be examined:

The following references were found from the publicly available
documentation:

[redacted]
[redacted]

No testing was done with these files. It is unknown what, if any,
functionalities are involved.

7. Outdated OpenSSL version

The OpenSSL used in the TSx BallotStation 4.6.4 software is an
outdated version 0.9.7e, dated 25/10 1994, which is known to contain
some security vulnerabilities. At the time of writing the most
current versions are 0.9.7j and 0.9.8b.

8. Certificate will expire

The cryptographic certificate of the TSx machines examined in Emery
County has an expiration date of 1/31/2009. The
installation/replacement process for a renewed certificate was not
studied.

9. Piggyback connectors under modem

The modem is implemented on the motherboard as a piggyback module.
However, there are two sets of connectors underneath this modem built
for two different kinds of piggybacks. It is unknown what the other
piggyback modules enable.

Additional concerns and many photographs are contained in the report.
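
An added example, not part of the report or of any vendor code: one way an
auditor could detect the conditions described in excerpts 2, 3 and 4 (edited
plain-text macro files, a file whose name alone acts as a trigger, silent
deletions) is to compare a removable card against a keyed manifest taken when
the card was prepared. The file names, macro contents and key below are
constructed placeholders, and the key is assumed to be kept off the card.

```python
import hashlib
import hmac
import os
import tempfile

def file_mac(key: bytes, path: str) -> str:
    """HMAC-SHA256 of a file's contents, hex-encoded."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(key: bytes, root: str) -> dict:
    """Map each relative path under root to its MAC (run when the card is prepared)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_mac(key, full)
    return manifest

def audit_card(key: bytes, root: str, manifest: dict) -> dict:
    """Compare the card against the manifest; report unexpected, missing, modified files."""
    current = build_manifest(key, root)
    return {
        "unexpected": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in current.keys() & manifest.keys()
                           if not hmac.compare_digest(current[p], manifest[p])),
    }

def demo() -> dict:
    """Constructed sample card: one macro file altered, one empty file added, one deleted."""
    key = b"constructed-demo-key"  # assumption: held by the auditor, never stored on the card
    with tempfile.TemporaryDirectory() as card:
        os.mkdir(os.path.join(card, "election"))
        samples = {"volume_test.mac": b"CLICK 10 20\n", "election/sample.dat": b"ballot data\n"}
        for rel, data in samples.items():
            with open(os.path.join(card, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(key, card)
        with open(os.path.join(card, "volume_test.mac"), "ab") as fh:
            fh.write(b"CLICK 99 99\n")          # plain-text macro edited after sealing
        open(os.path.join(card, "trigger.placeholder"), "wb").close()  # empty file, name only
        os.remove(os.path.join(card, "election", "sample.dat"))        # silent deletion
        return audit_card(key, card, manifest)
```

Because an empty file has a valid MAC like any other, the "unexpected" list is what catches a name-only trigger file; content hashing alone would not.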

PERMISSION TO REPRINT GRANTED WITH LINK TO
http://www.blackboxvoting.org

------------------------------------------------------------

Use this link to go directly to full article:
http://www.bbvforums.org/cgi-bin/forums/show.cgi?1954/29817

Submitter: Joan Brunwasser
