Schneier on Security
A blog covering security and security technology.
« Defeating a Coin-Op Copy Machine |
| Industrial Spying »
September 14, 2006
New Diebold Vulnerability
Ed Felten and his team at Princeton have analyzed a Diebold machine:
This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.
(Executive summary. Full paper. FAQ. Video demonstration.)
Diebold has repeatedly disputed the findings then as speculation. But the Princeton study appears to demonstrate conclusively that a single malicious person could insert a virus into a machine and flip votes. The study also reveals a number of other vulnerabilities, including that voter access cards used on Diebold systems could be created inexpensively on a personal laptop computer, allowing people to vote as many times as they wish.
More news stories.
Posted on September 14, 2006 at 3:32 PM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
From one of the articles:
"I'm concerned by the fact we weren't contacted to educate these people on where our current technology stands," Mark Radke said.
What the hell does that matter? The first round of deployed machines should not be vulnerable. These aren't ATM machines. We can't fix broken elections (especially if they've been fixed).
The root of the problem is the whole evoting system we're deploying; not just the machine.
Who needs to attack the machines when the election workers forget to bring the key cards? I live in Montgomery County, where we were the beneficiaries of this form of "good government." Denial of service by stupidity.
@Gary in DC
I voted in Howard Co. in 2004. The cards were EVERYWHERE. People waiting in line were EVERYWHERE.
My terminal had no privacy; the line was crosswise behind me. It was the biggest Charlie Foxtrot I've ever seen.
It's time to call Voting Day by its real name: "Patch Tuesday".
Ah, Diebold, the company who's security architechture is based on the belief that:
"For there to be a problem here you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software … I don't believe these evil elections people exist."
So, I'm safe to assume that Diebold doesn't have locks on their doors or use passwords on their e-mail accounts since breaking into their property or e-mail is illegal and would require that evil and nefarious people exist when clearly no such people exist.
Any company who would say "For there to be a problem here you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software … I don't believe these evil elections people exist." Should by default be disqualified to work in any area pertaining to security. Diebold isn't fit to guard a mini-mart let alone our nation's democracy--and yet one also hopes their ATMs are a wee bit more secure than their voting machines...
One can only imagine that the next release of these machines will come with a few upgrades like mercury switches to set off an alarm if the boxes are tilted or flipped upside down, magnetic reeds to check if the doors have been accessed while the machine is operating, and physically lock when the machine is powered off.
Of course this wouldn’t solve the heart of the matter – but usually in such circumstances “security��? ends up being something to fix rather than something to design.
Generally it then enters the catch-up game and only waits to be defeated again next time by a bigger brain.
> It's time to call Voting Day by its real name: "Patch Tuesday".
You got coffee to come out of my nose with that one. Argh.
The only way to change this is to actually hack some of those boxes during an election.
Yes, that is probably a felony offense. But it _WILL_ illustrate to everyone that these boxes cannot be trusted without a paper trail.
And it will have to be blatant.
-4 votes for Candidate 1
2 votes for Candidate 2
n votes for Spider-Man
(where n = how many ever votes can be recorded by the machine).
If this happens at a few sites, the message will get through.
Therefore, I cannot recommend that anyone actually do this. Yeah, like that disclaimer will actually stand up in Court.
Too late, Brandioch, you're on record now. I think they can get you on conspiracy charges.
Good grief, what will it take for people to stop using these machines?
I'm thinking Brandioch is on the right track.
That is some funny stuff. Well played!
Felton had me rolling with laughter. Windows CE? On a general purpose board? The best part is Diebold's response in 2003 to an earlier exploit -- that the software had been proven "correct." Don't we all learn in undergraduate math/algorithms about the halting problem? You can't "prove" most (by which I mean everything bigger than a small asic) software correct, without going through every possible state of the machine, and this one has 4G of memory.
Somehow, some scientists and engineers have to get into government, cause lawyers just can't cut it anymore.
Word is not getting out about the risks of computer voting machines. For three years, I've been a poll worker in New York City, where we use aging mechanical voting machines. When we discuss the need for new machines, I mention that, as a computer programmer, I don't trust computer voting systems because it is easy to make computers fail. All I get is blank looks -- from the same people who tell me of their troubles with home computers.
You can help by working at the polls on election day. It's hard - 15 hours sitting in a chair - but it's essential that a broad cross-section of citizens do it. A person is the best security system.
The video on the princeton site is compelling. This pisses me off. The fix is a VVPT (voter verified paper trail) along with an audit. But they claim that printers are not robust enough. But the damn machine HAS a printer!!!
Better locks, better software, signed software downloads, etc. just an arms race against an unknown. Without audit, you'll never know if you've been vote-hacked or not.
There has already been an election machine that has recorded a negative vote for a candidate.
And was it really that difficult to turn dials on the mechanical voting machines or stuff ballot boxes? Every single election counts more votes than were cast. Lets get real, folks - Diebold's problems aren't any more or less insidious than any other voting systems. No matter what is counting the votes - you still have to trust a bunch of political nobodies with physical access to the systems.
Then you have the voter fraud issue that always comes up. Our system authenticates so well that every year the staunchest vote block is the dead...err...Living Impaired (they hate the term 'dead' - so non-PC). I have yet to actually see zombies voting, but somehow the recently deceased always turn out and vote 100% democrat. Yet we worry about the voting machine itself? Why bother?
So if Diebold is no more or less secure than other voting methods, why is so much money being spent to replace the old systems?
There is a solution, and it's been trotted out since the 2000 election mess. You make a paper voting trail, where you can look at what was recorded as your vote, and take that record home with you.
The Diebold spokesman is quoted in Salon: "For there to be a problem here," ... "you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software."
What amazes me is that people seem to swallow "arguments" like this. He probably just forgot to say that they make their security seals from a secret compound of lunar cheese and snake oil.
Diebold got it right with ATMs a long time ago. How could they get it so wrong with voting machines? Occam's razor would indicate that they're crappy on purpose.
"where you can look at what was recorded as your vote, and take that record home with you"
We CAN'T have a record that we can bring home (selling votes is bad).
I think the best solution is to have electronic machines print paper ballots and have those counted with an optical reader. Then we have the nice computer interface and we don't have to worry about electronic ballots -- the paper printoff is the real, actual ballot. This is different than an audit trail, which I think is too complicated of a system.
Issue a paper receipt to each voter with a unique number on it corresponding to a key that was used to digitally sign his/her vote. Keep all 200 Million votes (signatures) in a database and allow each citizen to check via the internet or phonein that his/her individual vote is registered in the database correctly. It only needs about 2% of all voters to double check their vote (i.e. verify the signature) in order to expose manipulations.
Internet or phone banking works the same way. You can verify your actions (withdrawing, depositing or transferring money) online. Having your vote manipulated is just as bad as having your bank account manipulated!
The idea is to create a double ledger accounting system of votes where everyone involved in the voting or counting process has to account for and can check the balances in his/her account.
I'm not an expert, but there must be a way to sign, seal and deliver every vote so that the process can be reconstructed, verfied and audited all the way up the final result in the same way that bank accounts can be traced and audited!
Diebold bought the company that made the voting machines ("Global Election Systems") in 2001 and operates it as a separate subsidiary ("Diebold Election Systems"). There's probably no technology connection at all between the ATMs and the voting machines.
Nothing new here.
@dude, @al: Follow the money. ATMs are operated by banks who lose money when ATMs screw up, therefore they are operated in a fashion to minimize/prevent the losses.
Voting machines are operated by amateurs who change every year/couple of years, tracking nebulous abstractions (does a vote have mass?), and the flaws may actually benefit the guy in charge (and thats assuming no active collusion or intentional fraud on their part).
Votematic (the punch cards and stylus) was the most securable system ever invented for this; the electronic vote gathering UI is a giant leap backwards for mankind.
swiss connection, the argument against being able to verify your vote after you get home is that it then becomes possible for someone who buys or coerces your vote to insist that you verify it for them.
The problem of vote verification has been well studied. There are (somewhat complicated) ways to set things up so that you can make sure your vote was counted correctly, without being able to prove it to anybody else. That's what it would take to address the issue of vote buying. But that is not the problem that most badly needs to be addressed.
@DBH - You're right. "Printers not robust enough"? Give me a freaking break. How long do the printers in ATMs last? Considering the voting record in this country, those get far, far more use than the printer on a voting machine.
"For there to be a problem here you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software … I don't believe these evil elections people exist."
This is either the most misleading OR most naive statement I've ever read.
Diebold...(and other e-voting machine vendors)...do you REALLY THINK that EVERYONE can resist the temptation to change election results?
We're talking about the power to CHANGE THE FUTURE here...
To determine direction for policy, economic decisions, military decisions...and so on, and so forth.
Not protecting every single vote with a verifiable paper trail is, in my mind, absolutely un-American.
From the string of comments, folks just don't get it.
An electronic system is inherently less transparent, more complex and corrupted by a smaller conspiracy than simple paper ballots.
To corrupt a well run system of paper ballots, you have to take over multiple local beauracracies.
Example: Chile in the '80's was run by a fairly harsh junta. Pinochet decided to put his continued dictatorship up for referendum -- he was under the illusion that he was very popular. In order to legitimize it, he used the traditional Chilean voting system. Paper ballots, representatives of all parties at each precinct, watching each step together and counting all votes together. He lost, and was forced to surrender power.
Can you imagine that occurring with an electronic system, where no one can see the ballot box, no one can see the counting, the data then gets up loaded to databases for summing, which once again is non-transparent? Where every step of the way data is being destroyed.
By the way, Chile can get national results in a few hours with the old-fashioned system.
Back To Paper!
what about Chaum proposal and Vora's protocol of Chaum proposal? Has anyone seen any real study or implementation? I'm writing an essay on these electronic voting systems and here in europe the problem is quite huge (maybe trying to copy Diebold machines?)
Why bother with computer voting in the first place?
What advantage does it have?
Save labor? Not an advantage in my opinion. We would be better off having MORE people directly involved in the democratic process, not fewer. School kids could count votes, it's not complicated, and then they would experience democracy hands-on. They and their parents would probably get a kick out of it.
Faster results? Election results are already fast enough that east-coast results may be affecting west-coast voting. Is that a good thing?
Spiffy looking gee-whiz high tech? Maybe we could have designer ballots or something if it's looks you care about.
1) unfortunately noone will ever ask us if we prefer paper vote or else: we should face a problem we never wanted.
2) electronic voting machines were the ideal translation of lever machines and this happened in the 60ies, then after 1999 some more sophisticated systems (read VOI and SERVE systems before) were developed for american citizens living abroad: this should be the target.
3) given the all above we should consider this as a great security (read "democracy") problem.
Voting is treated by the public [officials] as an engineering problem, not a security problem.
I omitted one logical step.
Engineering anything does lead to security in some way. IMHO.
If you think their ATMs work well then perhaps you should talk to somebody whom fixes them for a living and rid yourself of your delusion. Do you really think that a machine which fails to be able to count bills each time the temperature drops below 20F (in a place where temperatures of 5F used to be common during the winter at night) is reliable? Perhaps it is in at least one way: it fails reasonably predicably (for that one and only that one machine). The only thing most ATMs have going for them is that if something inside stops working right the whole machine often refuses to continue to work until a technician comes and shakes the sand out of its brain.
You seem to have been talking about the concept of a "Chain of Custody"--most people in the USA whom know about this probably only do because of a CSI episode. This technique has long been used by traditional vote-counting systems in the USA, and is no more or less reliable than its law enforcement counterpart from what I've been able to gather. In any case, the best chain of custody systems out there are likely the simplest: no computer involved.
Actually lately it seems to have been treated as a Social Engineering problem. (Just ask the man in NH whom asked and paid a telemarketing firm to DoS a call center providing rides to voting centers for the elderly and those whom were otherwise unable to travel without help.)
Mickey Mouse actually gets a rather significant portion of the vote in most elections in the USA.
The post by Al Lang at September 15, 2006 06:29 AM is dead-on correct. The voting machines operate in a vacuum from the rest of the company, at least as far as engineering and programming go.
A correction (that won't be seen in this avalanche of comments): I don't believe Felten's team has discovered any previously unknown vulnerabilities. They did undoubtedly confirm ones that were speculated and have actual exploit code and virial proof-of-concepts.
How would a verification system like the one you suggest prevent voters from creating a slew of false positives? If a bunch of "voting terrorists" lied to the verification system, authorities could declare the vote flawed. The system would significantly increase the population of potential attackers.
This suggestion is akin to auditing by agreeing numbers on two photocopies. Even if the voter "verified" the printer output (see above problem), the malicious code could still insert additional records with matching printed lines.
"Even if the voter "verified" the printer output (see above problem), the malicious code could still insert additional records with matching printed lines."
YES!! That is why the verification of paper "through the window" doesn't work either. There is always the invisible electronic ballot. The solution to this is to make the printout the official ballot. That is what we count. The consistent printouts will make optical counting quick and accurate.
If a machine is tampered with, then it will be detected if only one person reads their final election ballot (printout) and sees the change. The machines would be optional, and used as a convenient way to fill out ballots. The alternative would be to fill out an identical optical ballot with a #2 pencil. Either way, the ballots all look the same and etampering is not a problem.
--"What advantage does it have?"
It does actually have a couple, although nowhere near enough (IMNSHO) to outweigh the disadvantages.
Fast results (hey, we're 'merkans, we want it and we want it yesterday).
Interface. This is the main thing they've tried to present in the legal side of things, ie. HAVA. Computerized ballots makes it easy for all polling stations to be able cope with multiple languages (download the ballots instead of print out a bunch of extras that may never get used) and have interfaces for disabled voters (ie. blind people).
Of course, as far as I can tell, none of the second have come into much fruition for the most part. There's some minimal ADA compliance, but that's about it.
The negatives are much, much more extensive.
At least... until you ask one pertinent question. Advantageous to whom?
Put some serious thought into who benefits most from a voting process that is unauditable and unverifiable, and who would lose most from admitting that this is what we're getting. Makes the actions of the vendors, the election officials, and the politicians ever so much more sensible.
Not to mention who's getting paid (at what kind of markups?) and who's footing the bill.
And as far as Diebold and their ATMs, this is the product that got hit by a few Windows worms not long ago. Despite being a seperate unit, they don't strike me as particularly security focused either. The main reason they work at all in this arena is the accounting processes of the banks. Since they can look at and analyze the full logs the banks can at least see the fraud happening.
Of course, you can't rely on after-the-fact accounting to prevent fraud in a secret ballot, but they don't seem to be able to understand that.
Sadly, the solution to all this is simple, if they wanted to fix it. Even allows them to keep their pockets lined. Just add printers to the stupid things, use the printers to print the actual ballot, which is placed in the box and handled like the old fashioned paper ones. Gets you the interface toys and rapid pre-results (it'd be stupid to use the computer count as the official returns, but good luck getting that across), then optical-scan the ballots for the results. And you can make them human-readable for hand-counts.
Since this is a) simple, b) obvious, c) has been explained reatedly at great length and d) wouldn't hurt their bottom line (the opposite, in fact), you have to wonder what kind of agenda these companies really have.
@Nancy Lebovitz and McGavin
I'm not convinced by the secret ballot arguments. The two basic arguments are vote buying and intimidation. Both fail, in my opinion, because the secret ballot allows the same things, only now you have to buy/blackmail/intimidate less people -- the counters.
In a district of 2000 people, you would have to buy/intimidate/convince half the people, 1000 of them. In reality, lets say you really only need to swing the vote of a quarter (500), the others are convinced by your plans.
Now compare that 500 to the 50 (perhaps) that you need to buy in order to rig the election by getting them to modify or "lose", or otherwise change the count. (Hanging chads anyone?). And as the districts get larger, the cost/benefit tradeoff gets better.
IMNSHO, secret ballots make it easier to rig an election, not harder. Paper ballots are better then electronic, but ultimately suffer the same flaw -- who's counting?
Bring in your vote receit for "Mike the Mover" and get $500 off the purchase of a certified pre-owned vehicle!!!
If "Mike the Mover" wins, we'll throw in a $50 gas card!
If your ATM vendor's machine is jamming at 20 degrees F, he should have ordered a machine with a heater. It's certainly an option with any quality ATM intended for outdoor use... maybe not the ones intended for the inside of a Qwik-E Mart, though.
When you have a paper ballot system that allows 1 representative for each candidate on the ballot to observe the opening of the obviously empty ballot box, the entire day's worth of voting and the count at the end, as well as the call to the Returning office to verify the vote total and the sealing of the box for recount purposes, where's the fail point?
- The previous is EXACTLY the system Canada uses for their federal elections.
"Don't we all learn in undergraduate math/algorithms about the halting problem? You can't "prove" most (by which I mean everything bigger than a small asic) software correct, without going through every possible state of the machine, and this one has 4G of memory."
The halting problem implies that you can't write a computer program to verify with 100% accuracy the correctness of arbitrary other computer programs. Verifying the correctness of a single, known, computer program is a totally different issue, and the halting problem does not come into play.
Knuth's quote about provably correct programs is kind of funny, though:
"Beware of bugs in the above code; I have only proved it correct, not tried it."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.