Florida E-Voting Study
Florida just recently released another study of the Diebold voting
machines. They -- and it was real security researchers like the California study, and not posers -- studied v4.6.5 of the Diebold TSx and v1.96.8 of the Diebold Optical Scan. (California studied older versions (v4.6.4 of the TSx and v1.96.6 of the Optical Scan).
The most interesting issues are (1) Diebold's apparent "find- then-patch" approach to computer security, and (2) Diebold's lousy use of cryptography.
Among the findings:
- Section 3.5. They use RSA signatures, apparently to address previously documented flaws in the literature. But their signature verification step has a problem. It computes H = signature**3 mod N, and then compares _only 160 bits of H_ with the SHA1 hash of a message. This is a natural way to implement RSA signatures if you just read a security textbook. But this approach is also insecure -- the report demonstrates how to create a 250-line Java program to forge RSA signatures over (basically) arbitrary messages of their choosing.
- Section 3.10.3. The original Hopkins report talked about the lack of crypto for network (or dialup) communications between a TSX voting machine and the back-end GEMs server. Apparently, Diebold tried to use SSL to fix the problem. The RABA report analyzed Diebold's SSL usage and found a security problem. Diebold then tried to patch their SSL implementation. This new report looks at the patched version, and finds that it is still vulnerable to a man-in-the-middle attack.
- Section 22.214.171.124. Key management. Avi Rubin has already summarized some of the highlights.
This is arguably worse than having a fixed static key in all of the machines. Because with knowledge of the machine's serial number, anyone can calculate all of the secret keys. Whereas before, someone would have needed access to the source code or the binary in the machine.
Other attacks mentioned in the report include swapping two candidate vote counters and many other vote switching attacks. The supervisor PIN is protected with weak cryptography, and once again Diebold has shown that they do not have even a basic understanding of how to apply cryptographic mechanisms.
Avi Rubin has a nice overall summary, too:
So, Diebold is doing some things better than they did before when they had absolutely no security, but they have yet to do them right. Anyone taking any of our cryptography classes at Johns Hopkins, for example, would do a better job applying cryptography. If you read the SAIT report, this theme repeats throughout.
Right. These are classic examples of problems that can arise if (1) you "roll your own" crypto and/or (2) employ "find and patch" rather than a principled approach to security.
It all makes me wonder what new problems will arise from future security patches.
The good news is that Florida has decided not to certify the TSX at this time. They may try to certify a revised version of the OS (optical scan) system.
Posted on August 6, 2007 at 6:34 AM • 42 Comments