Page 12 of 18
The readers were hacked when they were built, “either during the manufacturing process at a factory in China, or shortly after they came off the production line.” It’s being called a “supply chain hack.”
Sophisticated stuff, and yet another demonstration that these all-computer security systems are full of risks.
BTW, what’s it worth to rig an election?
You know your industry has problems when mainstream comic strips make fun of you.
Premier Election Solutions, formerly called Diebold Election Systems, has finally admitted that a ten-year-old error has caused votes to be dropped.
It’s unclear if this error is random or systematic. If it’s random—a small percentage of all votes are dropped—then it is highly unlikely that this affected the outcome of any election. If it’s systematic—a small percentage of votes for a particular candidate are dropped—then it is much more problematic.
Ohio is trying to sue:
Ohio Secretary of State Jennifer Brunner is seeking to recover millions of dollars her state spent on the touch-screen machines and is urging the state legislature to require optical scanners statewide instead.
In a lawsuit, Brunner charged on Aug. 6 that touch-screen machines made by the former Diebold Election Systems and bought by 11 Ohio counties “produce computer stoppages” or delays and are vulnerable to “hacking, tampering and other attacks.” In all, 44 Ohio counties spent $83 million in 2006 on Diebold’s touch screens.
In other news, election officials sometimes take voting machines home for the night.
My 2004 essay: “Why Election Technology is Hard.”
This comment is absolutely correct.
It’s been a while since I’ve written about electronic voting machines, but Dan Wallach has an excellent blog post about the current line of argument from the voting machine companies and why it’s wrong.
Unsurprisingly, the vendors and their trade organization are spinning the results of these studies, as best they can, in an attempt to downplay their significance. Hopefully, legislators and election administrators are smart enough to grasp the vendors’ behavior for what it actually is and take appropriate steps to bolster our election integrity.
Until then, the bottom line is that many jurisdictions in Texas and elsewhere in the country will be using e-voting equipment this November with known security vulnerabilities, and the procedures and controls they are using will not be sufficient to either prevent or detect sophisticated attacks on their e-voting equipment. While there are procedures with the capability to detect many of these attacks (e.g., post-election auditing of voter-verified paper records), Texas has not certified such equipment for use in the state. Texas’s DREs are simply vulnerable to and undefended against attacks.
Yesterday, the Center for American Progress published its paper on identification and identification technologies: “The ID Divide: Addressing the Challenges of Identification and Authentication in American Society.” I was one of the participants in the project that created this paper, and it’s worth reading.
Among other things, the paper identifies six principles for identification systems:
From the Executive Summary:
How can these principles be honored in practice? That’s where the “due diligence” process comes into play when considering and implementing identification systems. Due diligence in the financial world of mergers and acquisitions and other important corporate transactions is conducted before a company makes a major investment. Proponents of, say, a merger (or in our case, a new identification program) can err on the side of optimism, concluding too readily that the merger (or new ID program) is clearly the way to go. Thorough due diligence protects against such over-optimism.
In the pages that follow, we apply this due diligence process to some recurring technical problems with current and proposed identification programs. And we discover—as you’ll see toward the end of the report—that ID programs that rely on “shared secrets,” such as Social Security numbers or your mother’s maiden name, are becoming more insecure due to the increased use of identification. Similarly, ID programs based on biometrics such as fingerprints or iris scans are not the “silver bullets” that some proponents claim they are, but rather could become compromised rapidly if deployed in haphazard ways.
We then apply our progressive principles and due diligence insights to two current examples of identification programs. The first details why it would be bad policy to require government-issued photo ID for in-person voting. The second shows the basically sound policy rationale for the Transportation Worker Identification Card, used for workers with access to security-critical port facilities. By examining one identification program that is reasonable, and one that is not, our analysis shows the usefulness of the Progressive Principles for Identification Systems.
I participated in the panel discussion announcing this report, along with Jim Harper (Director of Information Policy Studies at the Cato Institute).
Ohio just completed a major study of voting machines. (Here’s the report, a gigantic pdf.) And, like the California study earlier this year, they found all sorts of problems:
While some tests to compromise voting systems took higher levels of sophistication, fairly simple techniques were often successfully deployed.
“To put it in every-day terms, the tools needed to compromise an accurate vote count could be as simple as tampering with the paper audit trail connector or using a magnet and a personal digital assistant,” Brunner said.
The New York Times writes:
“It was worse than I anticipated,” the official, Secretary of State Jennifer Brunner, said of the report. “I had hoped that perhaps one system would test superior to the others.”
At polling stations, teams working on the study were able to pick locks to access memory cards and use hand-held devices to plug false vote counts into machines. At boards of election, they were able to introduce malignant software into servers.
Note the lame defense from one voting machine manufacturer:
Chris Riggall, a Premier spokesman, said hardware and software problems had been corrected in his company’s new products, which will be available for installation in 2008.
“It is important to note,” he said, “that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States.”
I guess he didn’t read the part of the report that talked about how these attacks would be undetectable. Like this one:
They found that the ES&S tabulation system and the voting machine firmware were rife with basic buffer overflow vulnerabilities that would allow an attacker to easily take control of the systems and “exercise complete control over the results reported by the entire county election system.”
They also found serious security vulnerabilities involving the magnetically switched bidirectional infrared (IrDA) port on the front of the machines and the memory devices that are used to communicate with the machine through the port. With nothing more than a magnet and an infrared-enabled Palm Pilot or cell phone they could easily read and alter a memory device that is used to perform important functions on the ES&S iVotronic touch-screen machine—such as loading the ballot definition file and programming the machine to allow a voter to cast a ballot. They could also use a Palm Pilot to emulate the memory device and hack a voting machine through the infrared port (see the picture above right).
They found that a voter or poll worker with a Palm Pilot and no more than a minute’s access to a voting machine could surreptitiously re-calibrate the touch-screen so that it would prevent voters from voting for specific candidates or cause the machine to secretly record a voter’s vote for a different candidate than the one the voter chose. Access to the screen calibration function requires no password, and the attacker’s actions, the researchers say, would be indistinguishable from the normal behavior of a voter in front of a machine or of a pollworker starting up a machine in the morning.
Elsewhere in the country, Colorado has decertified most of its electronic voting machines:
The decertification decision, which cited problems with accuracy and security, affects electronic voting machines in Denver and five other counties. A number of electronic scanners used to count ballots were also decertified.
Coffman would not comment Monday on what his findings mean for past elections, despite his conclusion that some equipment had accuracy issues.
“I can only report,” he said. “The voters in those respective counties are going to have to interpret” the results.
Coffman announced in March that he had adopted new rules for testing electronic voting machines. He required the four systems used in Colorado to apply for recertification.
The systems are manufactured by Premier Election Solutions, formerly known as Diebold Election Systems; Hart InterCivic; Sequoia Voting Systems; and Election Systems and Software. Only Premier had all its equipment pass the recertification.
California is about to give up on electronic voting machines, too. This probably didn’t help:
More than a hundred computer chips containing voting machine software were lost or stolen during transit in California this week.
News:
Electronic voting systems used throughout California still aren’t good enough to be trusted with the state’s elections, Secretary of State Debra Bowen said Saturday.
While Bowen has been putting tough restrictions and new security requirements on the use of the touch screen machines, she admitted having doubts as to whether the electronic voting systems will ever meet the standards she believes are needed in California.
I’ve written a lot on this issue.
EDITED TO ADD (12/5): Ed Felten comments.
Sidebar photo of Bruce Schneier by Joe MacInnis.