Voting Machine Analysed, Found Wanting

From the linked site:

The authors have done a security analysis of Diebold code that was downloaded from an open FTP site earlier this year. While the paper is technical, significant portions of it can be read easily by a non-computer scientist.

From the conclusion of the paper, "Analysis of an Electronic Voting System", emphasis mine:

Using publicly available source code, we performed an analysis of a voting machine. This code was apparently developed by a company that sells to states and other municipalities that use them in real elections. We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, are even greater. Based on our analysis of the development environment, including change logs and comments, we believe that an appropriate level of programming discipline for a project such as this was not maintained. In fact, there appears to have been little quality control in the process....

The model where individual vendors write proprietary code to run our elections appears to be unreliable, and if we do not change the process of designing our voting systems, we will have no confidence that our election results will reflect the will of the electorate....

And finally, the text of the Voter-Verifiable newsletter I received regarding this issue, which should appear on this page sometime (July 24, 2003):

Since I entered the fray in January, I've been constantly challenged to "prove that DREs can be hacked." My answer was usually something like the following:
"It is very hard to find out enough details about these systems to determine what security flaws they have. However, we know it is practically impossible to stop tampering by insiders. Furthermore, any system that has not been designed and thoroughly scrutinized by top-flight computer security professionals is guaranteed to have major security holes."

I believe this to be obvious to anyone with a casual acquaintance with computer security (such as me).

Now I can "prove that the machines can be hacked" by citing the following paper which just appeared on the web. Computer security researchers at Johns Hopkins and Rice Universities have inspected the Diebold code that appeared on a web site in New Zealand a few weeks ago. The report appears at: http://avirubin.com/vote.pdf

My understanding is that this analysis took about a week. Very serious security blunders were discovered in a matter of hours. While I still believe that insider attacks are the hardest to stop and potentially the most damaging, it is now clear that there are serious security holes that can be exploited by election workers and even voters. Unlike insider tampering, most of these problems could have been easily avoided had competent computer security people been involved in the system design and implementation.

For example, it appears that it is easy to make counterfeit "voter cards," which can be used to vote as often as you like. One can easily make a fake "administrator" card. Hackers could rearrange the candidate order on the ballot so that votes are credited to the wrong candidates.

We've been told by voting machine vendors, regulators, and election officials that "hacking" DREs is almost impossible because the machines are designed carefully, use cryptography, and have proprietary software; that there are stringent Federal regulations; that Independent Testing Authorities (ITAs) scrutinize every line of code; that states have exhaustive certification processes; and localities do extensive Logic and Accuracy Tests.

It's just not true. That was obvious before the report, but now it should be undeniable.

There is no reason to believe that Diebold's system is less secure than other vendors'. Their code just happened to be available. All the other vendors are implementing the same inadequate security requirements and satisfying the same inadequate reviews.

There is also no reason to assume that the worst problems have been found. The authors felt that it was important to get the information out quickly. Additional weeks or months of review might reveal even worse problems.

I hope this settles the debate on DRE security. They're not secure. There needs to be an independent audit trail.

In other related news in the newsletter, LCCR, a coalition of civil rights organizations, came out against voter-verifiable paper trails. It boggles my mind how anyone can be against more accountability in the voting process; more inappropriate technology worship I suppose. "The computer said it, how could it be wrong?"