Diebold Voting Systems Grossly Insecure

Several well-known security researchers have examined the code for Diebold's voting machines (which we last mentioned two weeks ago) and produced an extensive report (pdf). The NYT has a story on the report, which cuts to the bone: 'Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.'

Ah-ha!

[grub]

voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal.

Were they testing these in Florida a few years ago?

Re:Ah-ha!

[Glonoinha]

Dammit, that's a bug.

Unlimited voting was supposed to be restricted to the elite voters that have insider privileges.

Expect a patch.

Re:Ah-ha!

[perdelucena]

Maybe you should try those ones. Weve been using those in Brazil for almost a a decade. Software code can be evaluated by independent institutions, and as far as I know it does not run Win32. Last elections the whole country used voting machines (no manual votes) And weve got the result (>100,000,000 in few hours).

*sigh*

[Ummagumma]

You would think, with all the qualified unemployed software engineers out there, they could at least hire a few...

Re:*sigh*

[kannibal_klown]

I take it you haven't been unemployed too recently. Fortunately, I'm still employed right now, but I can see the writing on the wall. Our department has been doing some machete-style slashing of the budget, and has been letting A LOT of IT people go (programmers and technicians). And those they let go were great at their job.

A bunch of people at work were saying the SAME THING YOU ARE. They said their skills were current, had qualifications, and were good at their job. Now, it's 3 months later and they're still outta work.

Sure, I know some people (from elsewhere) that got jobs reasonably quick, but that's because they KNEW SOMEONE on the inside, or had some high connections. I'm not being bitter, they've admitted it to me.

Some people with jobs or in school tend to think that everything is fine-and-dandy for people so long as they know their stuff and look hard. But those people are usually the first to start freaking out that they can't find jobs.

It's a cliche, but in today's market it's not what you know, but who you know.

Re:*sigh*

[stefanlasiewski]

Very good point.

In fact, Diebold laid off a good number of their QA, code integrity staff and software developers in late-2001/early-2002, when this product was under heavy development.

Flaws still unfixed after ***5 Years***

[kryzx]

Here the bit from the article that I find most interesting. To have security flaws is one thing. To not fix them even after you know about them is another.

'But Douglas W. Jones, an associate professor of computer science at the University of Iowa, said he was shocked to discover flaws cited in Mr. Rubin's paper that he had mentioned to the system's developers about five years ago as a state elections official.

'"To find that such flaws have not been corrected in half a decade is awful," Professor Jones said.'

Re:Flaws still unfixed after ***5 Years***

Let me tell you a story about Diebold.. I almost went to work for them in their North Canton, OH office in the mid-nineties. They were doing some smartcard work themselves (research) and some interested crypto projects that I thought would keep me busy. At least, that was the story I got during the interviews.

But then I talked to a low-level employee. He was worried because they kept laying off staff, then employing new people. Seems that once a project was "done" (meaning, shipped first version, wrote up your research findings, etc.) they had the nasty habit of laying off the entire team. They would literally hire a team to do a job, then fire them for each project. There was no continuity between versions of software (if there were any), and things tended to languish, while they tried to make a quick buck.

And based on what I was told, this wouldn't be the first time that one of their products was wholly insecure from the get go. Don't get me started on their ATMs piss-poor security features from that time. Things just didn't get fixed until someone got screwed.

PS. I turned down their generous offer of employment.

Well yeah!

[cspenn]

You can't expect a secure voting machine! I mean, how else can [insert current party in power] rig the next election unless the machines are grossly insecure?

What, you were expecting fairness?

You didn't read it here first

[ansak]

Anyone who's even briefly perused comp.risks, even before the post-US-Election-2000 debacle, wouldn't be the least bit surprised by these conclusions.

Scottie's Law strikes again (from Star Trek III): "The more they back up the plumbing, the easier it is to stop up the drains." The simpler the voting system (the less mechanical, electronic, electro-mechanical etc. etc.) is the less open it is to fraud (both officially and unofficially perpetrated) or error (both innocent and culpable).

One more reason I'm glad to live in Canada...

Open Source?

[chundo]

Time to start a viable open-source voting-machine project. These guys started something promising, but it looks like development has ceased. Anybody know of a decent, active open-source electronic voting system?

-j

Here's an article

[Tarindel]

that I ran across a few weeks ago: http://www.cronus.com/electionfraud

It IS interesting to note how many dollars have flowed between Diebold and the Republican party...

Wow...

[mhayenga]

Their security there sounds a lot like their security here at UT...

For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal

The vending machines here around campus (using a diebold system) were used by almost 600 students to get "free" food... In an audit they detected it... Full text here

Poor choice of words

[PontifexPrimus]

"This is an iceberg that needs to be hacked at a good bit," Mr. Neumann said, "so this is a step forward."
Isn't that a rather poor choice of words when talking about program code? And is hacking an iceberg permissible under the DMCA?

Are Diebold ATMs more secure?

[holt_rpi]

From the NYT Article:

The systems, in which voters are given computer-chip-bearing smart cards to operate the machines, could be tricked by anyone with $100 worth of computer equipment, said Adam Stubblefield, a co-author of the paper.

"With what we found, practically anyone in the country -- from a teenager on up -- could produce these smart cards that could allow someone to vote as many times as they like," Mr. Stubblefield said.

It would be interesting to see how worried Diebold is about fraudulent misrepresentation in its voting machines as opposed to its ATMs. I wonder aloud how vigilant they are (read: how much money they spend in a year) in each area.

Just from the above quote, this doesn't sound like the kind of security that any bank would tolerate. Is this a case of lawmakers awarding contracts under duress after being wowed by cool "tecknoligee" in order to avoid being the next "Florida 2000," or is Diebold simply a victim of its own success for having potentially higher standards for commerce than voting?

[sarcasm]
It almost seems like the authentication process to make this work would need something as stringent as, say, a National ID card...

Ooh, and we could use a Poll tax to pay for the equipment!
[/sarcasm]

No Surprise Here!

[mildness]

NDAs must have expired by now so...

Almost exactly 20 years ago Chase Manhattan Bank tasked my buddy Charles (?) and I to hack thier Diebold branch alarm system.

To our surprise it used a simple lookup table. The mainframe would poll a branch asking about a specific alarm. The server located at the branch would respond with a code for "OK".

THE SAME CODE EVERY TIME!

We cut the telco lines and alligator clipped our TRS-100 (way cool early laptop) and using a BASIC program did a look-up (which my partner wrote a coolie algorithm for), responded "Everything's OK Here!", and went to lunch.

After screwing off for several hours we told our managers that we had spoofed thier branch alarm system.

They traveled to Diebold who swore up and down how great thier encryption was. The Chase guys slid our report across the table and watched the Engineers turn white as ghosts as they read it.

HAHAHAHAHA What a bunch of dumbasses!

The Moral of the Story: Don't trust your security vendors.

Cheers! (:-{)}

Bill

There is no way to do it securily.

[Convergence]

This is a computer programmed by invisible software. The only record of a vote is a little counter in the guts of the computer program. There is absolutely no way to make it secure. Any system that records votes directly electronically is wide open.

The only difference is who can commit vote fraud. Now anyone who walks up to the machine can commit vote fraud. Even if all of these bugs fixed, large classes of vote fraud remain. The only difference would be that any random person on the street couldn't cheat. However, any custodian would still be able to re-image the drive. Any programmer at Diebold would be able to embed a trapdoor. In short, anyone with exclusive access to open the machine can cause it to cheat. And this 'best case' is only if they fix all of the bugs.

Thats not a lot better. Even the writers of the paper couldn't make a cheat-proof DRE voting program. If an adversary controls the hardware, they control the software. Fundamentally, any non-trivial computer system is not trustworthy; any system whose security depends on a computer should be transformed where the security no longer depends on the correctness of the computer.

For instance, the only nominally trustworthy computer voting scheme is to have the computer be nothing other than a super-intelligent pencil. The voter uses the computer which prints out a paper ballot. The user observes and confirms the paper ballot is correct, then the ballot is dropped into a box. The computer may record results, but as the computer is untrustworthy, those results are untrustworthy. Now, the security and trustworthyness of the computer doesn't matter.

Every security researcher, including the authors of the paper advocates this scheme, but they are ignored by election officials. This includes the two professors who authored the paper, Peter Neumann, and Douglas Jones from the NY Times article, Rivest---the R in RSA--- and hundreds of others.

See: http://www.verifiedvoting.org/index.asp

This is a secure voting system. Brazil has it (and at a tenth the price). Any system without a printer requires 'trusted hardware' in an adversarial environment. Control the hardware, control the election.

Re:At least...

[Sylver+Dragon]

In the end, I agree with you that mandatory voting is dumb - but it is one of our smallest problems

I don't think I would mind mandatory voting, if, and only if, we had a "no confidence" vote on the ballot. Such that, if you didn't like any of the choices presented to you, you could vote to have a whole new slate of candidates put up(e.g. if the "no confidence" choice won, all of the parties have to put up new people and we try again.) God knows I would have voted that way back in 2000.