Critical Security Hole Found in Diebold Machines

ckswift writes "From security expert Bruce Schneier's blog, a major security hole has been found in Diebold voting machines." From the article: "The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways."

Black Box Voting & The Details

[eldavojohn]

BBV released a a nice guide to how all this works. There appears to be a software access button (bottom of page 11):

The TSx also has an unmarked button hidden in the casing. On the circuit board, this switch is labeled "battery test". The switch is physically similar to many reset buttons, necessitating application of substantial force to press the button, requiring it to be depressed by about 1/5 - 1/6 inch in order to activate the switch. This switch is also software accessible. It is completely accessible for all voters in the standard voting booth configuration. The logic behind the button is unknown, but for an attacker it presents yet another way to interact with the machine, and an exceptionally convenient button switch for an attack designed to be triggered by a voter.

Well, this seems very insecure to me. BBV criticizes the three layer architecture and states that it would be very easy to target it three different ways (at each layer):

- The application can be imagined as written instructions on a paper. If it is possible to replace these instructions, as it indeed seems, then the attacker can do whatever he wishes as long as the instructions are used.

- The operating system is the man reading the instructions. If he can be brainwashed according to the wishes of the attacker, then even correct instructions on the paper solve nothing. The man can decide to selectively do something different than the instructions. New paper instructions come and go, and the attacker can decide which instructions to follow because the operating system itself is under his control.

- The boot loader is the supreme entity that creates the man, the world and everything in it. In addition to creating, the boot loader also defines what is allowed in the world and delegates part of that responsibility to the operating system. If the attacker can replace the boot loader, trying to change the paper instructions or the man reading them does not work. The supreme entity will always have the power to replace the man with his own favorite, or perhaps he just modifies the man's eyes and ears: Every time the man sees yellow, the supreme being makes him think he is seeing brown. The supreme entity can give the man two heads and a secret magic word to trigger switching the heads.

In the world of the Diebold touch-screen voting terminals, all of these attacks look possible.

The instructions (applications and files) can be changed. The man reading the files (Windows CE Operating System and the libraries) can be changed. Or the supreme entity (boot loader) can be changed, giving total control over the operating system and the files even if they are "clean software."

Specific conceptual information is contained in the report, with details and filenames in the high-security version which is being delivered under cryptographic and/or personal signature controls to the EAC, Diebold CEO Tom Swidarski and CERT.

1) Boot loader reflashing
2) Operating system reflashing
3) Selective file replacement

In addition, the casing of the TSx machines lack basic seals and security, and within the casing additional exploitations are found.

The article talks about a "standard tool you can buy at any computer store" and I believe this is referring to a PCMCIA card (what you use in laptops). I guess these are used to boot, upgrade & ready the machines for use. They do not go into detail but I wager that using a PCMCIA card with a USB port on it, you could load your own data from a thumb/pen drive. This would be small and easy to carry in. If you had access to it outside of the voting window, you could potentially use a PCMCIA card that functions as a NIC (probably with RJ45 cable port) to use cross over cable and a laptop for a 'live' attack.

It's not a bug, it's a feature!

[TripMaster+Monkey]

Considering that Walden O'Dell, chief executive of Diebold Inc., was quoted in August of 2003 as saying that he was "committed to helping Ohio deliver its electoral votes to the president next year", this shouldn't be too surprising.

The Shock! The Surprise!

[GaryPatterson]

So the closed-source company with apparent links to the incumbent government and a record of blocking any attempts to investigate their code turn out to have security flaws?

Okay - closed-source versus open-source is a non-issue, but I expected something like this from Diebold sooner or later.

I'm seriously worried though. Here in Australia a lot of ATMs have been replaced recently with shiny new Diebold machines. I've no doubt they're harder to hack, but it's not an encouraging sign.

Re:Funny isn't it?

[typical]

They make a voting machine that is atrocious and faulty.

To be fair, even if it were someone else, voting machines that submit the vote in electronic form simply have fundamental problems with accountability. Yes, Diebold has had some atrocious engineering problems, but even if you took the best group of engineers on the planet and asked them to replace the pencil or hole punch machine with a fully electronic form, they'd still have a vastly more exploitable system than the traditional system.

I view Diebold as representative of a lot of companies that get government contracts -- obtaining unneeded pork, doing a fairly half-assed job. However, while some things (like the criminal records of people presiding over the project) were a little disturbing, I'm more willing to say that Diebold probably has nothing more malicious in mind than getting as much money as possible and not caring much as to how useful (or dangerous) their work is.

The real problem is that no voting administrator wants to be in the shoes of the Florida people, where questionable ballots exceeded the margin by which Bush won. An electronic form throws away all data other than a simple vote -- it may not be more accurate, but it covers the asses of voting administrators.

The fact that the whole system is much less accountable and more open to abuse and attacks than a physical system is more an issue that not of the involved people (voting officials and Diebold) just don't care about than one that I expect that they intend to personally exploit.

Re:What I would like to know..!

[geobeck]

These ridiculous security holes can only be intentional.

My greatest fear regarding American elections is that Diebold machines will be used for a national vote to repeal the 22nd amendment, then for the following presidential acclimation--I mean, election.

Americans, please, start a grassroots movement to outlaw the use of any electronic, and therefore hackable, voting machines. Look at Canada's election process. Sure, we have only 10% of your population, but we have substantially less than 10% of your election hassles. In Canada, paper ballots are counted manually by Elections Canada volunteers, witnessed at each vote counting station by representatives from all official parties.

And for the love of Mike, start some new political parties! You may turf out the Republicans in 2008, but your Democrats are no prize either!