Man-In-the-Middle Remote Attack On Diebold Voting Machines
An anonymous reader tips news of a vulnerability discovered in the Diebold Accuvote voting system, which could be used to alter voting results without leaving evidence of tampering. Quoting Salon:
"[T]he Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. ... The team's video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a "bad guy" virtually complete control over the machine. A cheap remote control unit can enable access to the voting machine from up to half a mile away. ... The video shows three different types of attack, each demonstrating how the intrusion developed by the team allows them to take complete control of the Diebold touch-screen voting machine. They were able to demonstrate a similar attack on a DRE system made by Sequoia Voting Systems as well."
> The team's video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a "bad guy" virtually complete control over the machine.
If you can do this, you're going to have no protection at all. Just like paper votes, if the people who run the voting stations are corrupt, then the system can be fiddled. This shouldn't come as a surprise.
Sure, and allow the kind of MASSIVE voter-intimidation of Tammany Hall in New York City that went on in the 19th Century? Secret ballot was brought in FOR A REASON!
Go back to paper, it takes longer, but is better accountability.
The key point is SUPERVISION. Yes, the voting station staff might be corrupt, but if you have representatives from each of the parties with a stake in the election present during the entire voting and counting process, then sleight-of-hand becomes much trickier. With a pencil-and-paper-based system, you need to distract a great number of people *on election day* (assuming the votes are counted immediately after polls close, as in the UK) in order to 'interfere' with the vote. With the electronic system, all you need is a moment alone with the machine, at basically any point after its manufacture, to make your modifications (whatever they may be - software/hardware - just preferably hard to trace) - and it suddenly doesn't matter how rigorous the supervision is, come election day. Human beings can't supervise at the electron level.
Well, the main flaw with electronic voting right now is simply that it seems rare from the press I am seeing that there are paper ballots, or receipts mind you, printed out as well. Keep in mind this might be a case of positive news of E-voting focuses on the E-part and the printers are only mentioned in the negative press attacking flaws.
Electronic voting, when the information is not tampered with, is more accurate and faster than the old paper voting. Human error can occur in counting them. See 2000 recount efforts.
The best of both worlds is an auditing system with each voting machine printing out a paper ballot that the voter can verify before turning it in. Random X% precincts get hit by the auditing stick to count their votes the old-fashioned way to make sure they match the electronic vote counts. Perhaps fund research into a Wall Street-level algorithm that is designed to pick out precincts that vote out of proportion for their demographic makeup for that election with a certain margin of error.
by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
There is, in fact, a simple, straightforward way of getting all the advantages of electronic voting, while preserving the advantages of paper-voting.
Have the voting-machine print your vote as the last step, then deposit this printed vote in a ballot-box the old-fashioned way.
To verify the vote, simply count the paper-ballots the old-fashioned way, and compare the result with the results from the electronic voting.
It isn't really needed to count all the votes: picking a small fraction of voting-places randomly and checking those, has a high probability of detecting systematic attempts at cheating nationwide.
"Without evidence of tampering" obviously refers to the state of the machines if the alien circuitry is removed before inspection. The attack does not require any wires to be cut or internal components to be destroyed or removed, which would leave physical evidence. You do have a point about the screen blanking, though. Although it only blanks for a split second and I guess most users could be led to believe that this was normal behaviour. Is it suspicious enough for the regular Joe election supervisor to call off the poll and open up the machine?
If you can blank the screen, then it should be feasible to actually *change* the screen's output. This attack doesn't require any knowledge of the actual election software, but if you *did* have that knowledge, you could dummy up a screen that has the "correct" votes on it, and display that instead of the votes that are actually being recorded.
Also, the "without evidence of tampering" is referring to the lack of any evidence that the machine has been tampered with after you remove the alien hardware. Gain access to the machine weeks or months before voting opens, then simply cast your vote later in the day and remove your hardware... no evidence.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
And why do they call it a "Man-In-The-Middle Remote Attack"??
"Man in the middle" refers to the fact that the alien hardware is able to intercept and modify the authorized information, between the authorized user (the voter) and the intended recipient (the cast ballot).
The "remote" portion of the descriptor refers to the fact that the "man in the middle" is using a remote control to "attack" the system; that is, the compromised unit is being controlled remotely by someone other than the person standing at the controls/interface.
That is bad, but let us say you have a new democracy (it happens, new governments come up).
Is it possible to have a national ID and password which would let you vote on issues without the need for public elected officials?
One reason for representative government is that everyone could not vote on every single issue for the state because they could not all fit in one place and have discourse. The Internet could let everyone meet in one place. A whole new government style could be formed that has limited representative for figure head events.
God spoke to me
Encryption and authentication, performed by who? The machine? That can be broken if you have access to the machine, like in this case.
One could give personal certificates (in the form of a smart card, for example) to voters and require each vote to be signed using it, so votes would be impossible to forge, but that eliminates the anonymity of the process.
this is true. I made a replica of a Diebold voting machine and crammed an atari 2600 into it. If anyone wanted to vote for an independent, they had to first solve jungle hunt. Totally hacked the voting process.
What they're saying is that no soldering on the original hardware, nor replacement of any components is necessary. Some previous attacks required the removal of the storage media (compact flash, if I remember right).
The unit they demonstrated simply requires unplugging two things, and putting their unit in between. After the election is complete, they'd simply need to access the units again, remove the component, and all is well.
Most "void if broken" seals can be easily replicated. It's just a matter of getting a replacement seal in time. For the most part, people are dumb. If you do a good job of cleaning off the seal, they'd never notice it is missing.
Serious? Seriousness is well above my pay grade.
what part of 'remote control from half a mile away' does supervision deter?
The part where you have to break the seals on the machine, take it completely apart, hook up circuitry to it, close it back up, and re-seal the now broken tamper-proof tape, let the election run, break back in, break the seals on the machine again, pull your electronics back out of the machine to eliminate evidence and then reseal the machine and fix the tamper-proof seals again.
Given how last year we saw articles on how dead easy these things were to get into despite the fancy looking lock, this attack still falls in the category of "could conceivably happen".
Why "representatives from each of the parties"? Why not "who wants to attend can attend"?
That's how it works for most elections anyway. If you want to watch the election, go to the voting hall and sit there. Watch the empty voting boxes being sealed. Watch the breaking of the seal for the count. Watch the count. Watch the signing of the count sheet and the resealing of the voting boxes. Put your own seal on the boxes too, if you want. Accompany the car transporting the voting boxes to the central voting office. etc.pp.
If enough people do this in enough voting districts, large scale fraud is nearly impossible. That's how the people of the former communist East Germany were able to prove in court the voting fraud at least in the last "election"s in 1989 - enough people were at the voting halls, watched the procedure, and took notes of the results, compared them with the official results as announced the next day and found discrepancies.
The costs for simply counting the votes would be pretty small compared to setting up the rest of the election I'd imagine. Also, the costs (in more ways than just money) of letting crooked people get into power are massive.
which is totally what she said
I have to correct you, but actually it's possible to supervise all voting boxes until the last recount is done. If you understand any German (or the English your favourite online translator generates from German), you might have a look at Voting Fraud of Dachau to see it in action.
If you go in to e-voting expecting it to make elections cheaper, you're coming at it from the wrong perspective. If the goal of e-voting is not to make it more secure and accessible, then there's no point in doing it. Elections are a minimal cost in the scheme of things, and endangering their validity in order to save a few measly thousands-of-percent of the budget is insane.
Alternative attack vector: In a constituency wherein a majority statistically favors your opposition, just use a pen or whatever, to damage the "void if broken" seals. Presto; you've now cast doubt on the integrity of the votes in that ballot.
If you recounted the paper votes and it was different than the electronic tally, then it would be very clear very quickly that something was wrong.
Really dumb idea.
Not everyone has an email address. And, I'm sure that the people without email addresses are predominately from the lower economic stratum. So, that's one source for bias in your exit polling idea.
Also, the vast majority of people wouldn't bother registering for this exit poll, so it would take a relatively small effort to get the supporters of one side to disproportionally register, leading to an inaccurate exit poll.
Finally, anyone in a position to capture these email messages with the special code could sell them to the highest bidder.
Your idea would do nothing to make an exit poll more accurate, but it would throw valid elections into doubt.
> Every voter registers his email address with the election council.
There's your first problem. Not all voters have access to a computer, and many don't have an email address.
> At the last step, instead of paper print, you send out an email with a secret code associated with that email.
Which, since email is plaintext, can be intercepted.
> Now all news channels/NGOs/Etc conduct exit polls as before and your voter can go and enter the secret code/email address to each one of those exit polls
If a voter can demonstrate their individual vote at any location other than the polling place, then their vote can be bought or coerced. Imagine, say, an employer saying "Vote against this business tax increase if you want to keep your job."
I am officially gone from
This is true for all nerdy arguments - if something isn't 100% perfect then it's obviously completely useless.
Usually we ignore the real world practicalities (I believe there's an XKCD cartoon about breaking 4096 bit encryption with a $5 wrench which illustrates this point nicely).
OTOH the Diebold contract should have been cancelled a long time ago and the people forbidden from ever working in security. They're seriously incompetent.
Me? I think electronic voting is basically flawed because information can be tampered with and leave no trace. I want something physical that can be audited later.
My plan:
I'd have the machines print out little cards with a plain text version of the votes on one side and QR codes printed on the other. You can check your vote is correct, fold it in half (it's pre-scored and has glue dots) so that only the QR codes are visible then drop it in the ballot box. The votes can be counted electronically and you have something physical which can be randomly sampled and/or audited later. Best of both worlds!
No sig today...
No. The extreme vulnerability in electronic voting is not the equivalent of hanging chads. It's the equivalent of powerful people having access to a simple method of rigging elections, as if the Supreme Court and Citizens United wasn't enough.
You are welcome on my lawn.
Citizens United is a real SCOTUS ruling which effectively removes any and all campaign finance reform rules and leaves US elections a massive, no-rules free for all. What part of that solid, indisputable fact do you fucking think is "tinfoil hat" worthy?
One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
The Supreme Court did prevent a recount from occurring and thus changed the results of the Presidential Election in 2000. You may want to spend some time considering how the world might be different if instead of playing politics they had simply ruled that all ballots in Florida must be recounted as an equal protection measure. Would the war in Iraq have happened? Would the financial crash in 2008? We will never know, but the Supreme court bears partial responsibility for both disasters now since they clearly chose to decide along political lines instead of legal ones and thus tampered with the will of the people.
It's never a good sign when the legal system is picking the political leaders in a supposed democracy (democratic republic for the ignorant mouth-breathing pedants).
Fanatically anti-fanatical
I saw this discussion on another site and someone asked 'Why can they make rock solid tamper proof slot machines but not voting machines?' I realize they are not the same animal but the concepts of security and tampering must be very similar.
"Waitress I need two more boat-drinks..."
I've been a voting official; I attended the mandatory training and staffed a booth all day long for the last US presidential election.
I'm also one of the people who has totally unrestricted, totally unsupervised access to dozens of voting machines.
This has nothing to do with my status as a trained voting official; basically, I do volunteer maintenance work at local schools and Unitarian Universalist churches. Somebody has to show up at 2AM to fix busted pipes, you know - that somebody is usually me. And in order to distribute the voting machines to the polling places in time, they are generally left in locked rooms at schools and churches for several days.
I have the keys. And even if I didn't have the keys, obviously I have the skills to get into locked rooms (since I wouldn't be much of a maintenance man if I couldn't get past a door with an inoperative lock). And nobody notices or cares if I'm at the school alone for five hours late at night, because that's something I do whenever it's necessary.
My reality-based study of the subject convinces me that the current system is optimized for vote fraud. I could easily subvert a hundred machines in any election with near-zero chance of detection.
Certainly, a paper-based system could also be optimized for corruption - you're absolutely right about that! The example of hiring for-profit companies to design and build machines that record votes by inadequately punching cards is a perfect case in point.
But regardless of the efficacy of paper votes, the current generation of voting machines are fundamentally flawed and will never be capable of resisting any half-hearted attempt to subvert them. They are designed to be subverted, either intentionally or due to massive incompetence on the part of their designers.
A voting machine needs to be totally open source, and use voter-verified write-only recording media. Every voter needs to be able to look at the vote that was permanently recorded at time of voting, or the system is trivially defeated. It doesn't matter if votes are recorded on paper, chiseled in stone, or spraypainted on the wall, what matters is that audit trails are not written to trivially rewritable media (magnetic or flash, for example) and that operational hardware and software designs are available to all enfranchised citizens for examination and review.
Random sampling is not sufficient. All votes must be equal. All votes must be counted.
I've always wondered why there isn't a hybrid system - make your electronic vote print out a receipt, validate the receipt and drop the receipt in the box. If someone manages to compromise the electronic system, you've got a paper trail backup. If someone manages to compromise the paper system, you've got the electronic one.
Isn't defense in depth the order of the day here?
A random sample is not sufficient to eliminate the possibility of the vote counting machine having been tampered with. Particularly if it is randomly selected by a pseudo random number generator. The most that electronic counting can provide is a rapid estimation of the real vote count. All votes must be verified to prevent fraud. Democracy is far too important to take chances with.
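The disagreement in this thread over spot-check audits versus full recounts can be put in numbers. The sketch below is an added example, not part of any comment: it computes the chance that a uniform sample of precincts includes at least one altered precinct, the smallest sample that reaches a target confidence, and a selection derived from a publicly generated seed so observers can recompute which precincts were drawn. It assumes a hand count of a sampled precinct reveals any mismatch; the function names, the seed and the precinct ids are hypothetical.

```python
import hashlib
from fractions import Fraction
from math import comb


def detection_probability(total, tampered, sampled):
    """Chance that a uniform sample of `sampled` precincts (without
    replacement) contains at least one of the `tampered` precincts."""
    if not (0 <= tampered <= total and 0 <= sampled <= total):
        raise ValueError("need 0 <= tampered, sampled <= total")
    # comb(n, k) is 0 when k > n, so an oversized sample gives probability 1.
    miss = Fraction(comb(total - tampered, sampled), comb(total, sampled))
    return 1 - miss


def min_sample_size(total, tampered, confidence):
    """Smallest sample that catches a tampered precinct with at least
    `confidence` probability; None if nothing was tampered with."""
    if tampered == 0:
        return None
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n


def select_precincts(precinct_ids, public_seed, count):
    """Reproducible selection: rank precincts by SHA-256(seed | id) and take
    the first `count`. Anyone holding the seed can recompute the list."""
    def rank(pid):
        return hashlib.sha256(f"{public_seed}|{pid}".encode()).hexdigest()
    return sorted(precinct_ids, key=rank)[:count]


if __name__ == "__main__":
    # Constructed scenario: 5,000 precincts, 100 of them altered.
    total, tampered = 5000, 100
    for sampled in (25, 50, 150, 250):
        p = detection_probability(total, tampered, sampled)
        print(f"audit {sampled:>4} precincts -> detect with p={float(p):.3f}")
    n = min_sample_size(total, tampered, 0.99)
    print(f"99% detection needs {n} of {total} precincts")
    ids = [f"P{i:04d}" for i in range(total)]
    # Seed is a constructed placeholder for a value produced in public view.
    print(select_precincts(ids, "constructed-dice-roll-314159", 5))
```

The required sample grows quickly as the number of altered precincts shrinks: with a single altered precinct the detection probability equals the fraction of precincts audited.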
How many more can you think of off the top of your head?
Think of the last 30 years. Now realize that you can only think of 2 criminal corporations that were actually punished.
Maybe you can come up with 3 or 4 or 5. In a quarter-century. Now are you starting to see my point? If corporations are "persons" then they are persons who are allowed to break the law with impunity. And do you want someone who breaks the law with impunity being able to buy elections?
Regarding a solution: what's wrong with publicly financed elections? The technology exists to get a message out without spending billions on TV commercials. The technology exists to create a level playing field. Why should money be the mechanism by which elections are won? Is that really a smart way to have elections? Wouldn't it be better for all of us if we took the money out of elections? Maybe we wouldn't have perpetual campaigns. Maybe there would be a possibility of people actually governing. Maybe we wouldn't see such a perversion of the media. We wouldn't see entities with lots of money being the only ones who get to participate in setting the public agenda.
I assume you believe that money = speech. Forget about the fact that this was not the Founders' intention. They were eloquent and logical men. If they wanted corporations to have personhood, they would have put it in the Constitution. One sentence. If they wanted money to equal speech, they could have added that, too. Just a few words. They don't mention free markets, they don't mention capitalism either (and it had been a concept with which the founders were familiar), but that's another discussion. Do you really want to codify the notion that people without money are not allowed to participate in public life? Do you really want a handful of corporations to have the loudest voices? The greatest influence? Does that sound like something Jefferson and Franklin and Madison would have wanted?
You are welcome on my lawn.