All of Maryland and Georgia-will employ the AccuVote-TS model. More than 33,000 of the TS machines are in service nationwide.
The machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces.
Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.
Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.
AccuVote-TS machines are susceptible to voting-machine viruses-computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.
While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.
RABA TECHNOLOGIES LLC. TRUSTED AGENT REPORT: DIEBOLD ACCUVOTE-TS VOTING SYSTEM (report prepared for Department of Legislative Services, Maryland General Assembly, Annapolis, Md., January 2004). http://www.raba.com/press/TA_Report_AccuVote.pdf
The general lack of security awareness, as reflected in the Diebold code, is a valid and troubling revelation. In addition, it is not evident that widely accepted standards of software development were followed.
Knowing the password, a smart card can be replicated, and the voter can vote multiple times. RABA was able to guess the passwords quickly, and access each card's contents (Supervisor Card, Voter Card, and Security Key Card). Given access to the cards' contents it became an easy matter to duplicate them, to change a voter card to a supervisor card (and vice versa) and to reinitialize a voter card so that it could be used to vote multiple times.
The use of hardcoded passwords is surprising both as an inferior design principle and in light of them being published openly in the Hopkins report. It must be assumed these passwords are well known.
The contents of these cards are neither encrypted nor digitally signed. Thus, for example, the PIN associated with a Supervisor Card23 can be read directly from the card – provided the password is known. This means creating Supervisor Cards is a simple task: a perpetrator could program his card with an arbitrary PIN that the AccuVote-TS would readily accept.
It is reasonable to assume that a working key to the AccuVote hardware is available to an attacker. The hardware consists of a touch-screen voting terminal with two locked bays. Maryland has ordered approximately 16,000 AccuVote-TS terminals each equipped with two locking bays and supplied with two keys accounting for 32,000 locks and keys. Surprisingly, each lock is identical and can be opened by any one of the 32,000 keys. Furthermore, team members were able to have duplicates made at local hardware stores.
One team member picked the lock in approximately 10 seconds. Individuals with no experience (in picking locks) were able to pick the lock in approximately 1 minute.
A sampling of the vulnerabilities found as a result of poor physical security coupled with software that fails to use robust encryption and authentication include six methods of attack. (Not reproduced herein.)
The GEMS server lacks several critical security updates from Microsoft. The team was able to remotely upload, download and execute files with full system administrator privileges.
The server enables the "autorun" feature. Given physical access to the server, one can insert a CD that will automatically upload malicious software, modify or delete elections, or reorder ballot definitions.
The machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces.
Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.
Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.
While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.
RABA TECHNOLOGIES LLC. TRUSTED AGENT REPORT: DIEBOLD ACCUVOTE-TS VOTING SYSTEM (report prepared for Department of Legislative Services, Maryland General Assembly, Annapolis, Md., January 2004). http://www.raba.com/press/TA_Report_AccuVote.pdf
The general lack of security awareness, as reflected in the Diebold code, is a valid and troubling revelation. In addition, it is not evident that widely accepted standards of software development were followed.
Knowing the password, a smart card can be replicated, and the voter can vote multiple times. RABA was able to guess the passwords quickly, and access each card's contents (Supervisor Card, Voter Card, and Security Key Card). Given access to the cards' contents it became an easy matter to duplicate them, to change a voter card to a supervisor card (and vice versa) and to reinitialize a voter card so that it could be used to vote multiple times.
The use of hardcoded passwords is surprising both as an inferior design principle and in light of them being published openly in the Hopkins report. It must be assumed these passwords are well known.
The contents of these cards are neither encrypted nor digitally signed. Thus, for example, the PIN associated with a Supervisor Card23 can be read directly from the card – provided the password is known. This means creating Supervisor Cards is a simple task: a perpetrator could program his card with an arbitrary PIN that the AccuVote-TS would readily accept.
It is reasonable to assume that a working key to the AccuVote hardware is available to an attacker. The hardware consists of a touch-screen voting terminal with two locked bays. Maryland has ordered approximately 16,000 AccuVote-TS terminals each equipped with two locking bays and supplied with two keys accounting for 32,000 locks and keys. Surprisingly, each lock is identical and can be opened by any one of the 32,000 keys. Furthermore, team members were able to have duplicates made at local hardware stores.
One team member picked the lock in approximately 10 seconds. Individuals with no experience (in picking locks) were able to pick the lock in approximately 1 minute.
A sampling of the vulnerabilities found as a result of poor physical security coupled with software that fails to use robust encryption and authentication include six methods of attack. (Not reproduced herein.)
The GEMS server lacks several critical security updates from Microsoft. The team was able to remotely upload, download and execute files with full system administrator privileges.
The server enables the "autorun" feature. Given physical access to the server, one can insert a CD that will automatically upload malicious software, modify or delete elections, or reorder ballot definitions.
Next Page 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).
