The Corpus Callosum

Just Trash It and Start Over

That is the conclusion of the most recent review of the security of the
Diebold voting machines in California.  Most damning is the
finding that many of the previously-reported vulnerabilities have not
been fixed.

…Although we present
several previously unpublished vulnerabilities, many of the weaknesses
that we describe were first identified in previous studies of the
Diebold system (e.g., [26], [17], [18], [19], [33], [23], and
[14]). Our report confirms that many of the most serious flaws that
these studies uncovered have not been fixed in the versions of the
software that we studied.

Since many of the vulnerabilities in the Diebold system result from
deep architectural flaws, fixing individual defects piecemeal without
addressing their underlying causes is unlikely to render the system
secure. Systems that are architecturally unsound tend to exhibit
“weakness-in-depth”—even as known flaws
in them are fixed, new ones tend to be discovered. In this sense, the
Diebold software is fragile.

Due to these shortcomings, the security of elections conducted with the
Diebold system depends almost entirely on the effectiveness of election
procedures. Improvements to existing procedures may mitigate some
threats in part, but others would be difficult, if not impossible, to
remedy procedurally. Consequently, we conclude that the safest way to
repair the Diebold system is to reengineer it so that it is secure by
design.


The Hart machines fare no better.  The vulnerabilities include
the old feature-not-a-bug problem:

…Network interfaces in
the Hart system are not secured against direct attack. Voters can
connect to unsecured network links in a polling place to subvert
eSlates, as well as to eavesdrop on cast votes and to inject new votes.
Poll workers can connect to JBCs or eScans over the management
interfaces and perform back-office functions such as modifying the
device software. The impact of this is that a malicious voter could
potentially take over one or more eSlates in a precinct and a malicious
poll worker could potentially take over all the devices in a precinct.
The subverted machines could then be used to produce any results of the
attacker’s choice, regardless of voter input. We emphasize
that these are not bugs in the Hart software, but rather features
intentionally designed into the system which can be used in a fashion
for which they were never intended.


Additionally, the Hart InterCivic system uses some unsecured network
connections.  Those that are secured use a single symmetric
cryptographic key, which is itself not protected.

The Sequoia systems are just as bad:

…We found significant
security weaknesses throughout the Sequoia system. The nature of these
weaknesses raises serious questions as to whether the Sequoia software
can be relied upon to protect the integrity of elections. Every
software mechanism for transmitting election results and every software
mechanism for updating software lacks reliable measures to detect or
prevent tampering. We detail these weaknesses, and their implications,
in Chapters 3 and 4.

In certain cases, audit mechanisms may be able to detect and recover
from some attacks, depending on county-specific procedures; other
attacks may be more difficult to detect after the fact even with very
rigorous audits.

There were numerous programming, logic, and architectural errors
present in the software we reviewed.


Sequoia’s problems include the following:

  • Unfortunately, in every case we examined the cryptography is easily
    circumvented. Many cryptographic functions are implemented incorrectly,
    based on weak algorithms with known flaws, or used in an ineffective or
    insecure manner.
  • The access control and other computer security mechanisms that protect
    against unauthorized use of central vote counting computers and polling
    place equipment are easily circumvented.
  • The software suffers from numerous programming errors, many of which have a
    high potential to introduce or exacerbate security weaknesses. These
    include buffer overflows, format string vulnerabilities, and type
    mismatch errors. In general, the software does not reflect defensive
    software engineering practices normally associated with high-assurance
    critical systems.


Many of the problems with Sequoia machines were first published in
2006, and have not been fixed.
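The common thread in the Hart finding (one precinct-wide symmetric key, not itself protected) and the Sequoia finding (no reliable tamper detection on transmitted results) is that the tabulator has no way to tell which device a results message really came from. The following added example is mine, not code from the California review or from either vendor; it models three ways a central tabulator could check a precinct device's totals. Device names (JBC-3, eSlate-7), key material and vote counts are constructed for illustration.

```python
"""Added example, not code from the California review or from any vendor.

It models three ways a central tabulator could check a results message
from a precinct device. Device names (JBC-3, eSlate-7), key material and
vote counts are constructed for illustration."""
import hashlib
import hmac
import json
import secrets


def encode(device_id: str, totals: dict) -> bytes:
    # Canonical JSON so sender and verifier MAC exactly the same bytes.
    return json.dumps({"device": device_id, "totals": totals},
                      sort_keys=True).encode()


def mac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


# Model 0: an unkeyed digest travels with the message. It catches line
# noise, but anyone who can alter the message can recompute the digest.
def plain_hash_verify(device_id: str, totals: dict, tag: str) -> bool:
    expected = hashlib.sha256(encode(device_id, totals)).hexdigest()
    return hmac.compare_digest(expected, tag)


# Model 1: one symmetric key shared by every device in the precinct.
# Whoever extracts it from any one device can speak as any other device.
SHARED_KEY = b"constructed-precinct-wide-key"


def shared_key_verify(device_id: str, totals: dict, tag: str) -> bool:
    return hmac.compare_digest(mac(SHARED_KEY, encode(device_id, totals)), tag)


# Model 2: a distinct key per device; the tabulator holds the only copies.
# Compromising an eSlate yields only the eSlate's key.
DEVICE_KEYS = {
    "JBC-3": secrets.token_bytes(32),
    "eSlate-7": secrets.token_bytes(32),
}


def per_device_verify(device_id: str, totals: dict, tag: str) -> bool:
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False  # unknown device: reject rather than guess
    return hmac.compare_digest(mac(key, encode(device_id, totals)), tag)


def forgery_accepted(verify, attacker_tag) -> bool:
    """Attacker submits totals in the name of JBC-3, computing the tag
    with whatever `attacker_tag` they can run using material pulled from
    a compromised eSlate. True means the tabulator accepts the forgery."""
    fake_totals = {"Goober": 900, "Bubba": 100}
    msg = encode("JBC-3", fake_totals)
    return verify("JBC-3", fake_totals, attacker_tag(msg))


def demo() -> dict:
    honest = {"Goober": 512, "Bubba": 488}
    msg = encode("JBC-3", honest)
    return {
        # Legitimate reports verify under all three models.
        "plain_hash_honest": plain_hash_verify(
            "JBC-3", honest, hashlib.sha256(msg).hexdigest()),
        "shared_honest": shared_key_verify(
            "JBC-3", honest, mac(SHARED_KEY, msg)),
        "per_device_honest": per_device_verify(
            "JBC-3", honest, mac(DEVICE_KEYS["JBC-3"], msg)),
        # Forgeries: the attacker holds only what an eSlate would contain.
        "plain_hash_forged": forgery_accepted(
            plain_hash_verify, lambda m: hashlib.sha256(m).hexdigest()),
        "shared_forged": forgery_accepted(
            shared_key_verify, lambda m: mac(SHARED_KEY, m)),
        "per_device_forged": forgery_accepted(
            per_device_verify, lambda m: mac(DEVICE_KEYS["eSlate-7"], m)),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:20s} accepted={accepted}")
```

Only the per-device model rejects the forged JBC totals; the unkeyed digest and the shared key both accept them, which is the situation the two reports describe. Two caveats a practitioner would add: per-device keys still let a compromised JBC misreport its own totals, which is why the reviewers fall back on procedures and audits rather than cryptography alone, and a real design would prefer per-device asymmetric signing keys so that the tabulator holds nothing that could itself forge a report.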

HT: Black Box Voting
(http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/54349.html).
Source material is from the California Secretary of State
(http://www.sos.ca.gov/elections/elections_vsr.htm).

Comments

  1. #1 Flyspeck
    August 3, 2007

    A chilling thought — maybe the systems are vulnerable on purpose.

    What if 50 million people vote for Goober and 50 million vote for Bubba, but the machine tallies come up with Goober ahead 30 million?

    How could this be contested, by rerunning the totalizing? That would only produce the same outcome — or different, depending on the scheme at work.

    There would be no paper ballots to validate the results.

    And the Supreme Court would declare Goober the winner, and declare any recounts invalid in advance.

  2. #2 andy
    August 4, 2007

    And that is exactly what the Rethuglicans want.
