Removable memory cards used by voting machines can be infected with a virus and used to spread corrupted software
On September 13, computer security researchers at Princeton University's Center for Information Technology Policy released a security analysis of the Diebold AccuVote-TS direct recording electronic (DRE) touch screen voting machine. That analysis identified extremely serious security vulnerabilities in the Diebold hardware and software. In laboratory tests using actual Diebold hardware and software, the researchers demonstrated that these vulnerabilities could be exploited by malicious individuals to corrupt the results of elections conducted on these machines and that such corruption would be nearly impossible to detect.
Nearly 33,000 AccuVote-TS touch screen voting machines are currently in use in the United States, and they are used statewide in both Maryland and Georgia. Given the extremely serious nature of these vulnerabilities and the widespread use of these machines, it is imperative that responsible public officials respond promptly to address the concerns raised by the Princeton study.
To promote informed discussion of these issues, this page provides links to the Princeton study itself, initial reactions to that study by computer security and voting systems experts, Diebold's response to the study, and rebuttals to that response. Several links to related news releases and articles are also provided.
The Princeton Study
Abstract plus links to full report and demonstration video
Full report in PDF format
Initial Response from computer security and voting systems technology experts
Dr. David Dill, Professor of Computer Science, Stanford University, and founder of VerifiedVoting.org and The Verified Voting Foundation states: "The Princeton report is the most thorough analysis yet of security issues with the Diebold AccuVote-TS. The leader of the team authoring the report, Prof. Edward Felten, is a very well-known and highly respected computer security expert and the Director of Princeton's Center for Information Technology Policy. Their report is careful, authoritative, and devastating.
It is not at all surprising that it is possible to write malicious vote-stealing code that is difficult to detect -- I said so in 2003, because it's obvious to anyone with the necessary technical expertise, even without knowing the details of the computer systems in question. Since 2003, hundreds of other computer scientists, including Prof. Ed Felten, signed the "Resolution on Electronic Voting" at VerifiedVoting.org because they agreed.
However, it seems that many people, including election officials and politicians, have been reluctant to accept these conclusions. The Princeton report, and especially the online video, should remove all doubt. They demonstrate several ways that malicious code can be written and installed, quickly and easily, on a widely-used electronic voting machine. The video demonstration will be especially valuable for convincing skeptics of the feasibility and potential terrible consequences of such an attack.
In addition to demonstrating frightening new attacks, such as a vote-changing virus that can gradually spread from machine-to-machine after being released, the report also confirms many previous findings, including those of the Johns Hopkins/Rice report in 2003, the RABA report in 2004, and the reports by Harri Hursti and Herbert Thompson of Black Box Voting in 2006."
Dr. Michael Fischer, Professor of Computer Science, Yale University, Vice Chair of the State of Connecticut's former Voting Technology Standards Board, and a founding member of TrueVoteCT states:
"Although I have been saying for some time how vulnerable all computerized voting systems are, the vulnerabilities in the Diebold TS DRE machine, and the ease with which the Princeton team was able to compromise those machines surprised even me. Here are the things I learned reading the paper that I didn't know or hadn't really thought through before.
• I had not thought of spreading malicious code via a memory-card virus, although in retrospect that should have been obvious. Computer viruses predated the Internet. They used to be spread from PC to PC via floppy disks. We used to be warned about booting our PCs with untrustworthy disks in the floppy drive, just as now we're warned against clicking on untrustworthy links on a web page. The more things change, the more they stay the same. Viruses can spread much faster now with the Internet, but spread they did, even in the old days.
• The reason the virus attack is so pernicious is that it really can be used to infect large numbers of machines by a single person, without that person being an insider in a voting machine company or a poll worker. All it takes is somebody who has access to one memory card for a short period of time -- a shipping clerk, a town hall employee, almost anybody. It's enough to corrupt the memory card that will later be inserted into the voting machine. It isn't necessary to have direct access to the machine at all. This makes chain of custody for both memory cards and the machines themselves all the more important. It also makes it really crucial for election officials to have access to the contents of the memory cards so that they can verify that the cards do not contain malicious code before they are inserted into the voting machines. Such verification software would be easy, almost trivial, to write, especially with Diebold's cooperation as to data formats and such. Accordingly, Diebold should publicly disclose the data format of the memory cards so that the contents of those cards can be independently verified by elections officials.
• The fact that a virus can be spread by an innocent technician attempting to install legitimate software updates is yet another pernicious fact about viruses and the really bad security architecture of the Diebold machine. This means that really stringent update procedures need to be followed that include booting the machine off of a safe EPROM rather than booting the machine normally. I don't know how much control elections officials can exert over Diebold technicians, but it's absolutely essential that correct procedures be followed.
• Of course, this attack focuses attention again on the fact that the malicious code could originate anywhere along the chain from the Diebold-produced GEMS software to the vendor-produced memory cards all the way down to the individual precinct. If someone manages to infect the GEMS election management machine, then it could be made to copy the malicious code to each memory card it programs. Without a way to view what is actually on the memory card (and without procedures requiring that it be done), technicians or elections officials could be producing infected memory cards without any knowledge of what they were doing.
• I had always assumed that to alter votes, a malicious attacker would somehow get hold of the source code to the election software and then modify it. This left open the question of how they would obtain the source code. One can always reverse engineer the executable code, but that's a costly and time-consuming process. The Princeton team came up with a much simpler solution. They run the Diebold software unmodified, but they run their attack software in parallel with it. The attack software simply polls the memory card from time to time to see if any new votes have been recorded. If they have, it takes the opportunity to alter the votes as it sees fit. Since it changes both copies of the ballot and the audit log file, it leaves no trace of its actions. By operating this way, it doesn't really need to know how the election software works; it only needs to know how the votes are stored in memory.
• The Princeton report describes two attacks: a vote-altering attack and a Denial-of-Service (DoS) attack. I had never thought much about DoS attacks in conjunction with voting machines since such an attack leaves an obvious trail of its existence. Hence, I had assumed that nobody would be motivated to simply disable voting machines during an election. But now I can think of several possible motivations: (a) To bias the election outcome by attacking all machines in precincts with certain voting patterns. (b) To bias the election by selectively attacking any machine that shows a sufficiently strong vote for an opposing candidate. (c) To attack all machines indiscriminately in order to further erode the public trust in electronic voting machines, either out of a "white knight" belief that this is in the country's best interest or in order for a vendor of a different kind of technology to gain a competitive advantage. If a widespread DoS were to occur on election day, it would cause a major disruption in the functioning of our democracy and probably result in having to hold a new election without the use of high-tech machines.
• The technical report showed how much valuable information the researchers were able to gain by having access to an actual AccuVote-TS machine. Previous studies that had disclosed many of the vulnerabilities upon which the Princeton work was based relied on much more limited access to the hardware and software. We'll never have secure machines if the vendors succeed in keeping the inner workings of their machines secret from the security experts. Fortunately, history shows that it is nearly impossible for them to do so, despite their best efforts. Similarly, it is nearly impossible to keep such things secret from the bad guys, which is why secrecy is not the road to security."
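Dr. Fischer's second point above is that election officials should be able to check a memory card's contents against a known-good reference before the card goes into a machine. The following is an added example of what such a check looks like; it is not code from the Princeton study, from Diebold, or from any of the experts quoted on this page. Because the real AccuVote-TS card layout has not been disclosed, the card is modelled as a hypothetical set of named files, and the file names, contents, machine identifiers and the office key are all constructed placeholders. The reference manifest is authenticated with an HMAC under a key held by the election office, so an attacker who can rewrite the card cannot also rewrite the list of expected digests.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed stand-in for a memory card image: file name -> contents.
# The actual AccuVote-TS card layout is not public, so these names and
# contents are hypothetical placeholders, not Diebold's format.
REFERENCE_CARD: Dict[str, bytes] = {
    "election.edb": b"constructed ballot definition for precinct 0001",
    "ballots.dat": b"",
    "audit.log": b"",
}

# Key held by the election office, never stored on the election management
# server or on the cards themselves (constructed value for the demonstration).
OFFICE_KEY = b"constructed-election-office-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """List the expected digest of every file that belongs on the card and
    authenticate that list with an HMAC, so a tampered manifest is rejected."""
    digests = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_card(card: Dict[str, bytes], manifest: dict, key: bytes) -> List[str]:
    """Compare a card against the manifest. Returns a list of findings; an
    empty list means every expected file is present and unchanged and
    nothing extra is on the card."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest MAC invalid: expected digests cannot be trusted"]
    expected = manifest["digests"]
    findings: List[str] = []
    for name in sorted(set(expected) | set(card)):
        if name not in card:
            findings.append(f"missing: {name}")
        elif name not in expected:
            # An added file is exactly what a card-borne virus would need.
            findings.append(f"unexpected file: {name}")
        elif sha256_hex(card[name]) != expected[name]:
            findings.append(f"modified: {name}")
    return findings


# Constructed tampered card: ballot definition altered and a file added.
TAMPERED_CARD: Dict[str, bytes] = dict(REFERENCE_CARD)
TAMPERED_CARD["election.edb"] = b"constructed ballot definition for precinct 0001 (altered)"
TAMPERED_CARD["update.exe"] = b"constructed placeholder for an unexpected executable"

if __name__ == "__main__":
    manifest = build_manifest(REFERENCE_CARD, OFFICE_KEY)
    print("reference card:", verify_card(REFERENCE_CARD, manifest, OFFICE_KEY) or "clean")
    print("tampered card: ", verify_card(TAMPERED_CARD, manifest, OFFICE_KEY))
```

The check only detects deviation from the reference, so the reference must itself come from a trusted build: if the election management system that programs the cards is already infected (Dr. Fischer's fourth point), a manifest generated on that system would simply bless the infection. The manifest and its key therefore belong with the election office, produced from media that the vendor's update process never touches.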
Diebold's Response to Princeton Study
Press release format
Rebuttals to Diebold's Response to the Princeton Study
Dr. David Dill, Professor of Computer Science, Stanford University, and founder of VerifiedVoting.org and The Verified Voting Foundation states:
"As in previous cases, Diebold has fired up its disinformation machinery to try to discredit the Princeton report. Among other points, it dusts off the argument, used since 2003, that the researchers examined out-of-date software. In past instances, it was shown later that newer versions of the program had many of the same security flaws. Furthermore, the Princeton report, like the Johns Hopkins/Rice report before it, observes that many of the problems cannot be fixed without a complete re-engineering of the system, which has obviously not happened.
However, we must not lose sight of the really important questions. 'Why should we trust a company and regulatory system that allowed these machines to be used in previous elections?' and 'Why should we trust anything that Diebold says?'"
Dr. Douglas Jones, Associate Professor of Computer Science at the University of Iowa, former chair of the State of Iowa's Board of Examiners for Voting Machines and Electronic Voting Systems, and a member of the advisory board of VerifiedVoting states:
"'A virus was introduced to a machine that is never attached to a network.'
This response dodges the question, expressing a complete misunderstanding of the nature of viruses by implying that viruses are irrelevant if there is no network. First, viruses originally emerged as a threat in the era of the Apple II personal computer, where they were spread on floppy disks that were hand carried between machines. What matters, clearly, is the presence of communication, not wires. Communication by hand carried disks, or PCMCIA cards, creates an environment in which the possibility of viruses is worthy of investigation.
'The current generation AccuVote-TS software - software that is used today on AccuVote-TS units in the United States - has the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more.'
Diebold has not released to the public sufficient information to allow an assessment of the competence with which these measures were applied. As a result, we cannot determine whether these are applied in an effective way, or whether they are as ineffective as the use of DES was back in 1997.
'In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines - every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.'
See Avi Rubin's report. See the report from Cleveland [PDF] on the frequency with which these measures were used effectively. See Ed Felten's comments on the denial of service attack that security seals offer. I commented on the same with regard to the ES&S iVotronic in my comments on the pre-election tests in Miami in 2004.
If you take seals seriously, you must inventory seal numbers at the time applied and insist on recording the seal numbers at the time they are broken. Auditors must routinely check that these records are properly maintained, and any seal found broken should disqualify the machine it is attached to. Jurisdictions don't do this, and the seals being used are so flimsy that if they did, someone could shut down a polling place by careful use of their thumbnail. In sum, the use of seals, as it is being done now, is about cosmetics, not about security.
'Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis.'
Diebold owes the public a list of the third party security analyses that have found their system to be secure. None of the analyses I'm aware of drew positive conclusions. Certainly the redacted SAIC study, [ed note: The redacted SAIC report was originally posted here on Maryland's website, but has since been removed.] the Compuware study [PDF], and the Raba study [PDF] all found major flaws. I've spoken with authors of the Raba study who were livid about the way Diebold lobbied them during the writing of their report to soften the wording, and then misrepresented the results in their public relations campaign that followed. The SAIC study is still not available in unredacted form. Does this mean that it still documents weaknesses that have yet to be corrected?
'Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day.'
Indeed. I agree completely. They should feel secure. Or at least, that is what we owe them. I wish we could follow through on that promise."
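Dr. Jones's rebuttal on seals lays out a concrete procedure: inventory seal numbers when they are applied, record them again when they are inspected or broken, have auditors check those records, and disqualify any machine whose seal is found broken. The following is an added example of an audit routine that applies exactly those rules to a seal ledger; it is not code from any jurisdiction, from Diebold, or from any of the experts quoted on this page. The record layout, the machine serial numbers, the seal numbers and the officials' names are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SealApplied:
    machine: str   # machine serial number (constructed)
    seal: str      # number printed on the seal
    official: str  # who applied it


@dataclass(frozen=True)
class SealInspected:
    machine: str
    seal_observed: Optional[str]  # None if no seal is present at inspection
    intact: bool
    official: str


def audit_seals(applied: List[SealApplied],
                inspected: List[SealInspected]) -> Dict[str, str]:
    """Apply the rules from the rebuttal: every seal number is recorded when
    applied and again when inspected; a mismatched, missing or broken seal
    disqualifies the machine; a machine with no application record cannot be
    verified at all; a sealed machine nobody inspected is flagged too."""
    ledger: Dict[str, SealApplied] = {}
    verdicts: Dict[str, str] = {}
    for rec in applied:
        if rec.machine in ledger:
            verdicts[rec.machine] = (f"ledger error: sealed twice "
                                     f"({ledger[rec.machine].seal}, {rec.seal})")
        ledger[rec.machine] = rec
    for insp in inspected:
        if insp.machine in verdicts:
            continue  # a ledger error already stands for this machine
        if insp.machine not in ledger:
            verdicts[insp.machine] = "unverifiable: no seal recorded at application"
        elif insp.seal_observed is None:
            verdicts[insp.machine] = "disqualified: seal missing"
        elif insp.seal_observed != ledger[insp.machine].seal:
            # A different number means the original seal was removed and replaced.
            verdicts[insp.machine] = (f"disqualified: seal {insp.seal_observed} does not "
                                      f"match ledger entry {ledger[insp.machine].seal}")
        elif not insp.intact:
            verdicts[insp.machine] = "disqualified: seal broken"
        else:
            verdicts[insp.machine] = "ok"
    for machine in ledger:
        verdicts.setdefault(machine, "uninspected: no inspection record")
    return verdicts


def disqualified_machines(verdicts: Dict[str, str]) -> List[str]:
    """Machines that must not be used until re-examined."""
    return sorted(m for m, v in verdicts.items() if v.startswith("disqualified"))


# Constructed ledger: five machines sealed by one clerk, then inspected on
# election morning by a precinct judge.
APPLIED = [SealApplied(f"TS-100{i}", f"S-447{i}", "Clerk A") for i in range(1, 6)]
INSPECTED = [
    SealInspected("TS-1001", "S-4471", True, "Judge B"),   # matches, intact
    SealInspected("TS-1002", "S-4472", False, "Judge B"),  # number matches, seal broken
    SealInspected("TS-1003", "S-9901", True, "Judge B"),   # intact but a different seal
    SealInspected("TS-1004", None, True, "Judge B"),       # no seal present
    SealInspected("TS-1006", "S-4476", True, "Judge B"),   # never recorded at application
]

if __name__ == "__main__":
    for machine, verdict in sorted(audit_seals(APPLIED, INSPECTED).items()):
        print(f"{machine}: {verdict}")
```

The two records are deliberately separate: the application record is made before the machine leaves custody and the inspection record at the polling place, so the audit compares what two different officials wrote down rather than trusting either one alone. A seal whose number is never written down at application cannot be audited at all, which is the state of affairs the rebuttal describes as cosmetics rather than security.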