May 17, 2006
This article was contributed by Jake Edge.
It would seem obvious that protecting the integrity of election
results would be the paramount goal of a company that provides voting
equipment, but a recent
report (PDF)
indicates otherwise.
BlackBoxVoting.org released
a report by Harri Hursti last week that documents extremely serious flaws
in the design of touchscreen voting terminals from Diebold Election Systems
that could lead to an unscrupulous person or organization having complete
control of the software on those systems.
An attacker with physical access to the voting terminal can permanently
change the programming of a terminal in a way that is difficult or
impossible to detect. With a PCMCIA memory card, a Phillips-head screwdriver,
and 5 minutes of time, any portion of the
software that runs on the terminal can be modified. It is not just the
voting application that can be replaced; the operating system
and even the bootloader can also be changed via this mechanism.
No tamper resistance or detection mechanisms are included in the
terminal hardware, making it impossible to tell whether it was opened
to access the PCMCIA slot. There is no cryptographic or other
authentication of the code that is to be loaded, just some very simple
integrity checking (checksum or CRC presumably) of the binary.
Evidently, Diebold decided to make field upgrades simpler at the cost of
providing little to no protection against abuse.
It is well understood by security experts that preventing physical access
to computers is the first step in securing them. Unfortunately, election
officials and polling place workers are not typically security experts and
the access to the terminals is not strictly limited. In fact, they are
regularly taken to polling places (schools, churches, etc.) or to the homes
of polling place supervisors several days in advance of an election. In
addition, because the bootloader code can be modified, a clever attacker
could install code that survived any number of software upgrades, waiting
to be activated at the proper time. Diebold even conveniently provides an
external switch, accessible to a voter, that could be used to trigger the
dormant code.
This is not the first time that Diebold security has been
found to be woefully
inadequate and, once again, the company does not seem to understand the
problem. A spokesman for Diebold, David Bear, had this to say:
For there to be a problem here, you're basically assuming a premise
where you have some evil and nefarious election officials who would sneak
in and introduce a piece of software. I don't believe these evil elections
people exist.
Bear tries to deflect the criticism by claiming that it is only election
officials who could make these changes, but there are actually a huge
number of ways that it could happen. Simply showing up at the county
clerk's office in an official-looking Diebold uniform would probably be
enough to get access to the machines in many areas.
Unfortunately, it is not just Diebold that misses the implications of this
kind of threat; various election officials, many of whom spent a great deal
of taxpayer money buying Diebold voting equipment, also downplay the threat.
Several elections, including a primary last Tuesday in Pennsylvania, are going
on as scheduled using the equipment, seemingly without any concern that
the terminals could have been tampered with.
For the most part, this is a hardware problem: the Diebold terminals
were not designed to be tamper-proof; instead, they were designed to be
easy to access. This is something for the various advocates of other
voting technologies, including open
source voting, to consider. Having the source code to the binary that
is supposed to be installed is not sufficient; there needs to be some
way to ensure that it is the software that is currently running. A way
to resist tampering with the hardware and a way to detect attempts to tamper
with the hardware are also mandatory for any voting system.
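The report's observation that the terminal performs only a checksum-style check on the code it loads, and the point above that knowing what software should be installed is not the same as knowing what is running, both come down to the difference between an integrity check and an authentication check. The following is example code added to this article to illustrate that difference; it is not taken from the Hursti report or from any Diebold software, and the image format, the payloads and the device key are constructed stand-ins. It runs the same genuine and modified image through a CRC32-only loader check and through a keyed (HMAC-SHA256) loader check and reports which gate accepts which image.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed example values: a stand-in "firmware image" and a hypothetical
# per-device verification key. Nothing here comes from a real terminal.
GENUINE_PAYLOAD = b"constructed voting application image v1.0"
TAMPERED_PAYLOAD = b"constructed voting application image v1.0 + unauthorized change"
DEVICE_KEY = b"hypothetical-per-device-verification-key"


def make_crc_image(payload: bytes) -> bytes:
    """Integrity-only format: payload followed by a big-endian CRC32 trailer."""
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def crc_gate_accepts(image: bytes) -> bool:
    """Loader check that only confirms the image is internally consistent.

    Whoever writes the payload also writes the trailer, so this catches
    accidental corruption (a bad flash write, a damaged card) but says
    nothing about who produced the image.
    """
    if len(image) < 4:
        return False
    payload, trailer = image[:-4], image[-4:]
    return (zlib.crc32(payload) & 0xFFFFFFFF) == struct.unpack(">I", trailer)[0]


def make_authenticated_image(payload: bytes, key: bytes) -> bytes:
    """Authenticated format: payload followed by a 32-byte HMAC-SHA256 tag
    that only the holder of the key (the legitimate build process) can make."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def auth_gate_accepts(image: bytes, key: bytes) -> bool:
    """Loader check that binds the image to a key the image writer lacks.

    The tag comparison is constant-time so the check itself does not leak
    how many bytes of a guessed tag were correct.
    """
    if len(image) < 32:
        return False
    payload, tag = image[:-32], image[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def run_comparison() -> dict:
    """Run a genuine and a modified image through both gates."""
    genuine_crc = make_crc_image(GENUINE_PAYLOAD)
    genuine_auth = make_authenticated_image(GENUINE_PAYLOAD, DEVICE_KEY)

    # A replaced image in the CRC format is simply a new payload with the
    # trailer the format requires; the gate has nothing else to compare.
    tampered_crc = make_crc_image(TAMPERED_PAYLOAD)
    # A replaced image in the authenticated format, made without the key:
    # the only available tag is the one copied from the genuine image.
    tampered_auth = TAMPERED_PAYLOAD + genuine_auth[-32:]

    return {
        "crc_accepts_genuine": crc_gate_accepts(genuine_crc),
        "crc_accepts_tampered": crc_gate_accepts(tampered_crc),
        "auth_accepts_genuine": auth_gate_accepts(genuine_auth, DEVICE_KEY),
        "auth_accepts_tampered": auth_gate_accepts(tampered_auth, DEVICE_KEY),
    }


if __name__ == "__main__":
    for check, result in run_comparison().items():
        print(f"{check}: {result}")
```

A keyed MAC is used here only because it is the shortest way to show the distinction with the standard library. A fielded system would use a public-key signature so that the terminal stores no secret at all, only the vendor's public key. Two caveats matter for the situation the report describes: the authentication check protects nothing if the bootloader that performs it can itself be rewritten from the PCMCIA slot, so the verifying code and the trusted key must live somewhere that path cannot reach (a read-only or tamper-resistant root of trust), and a load-time check still does not tell an election official what is running later, which is why the article also calls for tamper detection and a voter-verifiable paper trail.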
There seems to be a great deal of resistance to the idea of having a paper
trail that can be verified by the voter as a backup system, at least from
the voting equipment vendors, but this would seem to be the most sensible
check on the proper functioning of the equipment. It still provides the
instant gratification of vote counts that seem to be required, but also
allows for an auditable recount should one be necessary.
The lackadaisical
approach to security and the resistance to an auditable paper trail might
lead a cynical person to believe that those in power like things exactly
as they are.