An attacker with physical access to the voting terminal can permanently change the programming of a terminal in a way that is difficult or impossible to detect. With a PCMCIA memory card, phillips-head screwdriver, and 5 minutes of time, any portion of the software that runs on the terminal can be modified. It is not just the voting application that can be replaced; the operating system and even the bootloader can also be changed via this mechanism.
No tamper resistance or detection mechanisms are included in the terminal hardware making it impossible to tell whether it was opened to access the PCMCIA slot. There is no cryptographic or other authentication of the code that is to be loaded, just some very simple integrity checking (checksum or CRC presumably) of the binary. Evidently, Diebold decided to make field upgrades simpler at the cost of providing little to no protection against abuse.
It is well understood by security experts that preventing physical access to computers is the first step in securing them. Unfortunately, election officials and polling place workers are not typically security experts and the access to the terminals is not strictly limited. In fact, they are regularly taken to polling places (schools, churches, etc.) or to the homes of polling place supervisors several days in advance of an election. In addition, because the bootloader code can be modified, a clever attacker could install code that survived any number of software upgrades, waiting to be activated at the proper time. Diebold even conveniently provides an external switch, accessible to a voter, that could be used to trigger the dormant code.
This is not the first time that Diebold security has been found to be woefully inadequate and, once again, the company does not seem to understand the problem. A spokesman for Diebold, David Bear, had this to say:
Bear tries to deflect the criticism by claiming that it is only election officials who could make these changes, but there are actually a huge number of ways that it could happen. Simply showing up at the county clerk's office in an official looking Diebold uniform would probably be enough to get access to the machines in many areas.
Unfortunately, it is not just Diebold that misses the implications of this kind of threat; various election officials, many of whom spent a great deal of taxpayer money buying Diebold voting equipment, also downplay the threat. Several elections, including a primary last Tuesday in Pennsylvania, are going on as scheduled using the equipment, seemingly without any concern that the terminals could have been tampered with.
For the most part, this is a hardware problem: the Diebold terminals were not designed to be tamper-proof, instead they were designed to be easy to access. This is something for the various advocates of other voting technologies, including open source voting, to consider. Having the source code to the binary that is supposed to be installed is not sufficient, there needs to be some way to ensure that it is the software that is currently running. Having a way to resist tampering with the hardware and to detect attempts to tamper with the hardware are also mandatory for any voting system.
There seems to be a great deal of resistance to the idea of having a paper trail that can be verified by the voter as a backup system, at least from the voting equipment vendors, but this would seem to be the most sensible check on the proper functioning of the equipment. It still provides the instant gratification of vote counts that seem to be required, but also allows for an auditable recount should one be necessary. The lackadaisical approach to security and the resistance to an auditable paper trail might lead a cynical person to believe that those in power like things exactly as they are.
|Created:||May 11, 2006||Updated:||May 17, 2006|
|Description:||There a bug involving Apache 1.3.35 and glib concerning wildcards in Include directives. If an Include statement is issued in an already included file, Apache can be caused to crash.|
|Package(s):||kernel||CVE #(s):||CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864|
|Created:||May 12, 2006||Updated:||July 13, 2006|
|Description:||Multiple vulnerabilities in the Linux have been found.
|Created:||May 15, 2006||Updated:||May 17, 2006|
|Description:||Several cross-site scripting vulnerabilities have been discovered in phpLDAPadmin, a web based interface for administering LDAP servers, that allows remote attackers to inject arbitrary web script or HTML.|
|Package(s):||quagga||CVE #(s):||CVE-2006-2223 CVE-2006-2224 CVE-2006-2276|
|Created:||May 15, 2006||Updated:||July 24, 2006|
|Description:||Paul Jakma discovered that Quagga's ripd daemon did not properly
handle authentication of RIPv1 requests. If the RIPv1 protocol had
been disabled, or authentication for RIPv2 had been enabled, ripd
still replied to RIPv1 requests, which could lead to information
Paul Jakma also noticed that ripd accepted unauthenticated RIPv1 response packets if RIPv2 was configured to require authentication and both protocols were allowed. A remote attacker could exploit this to inject arbitrary routes. (CVE-2006-2224)
Fredrik Widell discovered that Quagga did not properly handle certain invalid 'sh ip bgp' commands. By sending special commands to Quagga, a remote attacker with telnet access to the Quagga server could exploit this to trigger an endless loop in the daemon (Denial of Service). (CVE-2006-2276)
|Created:||May 16, 2006||Updated:||May 17, 2006|
|Description:||It was possible to bypass vnc authentication in version 4.1.1.|
|Created:||May 15, 2006||Updated:||May 17, 2006|
|Description:||David Maciejak noticed that webcalendar, a PHP-Based multi-user calendar, returns different error messages on login attempts for an invalid password and a non-existing user, allowing remote attackers to gain information about valid usernames.|
Page editor: Jonathan Corbet
Next page: Kernel development>>
Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds