Security

Diebold election insecurity systems

May 17, 2006

This article was contributed by Jake Edge.

It would seem obvious that protecting the integrity of election results would be the paramount goal of a company that provides voting equipment, but a recent report (PDF) indicates otherwise. BlackBoxVoting.org released a report by Harri Hursti last week that documents extremely serious flaws in the design of touchscreen voting terminals from Diebold Election Systems that could lead to an unscrupulous person or organization having complete control of the software on those systems.

An attacker with physical access to the voting terminal can permanently change the programming of a terminal in a way that is difficult or impossible to detect. With a PCMCIA memory card, a Phillips-head screwdriver, and 5 minutes of time, any portion of the software that runs on the terminal can be modified. It is not just the voting application that can be replaced; the operating system and even the bootloader can also be changed via this mechanism.

No tamper resistance or detection mechanisms are included in the terminal hardware, making it impossible to tell whether it was opened to access the PCMCIA slot. There is no cryptographic or other authentication of the code that is to be loaded, just some very simple integrity checking (a checksum or CRC, presumably) of the binary. Evidently, Diebold decided to make field upgrades simpler at the cost of providing little to no protection against abuse.
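The gap between the integrity check described above and actual authentication of the code, as an added example in Python (not code from the report, from Diebold, or from the terminal): a CRC-32 trailer catches accidental corruption but is recomputed by whoever replaces the payload, while a keyed MAC over the same image cannot be regenerated without the key. The image format, the key and the payloads are constructed for this demo; a real terminal would verify an asymmetric signature so that it stores only a public key and no secret.

```python
"""Why a checksum is not authentication: CRC-32 trailer versus keyed MAC.

Added example, not code from the report or from Diebold. The image layout,
the key and the payloads are all constructed for this demonstration.
"""
import hashlib
import hmac
import struct
import zlib

MAGIC = b"FW01"  # constructed image header

# Constructed demo key. A real device would hold a public key for signature
# verification instead, so that extracting the device yields no signing secret.
VERIFY_KEY = b"demo-verification-key-not-real"


def build_crc_image(payload: bytes) -> bytes:
    """Package payload with a CRC-32 trailer: the 'integrity only' scheme."""
    return MAGIC + payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def check_crc_image(image: bytes) -> bool:
    """Accept if the trailing CRC matches the payload.

    The check is keyless, so anyone who rewrites the payload can also
    rewrite the trailer; it only detects accidental corruption.
    """
    if not image.startswith(MAGIC) or len(image) < len(MAGIC) + 4:
        return False
    payload = image[len(MAGIC):-4]
    (crc,) = struct.unpack("<I", image[-4:])
    return (zlib.crc32(payload) & 0xFFFFFFFF) == crc


def build_mac_image(payload: bytes, key: bytes) -> bytes:
    """Package payload with an HMAC-SHA256 tag over header and payload."""
    tag = hmac.new(key, MAGIC + payload, hashlib.sha256).digest()
    return MAGIC + payload + tag


def check_mac_image(image: bytes, key: bytes) -> bool:
    """Accept only if the tag verifies under the key the loader trusts."""
    if not image.startswith(MAGIC) or len(image) < len(MAGIC) + 32:
        return False
    payload, tag = image[len(MAGIC):-32], image[-32:]
    expected = hmac.new(key, MAGIC + payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Run both loaders against a genuine image and a replaced payload."""
    genuine = b"ballot-software-v1"      # constructed payload
    replaced = b"ballot-software-other"  # constructed replacement payload

    crc_genuine = build_crc_image(genuine)
    crc_replaced = build_crc_image(replaced)  # trailer recomputed, no key needed
    corrupted = bytearray(crc_genuine)
    corrupted[6] ^= 0x01                      # single bit flip inside the payload

    mac_genuine = build_mac_image(genuine, VERIFY_KEY)
    # Replacement payload carrying the old tag: the only option without the key.
    mac_replaced = MAGIC + replaced + mac_genuine[-32:]

    return {
        "crc_accepts_genuine": check_crc_image(crc_genuine),
        "crc_detects_bit_flip": not check_crc_image(bytes(corrupted)),
        "crc_accepts_replaced": check_crc_image(crc_replaced),
        "mac_accepts_genuine": check_mac_image(mac_genuine, VERIFY_KEY),
        "mac_accepts_replaced": check_mac_image(mac_replaced, VERIFY_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The CRC loader accepts the replaced image because the trailer is a function of the payload alone; the MAC loader rejects it because the tag depends on a key the replacer does not have. Pairing the keyed check with tamper-evident hardware is what keeps the key (or the public key and the loader itself) from being swapped out by the same five-minute procedure.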

It is well understood by security experts that preventing physical access to computers is the first step in securing them. Unfortunately, election officials and polling place workers are not typically security experts, and access to the terminals is not strictly limited. In fact, they are regularly taken to polling places (schools, churches, etc.) or to the homes of polling place supervisors several days in advance of an election. In addition, because the bootloader code can be modified, a clever attacker could install code that survived any number of software upgrades, waiting to be activated at the proper time. Diebold even conveniently provides an external switch, accessible to a voter, that could be used to trigger the dormant code.

This is not the first time that Diebold security has been found to be woefully inadequate and, once again, the company does not seem to understand the problem. A spokesman for Diebold, David Bear, had this to say:

For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software. I don't believe these evil elections people exist.

Bear tries to deflect the criticism by claiming that it is only election officials who could make these changes, but there are actually a huge number of ways that it could happen. Simply showing up at the county clerk's office in an official-looking Diebold uniform would probably be enough to get access to the machines in many areas.

Unfortunately, it is not just Diebold that misses the implications of this kind of threat; various election officials, many of whom spent a great deal of taxpayer money buying Diebold voting equipment, also downplay the threat. Several elections, including a primary last Tuesday in Pennsylvania, are going on as scheduled using the equipment, seemingly without any concern that the terminals could have been tampered with.

For the most part, this is a hardware problem: the Diebold terminals were not designed to be tamper-proof; instead, they were designed to be easy to access. This is something for the various advocates of other voting technologies, including open source voting, to consider. Having the source code to the binary that is supposed to be installed is not sufficient; there needs to be some way to ensure that it is the software that is currently running. Ways to resist tampering with the hardware and to detect attempts at it are also mandatory for any voting system.

There seems to be a great deal of resistance to the idea of having a paper trail that can be verified by the voter as a backup system, at least from the voting equipment vendors, but this would seem to be the most sensible check on the proper functioning of the equipment. It still provides the instant gratification of vote counts that seem to be required, but also allows for an auditable recount should one be necessary. The lackadaisical approach to security and the resistance to an auditable paper trail might lead a cynical person to believe that those in power like things exactly as they are.


New vulnerabilities

apache: denial of service

Package(s): apache
CVE #(s):
Created: May 11, 2006
Updated: May 17, 2006
Description: There is a bug involving Apache 1.3.35 and glib concerning wildcards in Include directives. If an Include statement is issued in an already included file, Apache can be caused to crash.
Alerts:
Slackware SSA:2006-130-01 apache 2006-05-11


kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864
Created: May 12, 2006
Updated: July 13, 2006
Description: Multiple vulnerabilities in the Linux kernel have been found.
  • An error in the Stream Control Transmission Protocol (SCTP) code, which uses incorrect state table entries when certain ECNE chunks are received in the CLOSED state, could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • An error exists when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
  • A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions for a CIFS or SMBFS mounted filesystem.
Alerts:
Red Hat RHSA-2006:0580-01 kernel 2006-07-13
Red Hat RHSA-2006:0579-01 kernel 2006-07-13
Debian DSA-1103-1 kernel-source-2.6.8 2006-06-27
SuSE SUSE-SA:2006:028 kernel 2006-05-31
Red Hat RHSA-2006:0493-01 kernel 2006-05-24
Mandriva MDKSA-2006:086 kernel 2006-05-18
Trustix TSLSA-2006-0026 kernel 2006-05-12


phpldapadmin: cross-site scripting

Package(s): phpldapadmin
CVE #(s): CVE-2006-2016
Created: May 15, 2006
Updated: May 17, 2006
Description: Several cross-site scripting vulnerabilities have been discovered in phpLDAPadmin, a web-based interface for administering LDAP servers, that allow remote attackers to inject arbitrary web script or HTML.
Alerts:
Debian DSA-1057-1 phpldapadmin 2006-05-15


quagga: multiple vulnerabilities

Package(s): quagga
CVE #(s): CVE-2006-2223 CVE-2006-2224 CVE-2006-2276
Created: May 15, 2006
Updated: July 24, 2006
Description: Paul Jakma discovered that Quagga's ripd daemon did not properly handle authentication of RIPv1 requests. If the RIPv1 protocol had been disabled, or authentication for RIPv2 had been enabled, ripd still replied to RIPv1 requests, which could lead to information disclosure. (CVE-2006-2223)

Paul Jakma also noticed that ripd accepted unauthenticated RIPv1 response packets if RIPv2 was configured to require authentication and both protocols were allowed. A remote attacker could exploit this to inject arbitrary routes. (CVE-2006-2224)

Fredrik Widell discovered that Quagga did not properly handle certain invalid 'sh ip bgp' commands. By sending special commands to Quagga, a remote attacker with telnet access to the Quagga server could exploit this to trigger an endless loop in the daemon (Denial of Service). (CVE-2006-2276)

Alerts:
Fedora FEDORA-2006-845 quagga 2006-07-22
Fedora FEDORA-2006-843 quagga 2006-07-22
Red Hat RHSA-2006:0533-01 zebra 2006-06-01
Red Hat RHSA-2006:0525-01 quagga 2006-06-01
Gentoo 200605-15 quagga 2006-05-21
Debian DSA-1059-1 quagga 2006-05-19
Ubuntu USN-284-1 quagga 2006-05-15


vnc: authentication bypass

Package(s): vnc
CVE #(s):
Created: May 16, 2006
Updated: May 17, 2006
Description: It was possible to bypass VNC authentication in version 4.1.1.
Alerts:
Fedora FEDORA-2006-557 vnc 2006-05-16
Fedora FEDORA-2006-558 vnc 2006-05-16


webcalendar: information disclosure

Package(s): webcalendar
CVE #(s): CVE-2006-2247
Created: May 15, 2006
Updated: May 17, 2006
Description: David Maciejak noticed that webcalendar, a PHP-based multi-user calendar, returns different error messages on login attempts for an invalid password and a non-existing user, allowing remote attackers to gain information about valid usernames.
Alerts:
Debian DSA-1056-1 webcalendar 2006-05-15
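The username-enumeration pattern in the webcalendar entry, as an added example written in Python rather than webcalendar's own PHP (not the project's code): a login routine whose failure message depends on why the attempt failed, beside one that returns a single message, does the same hashing work whether or not the user exists, and compares hashes in constant time. The user table, salt, hashing parameters and messages are constructed for this demo.

```python
"""Login responses that reveal whether a username exists, and a fixed version.

Added example in Python; not webcalendar's code. The user store, the salt,
the PBKDF2 parameters and the message strings are constructed for this demo.
"""
import hashlib
import hmac

_SALT = b"demo-salt-16byte"        # constructed; real systems use a per-user random salt
_ITERATIONS = 50_000               # constructed, kept low so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; stands in for any slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, stored hash)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Hash checked for unknown users so that a missing account costs the same work
# as a present one; the result is never allowed to grant access (see below).
_DUMMY_HASH = _hash("placeholder-not-a-password", _SALT)


def login_leaky(username: str, password: str) -> str:
    """The pattern behind the webcalendar issue: the message says which check failed."""
    if username not in USERS:
        return "Unknown user"
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return "Invalid password"
    return "OK"


def login_fixed(username: str, password: str) -> str:
    """One failure message, equal hashing work, constant-time comparison."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # Both conditions are evaluated regardless of order of cost; the membership
    # test prevents the dummy hash from ever matching a real login.
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"


def leaks_usernames(login) -> bool:
    """True if the response text differs between 'no such user' and 'wrong password'."""
    return login("nobody", "wrong") != login("alice", "wrong")


if __name__ == "__main__":
    print("leaky distinguishes the two failures:", leaks_usernames(login_leaky))
    print("fixed distinguishes the two failures:", leaks_usernames(login_fixed))
```

The message text is the channel the advisory describes, but the same enumeration is possible through response time if the nonexistent-user path skips the password hash, which is why the fixed version hashes against a dummy value for unknown names and guards that path with an explicit membership check.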


Page editor: Jonathan Corbet


Copyright © 2006, Eklektix, Inc.