Dan Wallach from Rice University was here on Monday and gave a talk on e-voting. One of the examples in his talk was interesting enough that I thought I would share it with you, both as an introductory example of how security analysts think, and as an illustration of how badly Diebold botched the design of their voting system.
One of the problems in voting system design is making sure that each voter who signs in is allowed to vote only once. In the Diebold AccuVote-TS system, this is done using smartcards. (Smartcards are the size and shape of credit cards, but they have tiny computers inside.) After signing in, a voter would be given a smartcard – the “voter card” – that had been activated by a poll worker. The voter would slide the voter card into a voting machine. The voting machine would let the voter cast one vote, and would then cause the voter card to deactivate itself so that the voter couldn’t vote again. The voter would return the deactivated voter card after leaving the voting booth.
This sounds like a decent plan, but Diebold botched the design of the protocol that the voting terminal used to talk to the voter card. The protocol involved a series of six messages, as follows:
terminal to card: “My password is [8 byte value]”
card to terminal: “Okay”
terminal to card: “Are you a valid card?”
card to terminal: “Yes.”
terminal to card: “Please deactivate yourself.”
card to terminal: “Okay.”
Can you spot the problem here? (Hint: anybody can make their own smartcard that sends whatever messages they like.)
As most of you probably noticed – and Diebold’s engineers apparently did not – the smartcard doesn’t actually do anything surprising in this protocol. Anybody can make a smartcard that sends the three messages “Okay; Yes; Okay” and use it to cast an extra vote. (Do-it-yourself smartcard kits cost less than $50.)
Indeed, anybody can make a smartcard that sends the three-message sequence “Okay; Yes; Okay” over and over, and can thereby vote as many times as desired, at least until a poll worker asks why the voter is spending so long in the booth.
One problem with the Diebold protocol is that rather than asking the card to prove that it is valid, the terminal simply asks the card whether it is valid, and accepts whatever answer the card gives. If a man calls you on the phone and says he is me, you can’t just ask him “Are you really Ed Felten?” and accept the answer at face value. But that’s the equivalent of what Diebold is doing here.
This system was apparently used in a real election in Georgia in 2002. Yikes.
More on E-Voting
To follow up on yesterday’s e-voting post:
Ed Felten at Freedom
to Tinker has some posts on problems with e-voting,
especially concering protocol
design.
These two posts are so amazing that I was moved to Photoshop:
http://www.vastlyimportant.com/vastly/2004/10/whats_taking_so.html
Another Broken Diebold Protocol
Yesterday I wrote about a terribly weak security protocol in the Diebold AccuVote-TS system (at least as it existed in 2002), as reported in a talk by Dan Wallach. That wasn’t the only broken Diebold protocol Dan discussed. Here’s another one which may…
smart cards are used in other systems… notably, the Diebold AccuVote-TSx, AVS WinVote, the Avante Votetrakker (EVC-308SPR) and the Sequoia AVC Edge (used almost as much as the TS).
Avi noted in his experience as a poll worker that the total number of people that enter a precinct is routinely compared with the total votes across machines (in Maryland) with the AccuVote-TS. Presumably, if someone came in with a vote-many card (in the third to last paragraph in your post above) and voted many times on one machine right after one of these checks, it wouldn’t be detected until the next such check – an hour later.
What would happen next? That machine would be taken out of service. I can imagine that the raw vote data (ballot images or vote vectors) would then be examined… I’m not sure if they could tell which votes were suspect (if a large number of identical votes were cast, they could be suspect). However, getting rid of any votes afterwards would risk disenfranchising the number of votes invalidated.
We’re in real trouble here… as Cindy Cohn said last night, “Pray for a landslide.” (It’s much harder to fudge large numbers of votes)