Yesterday I wrote about a terribly weak security protocol in the Diebold AccuVote-TS system (at least as it existed in 2002), as reported in a talk by Dan Wallach. That wasn’t the only broken Diebold protocol Dan discussed. Here’s another one which may be even scarier.
The Diebold system allows a polling place administrator to use a smartcard to control a voting machine, performing operations such as closing the polls for the day. The administrator gets a special administrator smartcard (a credit-card-sized computing device) and puts it into the voting machine. The machine uses a special protocol to validate the card, and then accepts commands from the administrator.
This is a decent plan, but Diebold botched the design of the protocol. Here’s the protocol they use:
terminal to card: “What kind of card are you?”
card to terminal: “Administrator”
terminal to card: “What’s the password?”
card to terminal: [Value1]
terminal to user: “What’s the password?”
user to terminal: [Value2]If Value1=Value2, then the terminal allows the user to execute administrative commands.
Like yesterday’s protocol, this one fails because malicious users can make their own smartcard. (Smartcard kits cost less than $50.) Suppose Zeke is a malicious voter. He makes a smartcard that answers “Administrator” to the first question and (say) “1234” to the second question. He shows up to vote, signs in, goes into the voting booth, and inserts his malicious smartcard. The malicious smartcard tells the machine that the secret password is 1234; when the machine asks Zeke himself for the secret password, he enters 1234. The machine will then execute any administrative command Zeke wants to give it.
For example, he can tell the machine that the election is over.
This system was apparently used in the Georgia 2002 election. Has Diebold fixed this problem, or the one I described yesterday? We don’t know.
UPDATE (1:30 PM): Just to be clear, telling a machine that the election is over is harmful because it puts the machine in a mode where it won’t accept any votes. Getting the machine back into vote-accepting mode, without zeroing the vote counts, will likely require a visit from a technician, which could keep the voting machine offline for a significant period. (If there are other machines at the same precinct, they could be targeted too.) This attack could affect an election result if it is targeted at a precinct or a time of day in which votes are expected to favor a particular candidate.
Agent White: You’re probably thinking of one specific type of smartcard that has the limitations you describe. Smartcards in general can be programmed to do whatever one wants them to do.
More on E-Voting
To follow up on yesterday’s e-voting post:
Ed Felten at Freedom
to Tinker has some posts on problems with e-voting,
especially concering protocol
design.
I used the Indian electronic voting machine about 5 months ago during the national elections. There’s no software, its all firmware and the general public can download the firmware programming to determine impartiality.
Diebold,IMHO, is way too complicated for a simple thing like voting.
These two posts are so amazing that I was moved to Photoshop:
http://www.vastlyimportant.com/vastly/2004/10/whats_taking_so.html
I don’t like the sound of this at all. I would prefer hanging chads any day over the potential for corruption here. I have a feeling this election is going to be a mess. It certainly won’t stop me from voting but I don’t have a good feeling about this.
Agent White, smart cards send whatever they are programmed to send. Some carry digital certificates, some carry plain ASCII. Some are encrypted, some aren’t. Some do extensive checking of the data they are sent, some just say “Here I am!”. There is _nothing_ inherently secure about a smart card. Just look into DirecTV’s dismal history if you don’t believe me. It is entirely up to the developer to design a “secure” system.
There is absolutely nothing about smart cards, per se, that prevents them from working exactly as described in the article.
the pin doesn’t matter. if the user creates their own card they’ll of course know the pin. and the pin/password is not the weak point of this description.
the weak point is that there’s no secure check on the contents of the card itself to validate it as a real admin card. it would seem from this description that the software assumes that something calling itself an admin card is actually an admin card.
Yet Another Flaw found in the Diebold Electronic Voting Machines
Freedom to Tinker: Another Broken Diebold Protocol The Diebold voting machines are so ridiculously insecure. To even use the word “secure” when discussing them is difficult without a grin or a grimace, and still, they will be used in elections…
Got to admit I was thinking where’s the encryption. Just because the pin’s on the card doesn’t mean you can easily make your own. ATM cards have the pin on stored them, they still need account numbers and accounts to work.
This is complete bullshit. Anyone that knows how smartcards work can tell you this.
Smartcards can’t send data prior to the digital certificate being unencrypted by the user’s PIN.
They don’t send passwords, they send digital certificates. Anyone who reads this and believes this, do your homework and you’ll see how this cannot be true.
Wow.
Thanks for posting these; most people don’t realise just *how* broken the Diebold design is.
to be honest, I think a more effective attack in terms of destroying votes, would be to turn up to “vote” just before polls close, attack the locks, remove the PCMCIA card recording the votes, and make off with it. In 2003, those locks used the same key for all machines at any given polling station.
also, the Raba Technologies testing team said that they could remotely dial in to voting terminals and gain administrative control. I wonder if that’s been fixed…
There’s other things you can do in administrator mode… you can print out a results tape (totals for races on that machine… this is noisy and the printer might not print with the printer door closed) you can also transfer the votes from one PCMCIA flash card to another one (after ending the election and setting the station in accumulator mode).
Ending the election on a machine is definitely a bid deal though… presumably, this tells the software to tell the PCMCIA card to not allow any further votes cast. These PCMCIA cards are not the kind of thing included with voting materials for a precinct… a technician (preferably from the county) would have to bring another one out (and do anything that would be required of the machine to get it back up and running… including a logic and accuracy test).