Archives for September 2006

Security Analysis of the Diebold AccuVote-TS Voting Machine

Today, Ari Feldman, Alex Halderman, and I released a paper on the security of e-voting technology. The paper is accompanied by a ten-minute video that demonstrates some of the vulnerabilities and attacks we discuss. Here is the paper’s abstract:

Security Analysis of the Diebold AccuVote-TS Voting Machine

Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
Princeton University

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities – a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.

9/11

Five years ago this morning I was in a hotel room in Minneapolis, getting dressed. I flipped on the TV and saw smoke streaming from a skyscraper. Nobody knew yet what it meant.

My plan had been to meet a colleague in the lobby and walk over to our meeting. Everybody in the lobby area was watching the big-screen TV in the bar. It’s there that I saw the second plane hit.

There was nothing to do but go to the meeting. Not much got accomplished and we all spent much of the day in my hosts’ conference room watching a projected image of CNN. Much later I visited the same room and found a big painting of a firefighter hanging near where I had stood that day.

My wife and I had just moved to Palo Alto, California for a sabbatical year. The attacks affected folks in Palo Alto and Princeton quite differently. In Palo Alto, it happened during breakfast. Families were together; many learned of the attacks by phone from East Coast friends and relatives, and spent the morning watching together. In Princeton, adults were at work and kids at school; most kids learned of the attacks from parents who had had a few hours to think about what to say. In Princeton, the horrible question was: Who do we know who works There? Many people commute from Princeton to New York. The social network buzzed. Exactly where does M work? Exactly which train does he ride?

We didn’t lose any close friends, but at least two people I knew died. Later, reading the 9/11 report, I learned that one of them had been killed horribly by the hijackers to intimidate the other passengers. Several people we know were scarred. One man, who had been staying in a hotel across the street from the Trade Center, was haunted by images of falling bodies. A new doctor who had emergency duty at a Lower Manhattan hospital sent an email that I wish you could read.

As for myself, I was stuck in Minneapolis. As the week went on with no definite date of departure, we extended our meetings, trying to put our time to use. The hotel quickly emptied, as cancellations flooded in and those who could get home bolted. The few remaining guests bonded with the staff. One morning in the coffee shop, I was the only customer. The waitress sat down at my table and we had a long talk about what it all meant. I visit that hotel occasionally, and it still feels different to me than every other hotel in the world.

Eventually the airports reopened and I was on one of the first flights out of Minneapolis. The security screeners were jittery and ultra-vigilant, but also polite. I was disconcerted to note that nobody ever checked my ID that morning. When I mentioned this to the flight attendant, she quietly told me not to bring it up again.

I was happy to be at home and looked forward to some quiet time. Little did I know that I was about to be called to Washington for the final settlement talks in the Microsoft antitrust case. A month working in a DOJ building, in immediate post-9/11, post-anthrax Washington, is an experience not soon forgotten. Perhaps I’ll write about that next year.

E-Voting, Up Close

Recently the Election Science Institute released a fascinating report on real experience with e-voting technologies in a May 2006 primary election in Cuyahoga County, Ohio (which includes Cleveland). The report digs beneath the too-frequent platitudes of the e-voting debates, to see how voters, poll workers and officials actually use the technology, what really goes wrong in practice, and how well records are kept. The results are sobering.

Cuyahoga County deserves huge credit for allowing this study. Too often, voting officials try to avoid finding problems, rather than avoiding having problems. It takes courage to open one’s own processes to this kind of scrutiny, but it is the best way to improve. Cuyahoga County has done us all a service.

The election used Diebold electronic voting systems with Diebold’s add-on voter verified paper trail (VVPT) facility. One of the most widely discussed parts of the report describes ESI’s attempt to reconcile the VVPT with the electronic records kept by the voting machines. In about 10% of the machines, the paper record was spoiled: the paper roll was totally blank, or scrunched and smeared beyond reconstruction, or broken and taped back together, or otherwise obviously wrong. Had the election required a recount, this could have been a disaster – roughly 10% of the votes would not have been backed by a useful paper record, and Ohio election law says the paper record is the official ballot.

What does this teach us? First, the design of this particular VVPT mechanism needs work. It’s not that hard to make a printer that works more than 90% of the time. Printer malfunctions can never be eliminated completely, but they must be made very rare.

Second, we need to remember why we wanted to augment electronic records with a VVPT in the first place. It’s not that paper records are always more reliable than electronic records. The real reason we want to use them together is that paper and electronic recordkeeping systems have different failure modes, so that the two used together can be more secure than either used alone. In a well-designed system, an adversary who wants to create fraudulent ballots must launch two very different attacks, against the paper and electronic systems, and must synchronize them so that the fraudulent records end up consistent.

Third, this result illustrates why it’s important to audit some random subset of precincts or voting machines as a routine post-election procedure. Regular integrity-checking will help us detect problems, whether they’re caused by glitches or malicious attacks.
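To make the second and third points concrete, here is an added example (written for this post, not code from the ESI report or from Cuyahoga County) of the kind of reconciliation and audit-selection step the report describes. It takes per-machine electronic tallies and hand counts from the paper rolls, refuses to treat a spoiled roll as a silent match, reports the fraction of machines whose paper record is unusable, and draws a random audit sample from a seed that would, in practice, be generated in public after the polls close. The machine IDs, candidate names, vote counts and paper-status labels are all constructed for illustration.

```python
"""Reconcile voter-verified paper trail (VVPT) counts against electronic
tallies and draw a random post-election audit sample.

Added example for this post, not code from the ESI report or Cuyahoga County.
Every record below is constructed; machine IDs and vote counts are made up.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class MachineRecord:
    machine_id: str
    electronic: dict            # candidate -> votes in the machine's electronic tally
    paper: Optional[dict]       # candidate -> votes hand-counted from the paper roll
    paper_status: str = "ok"    # "ok" | "blank" | "damaged" | "taped" (constructed labels)


def reconcile(rec: MachineRecord):
    """Classify one machine as 'unusable', 'match' or 'mismatch'.

    A spoiled roll (blank, smeared, or broken and taped) cannot back a recount,
    so it is reported as unusable rather than silently treated as a match.
    For a readable roll, the detail is {candidate: paper - electronic} for
    every candidate whose two counts differ.
    """
    if rec.paper is None or rec.paper_status != "ok":
        return "unusable", {"reason": rec.paper_status}
    candidates = set(rec.electronic) | set(rec.paper)
    diffs = {c: rec.paper.get(c, 0) - rec.electronic.get(c, 0) for c in candidates}
    diffs = {c: d for c, d in diffs.items() if d != 0}
    if diffs:
        return "mismatch", diffs
    return "match", {}


def summarize(records):
    """Aggregate reconcile() over all machines.

    Returns the count per status, the fraction of machines whose paper record
    is unusable, and the per-machine differences for every mismatch.
    """
    counts = {"match": 0, "mismatch": 0, "unusable": 0}
    mismatches = {}
    for rec in records:
        status, detail = reconcile(rec)
        counts[status] += 1
        if status == "mismatch":
            mismatches[rec.machine_id] = detail
    total = len(records)
    return {
        "counts": counts,
        "unusable_fraction": counts["unusable"] / total if total else 0.0,
        "mismatches": mismatches,
    }


def audit_sample(records, k, seed_material: bytes):
    """Choose k machine IDs for a routine hand audit.

    The seed is derived from seed_material, which in practice would be something
    generated publicly after the polls close (for example, announced dice rolls)
    so the selection is reproducible by observers and not predictable by an
    attacker beforehand. IDs are sorted first so the choice does not depend on
    the order in which records happened to arrive.
    """
    if k > len(records):
        raise ValueError("cannot audit more machines than exist")
    seed = int.from_bytes(hashlib.sha256(seed_material).digest()[:8], "big")
    rng = random.Random(seed)
    ids = sorted(r.machine_id for r in records)
    return sorted(rng.sample(ids, k))


# Constructed records: six machines, two of which have a spoiled paper roll
# and one of which shows a two-vote discrepancy for candidate A.
SAMPLE_RECORDS = [
    MachineRecord("M-101", {"A": 120, "B": 98}, {"A": 120, "B": 98}),
    MachineRecord("M-102", {"A": 77, "B": 104}, {"A": 77, "B": 104}),
    MachineRecord("M-103", {"A": 91, "B": 88}, None, "blank"),
    MachineRecord("M-104", {"A": 150, "B": 60}, {"A": 148, "B": 60}),
    MachineRecord("M-105", {"A": 66, "B": 70}, {"A": 66, "B": 70}, "taped"),
    MachineRecord("M-106", {"A": 40, "B": 41}, {"A": 40, "B": 41}),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    print(audit_sample(SAMPLE_RECORDS, 2, b"public dice rolls: 4 6 2 5 1 3"))
```

The point of the `unusable` status is the one the report makes: a blank or taped roll is not "no discrepancy", it is a machine whose official ballot record is missing, and it should be counted and reported as such before anyone decides whether a recount is even possible. The seeded selection in `audit_sample` is a stand-in for whatever public randomness procedure a jurisdiction adopts; the property that matters is that observers can reproduce the draw and nobody could know it in advance.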

There’s much more in the ESI report, including a summary of voting machine problems (power failures, inability to boot, broken security seals, etc.) reported from polling places, and some pretty pointed criticism of the county’s procedural laxity. The best system is one that can tolerate these kinds of problems, learn from them, and do a better job next time.

Lost Comments

Yesterday somebody defaced this site. This trashed the database that backs the site, so we had to restore it from a backup. Everything seems to be back to normal, except that any comments submitted after the backup (about two days ago) were lost. Sorry for the inconvenience.