November 24, 2024

Posts Comments

Archives for 2007

More California E-Voting Reports Released; More Bad News

August 3, 2007 by

Yesterday the California Secretary of State released the reports of three source code study teams that analyzed the source code of e-voting systems from Diebold, Hart InterCivic, and Sequoia.

All three reports found many serious vulnerabilities. It seems likely that computer viruses could be constructed that could infect any of the three systems, spread between voting machines, and steal votes on the infected machines. All three systems use central tabulators (machines at election headquarters that accumulate ballots and report election results) that can be penetrated without great effort.

It’s hard to convey the magnitude of the problems in a short blog post. You really have read through the reports – the shortest one is 78 pages – to appreciate the sheer volume and diversity of severe vulnerabilities.

It is interesting (at least to me as a computer security guy) to see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities. They store votes in a way that compromises the secret ballot.

Some of these are problems that the vendors claimed to have fixed years ago. For example, Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was “resolved in subsequent versions of the software”. Yet the current version still uses at least two hard-coded passwords – one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).

Similarly, Diebold in 2003 ridiculed (p. 6) the idea that their software could suffer from buffer overflows: “Unlike a Web server or other Internet enabled applications, the code is not vulnerable to most ‘buffer overflow attacks’ to which the authors [Kohno et al.] refer. This form of attack is almost entirely inapplicable to our application. In the limited number of cases in which it would apply, we have taken the steps necessary to ensure correctness.” Yet the California source code study found several buffer overflow vulnerabilities in Diebold’s systems (e.g., issues 5.1.6, 5.2.3 (“multiple buffer overflows”), and 5.2.18 in the report).

As far as I can tell, major news outlets haven’t taken much notice of these reports. That in itself may be the most eloquent commentary on the state of e-voting: reports of huge security holes in e-voting systems are barely even newsworthy any more.

Filed Under: Other Topics, Privacy & Security Tagged With: ,

Where are the California E-Voting Reports?

August 1, 2007 by

I wrote Monday about the California Secretary of State’s partial release of report from the state’s e-voting study. Four subteams submitted reports to the Secretary, but as yet only the “red team” and accessibility teams’ reports have been released. The other two sets of reports, from the source code review and documentation review teams, are still being withheld.

The Secretary even held a public hearing on Monday about the study, without having released all of the reports. This has led to a certain amount of confusion, as many press reports and editorials (e.g. the Mercury News editorial) about the study seem to assume that the full evaluation results have been reported. The vendors and some county election officials have encouraged this misimpression – some have even criticized the study for failing to consider issues that are almost certainly addressed in the missing reports.

With the Secretary having until Friday to decide whether to decertify any e-voting systems for the February 2008 primary election, the obvious question arises: Why is the Secretary withholding the other reports?

Here’s the official explanation, from the Secretary’s site:

The document review teams and source code review teams submitted their reports on schedule. Their reports will be posted as soon as the Secretary of State ensures the reports do not inadvertently disclose security-sensitive information.

This explanation is hard to credit. The study teams were already tasked to separate their reports into a public body and a private appendix, with sensitive exploit-oriented details put in the private appendix that would go only to the Secretary and the affected vendor. Surely the study teams are much better qualified to determine the security implications of releasing a particular detail than the lawyers in the Secretary’s office are.

More likely, the Secretary is worried about the political implications of releasing the reports. Given this, it seems likely that the withheld reports are even more damning than the ones released so far.

If the red team reports, which reported multiple vulnerabilities of the most serious kind, are the good news, how bad must the bad news be?

UPDATE (2:45 PM EDT, August 2): The source code review reports are now up on the Secretary of State’s site. They’re voluminous so I won’t be commenting on them immediately. I’ll post my reactions tomorrow.

Filed Under: Other Topics, Privacy & Security Tagged With: ,

California Study: Voting Machines Vulnerable; Worse to Come?

July 30, 2007 by

A major study of three e-voting systems, commissioned by the California Secretary of State’s office, reported Friday that all three had multiple serious vulnerabilities.

The study examined systems from Diebold, Hart InterCivic, and Sequoia; each system included a touch-screen machine, an optical-scan machine, and the associated backend control and tabulation machine. Each system was studied by three teams: a “red team” did a hands-on study of the machines, a “source code team” examined the software source code for the system, and a “documentation team” examined documents associated with the system and its certification. (An additional team studied the accessibility of the three systems – an important topic but beyond the scope of this post.)

(I did not participate in the study. An early press release from the state listed me as a participant but that was premature. I ultimately had to withdraw before the study began, due to a scheduling issue.)

So far only the red team (and accessibility) reports have been released, which makes one wonder what is in the remaining reports. Here are the reports so far:

The bottom-line paragraph from the red team overview says this (section 6.4):

The red teams demonstrated that the security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results.

The red teams all reported having inadequate time to fully plumb the systems’ vulnerabilities (section 4.0):

The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a “lower bound”; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities. In particular, Abbott’s team [which studied the Diebold and Hart systems] reported that it believed it was close to finding several other problems, but stopped in order to prepare and deliver the required reports on time. These unexplored avenues are presented in the reports, so that others may pursue them. Vigna’s and Kemmerer’s team [which studied the Sequoia system] also reported that they were confident further testing would reveal additional security issues.

Despite the limited time, the teams found ways to breach the physical security of all three systems using only “ordinary objects” (presumably paper clips, coins, pencil erasers, and the like); they found ways to modify or overwrite the basic control software in all three voting machines; and they were able to penetrate the backend tabulator system and manipulate election records.

The source code and documentation studies have not yet been released. To my knowledge, the state has not given a reason for the delay in releasing these reports.

The California Secretary of State reportedly has until Friday to decide whether to allow these systems to be used in the state’s February 2008 primary election.

[UPDATE: A public hearing on the study is being webcast live at 10:00 AM Pacific today.]

Filed Under: Other Topics, Privacy & Security Tagged With: ,

DRM for Chargers: Possibly Good for Users

July 26, 2007 by

Apple has filed a patent application on a technology for tethering rechargeable devices (like iPods) to particular chargers. The idea is that the device will only allow its batteries to be recharged if it is connected to an authorized charger.

Whether this is good for consumers depends on how a device comes to be authorized. If “authorized” just means “sold or licensed by Apple” then consumers won’t benefit – the only effect will be to give Apple control of the aftermarket for replacement chargers.

But if the iPod’s owner decides which chargers are authorized, then this might be a useful anti-theft measure – there’s little point in stealing an iPod if you won’t be able to recharge it.

How might this work? One possibility is that when the device is plugged in to a charger it hasn’t seen before, it makes a noise and prompts the user to enter a password on the iPod’s screen. If the correct password is entered, the device will allow itself to be recharged by that charger in the future. The device will become associated with a group of chargers over time.

Another possibility, mentioned in the patent, is that there could be a central registry of stolen iPods. When you synched your iPod with your computer, the computer would get a digitally signed statement from the registry, saying that your iPod was not listed as stolen. The computer would pass that signed statement on to the iPod. If the iPod went too long without seeing such a statement, it would demand that the user do a synch, or enter a password, before it would allow itself to be recharged.

How can we tell whether a DRM scheme like this is good for users. One sure-fire test is whether the user has the option of turning the scheme off. You don’t want a thief to be able to disable the scheme on a stolen iPod, but it’s safe to let the user disable the anti-theft feature the first time she syncs her new iPod, or later by entering a password.

We don’t know yet whether Apple will do this. But reading the patent, it looks to me like Apple has thought carefully about the legitimate anti-theft uses of this technology. That’s a good sign.

Filed Under: Uncategorized Tagged With: , ,

Why No Phoneless iPhone?

July 20, 2007 by

I know the iPhone is like so last week, but I want to ask one more question about it: why does Apple insist on users registering for an AT&T account? Officially at least, you have to agree to a two-year contract with AT&T cellular before you can activate your iPhone, even if you will never use it as a phone. (There are ways around this, but Apple seems to wish they didn’t exist.) Which is a shame, because the iPhone is a pretty nice WiFi-enabled portable computer that (to me at least) is less attractive because it’s tied to a two-year AT&T contract.

Of course AT&T is giving Apple a cut of its revenue from the contract. According to rumor, the cut is $3 per month for each user, or $11 per month for users who switch to AT&T from other carriers. Given that about half of iPhone customers switch from other carriers, that’s an average of $7 per month per user, or about $170 total over two years.

But that $170 doesn’t answer the question, because Apple could still sell a phoneless iPhone for, say, $800 while the AT&T iPhone costs $600. If you think Apple still comes out behind at $800, then feel free to pick a larger number. There must be some price point at which Apple is happy to sell a phoneless iPhone, right?

I can see only two reasons why it might be rational for Apple to refuse to offer such a product. It can’t be difficult technically – all they have to do is change the activation procedure so that it doesn’t require the user to sign up for an AT&T contract. But there are two possible reasons.

The first is that the market for a phoneless iPhone is too small, at the price point that they would have to offer. If hardly anyone would buy the device at $800, then it might not be worth the trouble to create another option in the product line. This seems unlikely.

The other reason – the only other possible reason, as far as I can tell – is that the mere existence of a phoneless iPhone makes the original iPhone much less attractive to customers, and that this effect is big enough to offset the extra revenue Apple could get by charging an even bigger premium for the phoneless version.

Why might this be? Maybe Apple thinks the iPhone will look less attractive if the value of the contract lock-in (and hence the cost of lock-in to the customer) is made obvious. Or maybe Apple wants to differentiate the iPhone from other phone handsets by making it the only handset that isn’t obviously subsidized by a carrier. Or maybe Apple is keeping a space in its product line open for a future product introduction. Apple and Steve Jobs are clever enough about these things that there must be some good reason.

Filed Under: Uncategorized Tagged With: