Dan Wallach from Rice University was here on Monday and gave a talk on e-voting. One of the examples in his talk was interesting enough that I thought I would share it with you, both as an introductory example of how security analysts think, and as an illustration of how badly Diebold botched the design of their voting system.
One of the problems in voting system design is making sure that each voter who signs in is allowed to vote only once. In the Diebold AccuVote-TS system, this is done using smartcards. (Smartcards are the size and shape of credit cards, but they have tiny computers inside.) After signing in, a voter would be given a smartcard – the “voter card” – that had been activated by a poll worker. The voter would slide the voter card into a voting machine. The voting machine would let the voter cast one vote, and would then cause the voter card to deactivate itself so that the voter couldn’t vote again. The voter would return the deactivated voter card after leaving the voting booth.
This sounds like a decent plan, but Diebold botched the design of the protocol that the voting terminal used to talk to the voter card. The protocol involved a series of six messages, as follows:
terminal to card: “My password is [8 byte value]”
card to terminal: “Okay”
terminal to card: “Are you a valid card?”
card to terminal: “Yes.”
terminal to card: “Please deactivate yourself.”
card to terminal: “Okay.”
Can you spot the problem here? (Hint: anybody can make their own smartcard that sends whatever messages they like.)
As most of you probably noticed – and Diebold’s engineers apparently did not – the smartcard doesn’t actually do anything surprising in this protocol. Anybody can make a smartcard that sends the three messages “Okay; Yes; Okay” and use it to cast an extra vote. (Do-it-yourself smartcard kits cost less than $50.)
Indeed, anybody can make a smartcard that sends the three-message sequence “Okay; Yes; Okay” over and over, and can thereby vote as many times as desired, at least until a poll worker asks why the voter is spending so long in the booth.
One problem with the Diebold protocol is that rather than asking the card to prove that it is valid, the terminal simply asks the card whether it is valid, and accepts whatever answer the card gives. If a man calls you on the phone and says he is me, you can’t just ask him “Are you really Ed Felten?” and accept the answer at face value. But that’s the equivalent of what Diebold is doing here.
This system was apparently used in a real election in Georgia in 2002. Yikes.