November 21, 2024

Report Claims Very Serious Diebold Voting Machine Flaws

[This entry was written by Avi Rubin and Ed Felten.]

A report by Harri Hursti, released today at BlackBoxVoting, describes some very serious security flaws in Diebold voting machines. These are easily the most serious voting machine flaws we have seen to date – so serious that Hursti and BlackBoxVoting decided to redact some of the details in the reports. (We know most or all of the redacted information.) Now that the report has been released, we want to help people understand its implications.

Replicating the report’s findings would require access to a Diebold voting machine, and some time, so we are not in a position to replicate the findings at this time. However, the report is consistent with everything we know about how these voting machines work, and we find it very plausible. Assuming the report is accurate, we want to summarize its lessons for voters and election administrators.

Implications of the Report’s Findings

The attacks described in Hursti’s report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools. The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes.

Hursti’s findings suggest the possibililty of other attacks, not described in his report, that are even more worrisome.

In addition, compromised machines would be very difficult to detect or to repair. The normal procedure for installing software updates on the machines could not be trusted, because malicious code could cause that procedure to report success, without actually installing any updates. A technician who tried to update the machine’s software would be misled into thinking the update had been installed, when it actually had not.

On election day, malicious software could refuse to function, or it could silently miscount votes.

What can we do now?

Election officials are in a very tough spot with this latest vulnerability. Since exploiting the weakness requires physical access to a machine, physical security is of the utmost importance. All Diebold Accuvote machines should be sequestered and kept under vigilant watch. This measure is not perfect because it is possible that the machines are already compromised, and if it was done by a clever attacker, there may be no way to determine whether or not this is the case. Worse yet, the usual method of patching software problems cannot be trusted in this case.

Where possible, precincts planning on using these machines should consider making paper backup systems available to prepare for the possibility of widespread failures on election day. The nature of this technology is that there is really no remedy from a denial of service attack, except to have a backup system in place. While voter verified paper trails and proper audit can be used to protect against incorrect results from corrupt machines, they cannot prevent an attack that renders the machines non-functional on election day.

Using general purpose computers as voting machines has long been criticized by computer scientists. This latest vulnerability highlights the reasoning behind this position. This attack is possible due to the very nature of the hardware on which the systems are running. Several high profile studies failed to uncover this. With the current technology, there is no way to account for all the ways that a system might be vulnerable, and the discovery of a problem of this magnitude in the midst of primary season is the kind of scenario we have feared all along.

Timeline and Perspective

This is not the first time Diebold has faced serious security issues – though this problem appears to be the worst of them all. Here is a capsule history of Diebold security studies:

2001: Doug Jones produces a report highlighting design flaws in the machines that became the Diebold touchscreen voting machines.
July 24, 2003: Hopkins/Rice study finds many security flaws in Diebold machines, including ones that were pointed out by Doug Jones.
September 24, 2003: SAIC study finds serious flaws in Diebold voting machines. 2/3 of the report is redacted by the state of Maryland.
November 21, 2003: Ohio’s Compuware and InfoSentry reports find critical flaws in Diebold touchscreen voting machines
January 20, 2004: RABA study finds serious security vulnerabilities in Diebold touchscreen voting machines.
November, 2004: 37 states use Diebold touchscreen voting machines in general election.
March, 2006: Harri Hursti reports the most serious vulnerabilities to date discovered.

None of the previously published studies uncovered this flaw. Did SAIC? It might exist in the unredacted report, but to date, nobody outside of Maryland officials and SAIC has been able to see that report.

We believe that the question of whether DREs based on commodity hardware and operating systems should ever be used in elections needs serious consideration by government and election officials. As computer security experts, we believe that the known dangers and potentially unknown vulnerabilities are too great. We should not put ourselves in a position where, in the middle of primary season, the security of our voting systems comes into credible and legitimate question.

Comments

  1. There was a much much worse debacle in the early 80s during the reagan election, where people visited the machines and altered the software. There was a hidden government inquest, where they discovered that the machines indeed had their software altered, which could indeed have changed the results, but a not-guilty verdict was reached on the basis that the machines did not record backup data, so it could not be proven that the results were indeed bogus. As a result the pilot scheme of the electronic voting machines was not repeated. Until the Bush Jr election.

  2. David Milum says

    David Milum, Forsyth County Citizen’s Oversight Committee
    4300 Jot Em Down Road
    Cumming, Ga. 30028

    Georgia Secretary of State
    Karen C. Handel

    Ref; July 15 primary election in Forsyth County, voting machine problems

    Dear Madam Secretary,

    I have added a link below to an article about voting machine failures within the Forsyth County/Concord Voting District on July 15, 2008. Hopefully this link on a story written by the Forsyth County News will refresh your memory of the previous letter I sent you regarding faulty voting machines the day of the July election.

    http://newmedia.forsythnews.com/news/article/303/

    Gary Smith, unfortunately for us our Voter Registrar, reported that out of 450 voting machines spread between the county’s 33 precincts; five had to be shut down during the election. Being a mechanic and security software installer by trade I fully understand that machines are not infallible by any means but let me further preface my thoughts with this; I am not looking to find fault with our current voting machines, the faults are there all right as one has to only recognize them for what they are. As we all know this is an inherent problem anytime we depend on machines doing what a human can do better, albeit at a much slower pace. All machines are only as good as their creator makes them. Likewise, the software that makes these machines perform is only as trustworthy as the managers who see over and collate the work product.

    Here is my major concern in a nutshell Madam Secretary; a representative with Kennesaw State University’s Center for Election Systems came to Cumming to test the voting machines in question. [Actually six machines were malfunctioning that day to my current knowledge] Using a testing script supplied by your Secretary of State’s office, James Long ran several tests on the two machines. Both, he said, “worked exactly the way they’re supposed to.”

    If they [both] worked as they were supposed to on the day of re-testing after the election, then please explain to me why [six] machines on that day of July 15, 2008 did not perform as they were supposed to. Did something magical happen after these machines were shut down on July 15? I was an eye witness that this statement of certification most certainly did not apply to these same machines malfunctioning on July 15. I was standing right there within ten to fifteen feet of [three] Voters who were having the problems. I did not imagine it, the poll workers did not imagine it, and most assuredly the troubled Voters didn’t imagine it either. The problems were real and they successfully chilled any confidence that I or these other Voters will ever have for these faulty machines. They, very simply in my opinion, are not anywhere close to being trustworthy. To me there is absolutely no difference in an armed soldier holding a gun on me to keep me from voting and a faulty machine blessed by State officials ripping my vote off, either way I have been robbed of my vote. And the most important and frightening aspect of all is; those machines were not altered whatsoever upon re-certification but State blessed and sent on their merry way to other unsuspecting Voters who will be harmed by them. In other words; nothing was changed to keep those machines from doing exactly what they did on July 15, Zip, zilch, zero, nada.

    Registrar Gary Smith said that he wants more voters to know how they can help with the process. He further quoted; “It’s hard for us to be mind readers, if the public has an issue with anything, they need to immediately tell the poll manager or poll worker that they have a problem, so we can deal with it right then, not three days later, because three days later I can’t do anything about it and I want to be able to take care of it right there.” Madam Secretary as you know I addressed these problems the very day of the election and while I was standing there at the machines, as did several Voters. Now we have for ourselves at least [six] machines that were giving trouble on July 15 back on the line come November election time. The young man who did the re-testing certifies that nothing is wrong with these machines. The best words I can muster are “hogwash” or maybe “in a pig’s ear” they are certifiable. How utterly insulting on the intelligence of any Voter! Is this kind of brush-off treatment what we can continue to expect from your office?

    I am honestly shocked that you felt it was not necessary to respond to my letter about faulty voting machines as all United States Citizens have the Right of Redress; that is, if we write to you with a problem in government the honorable and respectful thing to do is answer those letters. I had to find out that the State was addressing the voter machine problems in Forsyth County that I brought forth to you by hearing it second handed from someone who talked to a person who stumbled upon an article in the Forsyth County News. I have to tell you Madam Secretary that not only am I taken back by your lack of attention in addressing the Citizens of this State I am also troubled at the lack of protocol involved when a Citizen brings to your attention a grave matter that affects our Voting Rights in Georgia.

    With respect due in such matters of the relationship between Citizen Voters and our State employees I will kindly remind you of your responsibility and oath to keep our most scared trust safe. When I write letters that ask for a response I fully expect to get one. Respectfully, you work for me and not visa versus. I realize this might sound harsh to you but many paid employees of the Citizens have cultivated the notion that the Citizens are subservient to our own employees but as you can clearly see I am of a very differing opinion.

    If any public servant wants my respect they have to earn it, as it does not automatically come with the title. These voter machine problems are very serious to me and millions of Voters across this country. Obviously, this will only serve to get worse instead of better. It’s bad enough that the Citizens of Forsyth County can’t trust their own county Voter Registrar but even worse when State officials are so lax that they might be suspect in a possible attempt to cover for these faulty machines.
    I want you to tell me why these machines will remain online regardless of the documented problems incurred by the Voters. And yes Madam, I would like a written response to this communication please.

    Respectfully,

    David Milum

  3. I read a few stories as early as 2 weeks ago about the Diebold electronic voting machines. In one of the articles that I read, the Diebold machines can apparently have their security defeated in under 2 minutes and have absolutely no trace remain that they have been tampered with. It is pretty scary on a couple of accounts: One, that a company that has committed itself to security, strong boxes and secured electronics to have failed on such a gross scale, and two, that the public doesn’t seem more outraged at this failure.

    It seems more a sign of the times – that the general public simply doesn’t care what goes on in politics. We, as a general population aren’t questioning things as fundamental as honesty and accountability in voting, nor are we demanding that our “elected” officials be held to the laws that bind all of us. As a rule, it seems we are more concerned with fitting in and doing what we are told. And we are being told that we need to fall in line, don’t question our “leaders” and be good little boys and girls.

    It is not surprising to me that Diebold has failed on such a grand scale. While I am generally not a subscriber to every conspiracy theory that passes before me, it would not be beyond belief that the “flaw” was a “designed flaw.” While we as a general public are pretty gullible, there is still a strong element of intelligent, self-thinking voters that see beyond the propaganda of the current political regimes. This group of “free-thinkers” can still threaten those regimes’ stability of power. It is not inconceivable that the voting machines were purposefully designed to be tampered with to maintain the status quo, or sway the vote on things that the current regime finds convenient.

    Just looking at the number of things the current political regimes have gotten away with in the last 6 years should be evidence enough that not everything is legitimate in politics. Some examples of this are: the Dade County Voting Scandal in the 2000 Presidential Election; the NSA/AT&T scandal of illegal wiretaps and data collection; and the obviously planned and devious outing of Valerie Plame as a CIA operative as revenge for her husband’s honesty in reporting that Iraq did not have a nuclear capability. Those are, of course, national politics. A simple example of local political shenanigans are casino and OTB licensing in Niles, and the Cook County Board President’s replacement.

    I say it is conceivable Diebold designed their voting machines to be manipulated as part of a conspiracy because our society is increasingly following the paths of Mussolini, Romania’s Iron Guard, Spain’s Falange, and the Germans in the 1930’s and 40’s. We say the word Fascism with a spit, but fascism is increasingly in our society and it is evident every time a black man walks or drives in a white neighborhood, every time we board an airplane, visit a court house, or walk under the blue flashing police boxes mounted in our nation’s communities. We experience fascist forms every time we mail a letter or package at the Post Office, when we send an email or make a phone call and when applying for a driver’s license or passport. The idea that we can be law abiding and anonymous is a thing of the past. We will increasingly see that our freedom and liberty continually erode in the face of such fascist goals.

    Without more outrage over the Diebolt voting machines lack of security and ease at which they can be tampered with, we will be forced to further succumb to government and corporate controls. We are supposed to be a nation where all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. — That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed. Unfortunately, we cannot give our consent when our votes are counted against us in conspiracy; even if for ‘the greater good.’

    As a Nation of Equals, we should be able to determine what our greater good is. Yet, it seems the current Regime thinks it more expedient to make changes to our society – by removing our freedom and liberty without our consent under the guise of security. Yet these changes have not been effected by any public law, nor voted upon by the People. They have been made by a small minority of wealthy individuals that are interested in further securing their own wealth and power – not ours. We all live here, and we all should have our say in how we are governed.

    Now is the time to stand up and defend what we hold as just and right. We must demand that our votes are counted properly, counted fairly and counted individually. Expedience, convenience and security are no longer acceptable excuses to circumvent the people’s Will. For it is our Will that makes us Free. For if we are not Free, we are not a Nation with Liberty.

  4. Although it won’t be a cure all it would seemingly be productive to have some of the computer scientists who participate in fraudulent voting machine tampering to be prosecuted and jailed for a very long time.

  5. I do not regularly follow this blog — I came to it from an article in ComputerWorld — so I apologize in advance if this idea has been discussed already…

    I regard the concept that private industry does EVERYTHING better than government as (effective) Republican brain-washing. Why not take all e-voting-machine out of the hands of dubiously-honest (or inept) private companies like Diebold? Create a small government entity whose sole responsibility is to produce a rock-solid voting machine for nationwide use. I’m sure that there are complexities that I do not understand, but I’d be surprised if it was rocket science. Offer some our nation’s best technical minds a lucrative 1-year contract to design the first-generation machine. Some might do it purely out of civic duty. Get maybe 40 software and hardware people in a building somewhere. Give them one-tenth of the money that the private firms are probably raking in. Maybe make the design public for scrutiny by outside experts. Seems to me that the result could be a rock-solid, secure, auditable system. Have private firms bid on the construction (if this can safely be done without trusting the companies). The economies of scale created by a nationwide standard, plus the elimination of any need to wine-and-dine customers (state officials), should make the result cheaper than what we have today.

    Fire away … 🙂

  6. what are the implications of this information on the diebold accuvote optical scanners?

    wouldn’t it have made sense from a purely business perspective for diebold to use cross-platform (as it were) technology whenever possible, so that what is used on one accuvote (ts) would be used on the other (opscan)?

    The Jefferson et al report of Feb 2006 indicated their belief that the TS design was actually more secure than the OS (p. 9). So where does this leave us?

    Vulnerable no matter what, but I’d like to know how this new information translates to the opscan systems.

    Hursti -May 2006: “One of (the flaws) however, seems to enable a malicious person to compromise the equipment even years before actually using the exploit, possibly leaving the voting terminal incurably compromised.”

    Jefferson et al-Feb 2006: “It is even conceivable that there is a way to exploit these vulnerabilities so that changes could persist from one election to another. For instance, if the firmware or software resident on the machine can be modified or updated by running code, then the attack might be able to modify the firmware or software in a permanent way, affecting future elections as well as the current election. In other words, these vulnerabilities mean that a procedural lapse in one election could potentially affect the integrity of a subsequent election.”

    hursti May 2006: “A major contributor to this is the ability to change the Operating System functions and libraries any application software relies on at a deep level.”

    jefferson et al Feb 2006: “There are serious vulnerabilities in the AV-OS and AV-TSx interpreter that go beyond what was previously known. If a malicious individual gets unsupervised access to a memory card, he or she could potentially exploit these vulnerabilities to modify the electronic tallies at will, change the running code on these systems, and compromise the integrity of the election arbitrarily.”

    hursti May 2006: “The file will be processed from the memory card without user interaction, overwriting the previous content and therefore destructive for future forensic studies.”

    jefferson et al Feb 2006: “p. 13: The attack could erase all traces of the attack to prevent anyone from detecting the attack after the fact.”

  7. Thanks to BlackBoxVoting for their relentless pursuit of trying to find out how these electronic “black boxes” actually work. It has been a struggle against both vendors unwilling to be forthcoming and election officials complicit in not only covering for the vendors, but failing to demand rigorous and effectvie testing.
    Some posts, and even some state election officials, have claimed that the problem can be corrected in the short term by making sure the machines are not physically accessible. In the real world of use of these machines that is easier said than done. Because some localities must get thousands of these machines distributed to hundreds of precincts they send the machines home with poll workers up to two weeks prior to the election. In other cases they are delivered to precincts (which can be a church, school, garage, etc.) for one or more days ahead of the election. Once delivered there are several ways the machines can be accessed physically, even with so-called “security” tape over the door (which historically has not even been applied adequateky) to the PCMCIA card with the election and ballot definitions on it. These machines have:
    a modem, a serial port, another port connecting the “tablet” to the bottom support module, an extra PCMCIA port that is already setup for a wireless card, and a hidden port inside that is already setup to accept a wireless card inside the case (see the Hursti Report and accompanying pictures).
    Diebold converted their AccuVote-TS touch screen machines to a Windows CE operating system in the fall of 2001. It is likely that was when these “features” were installed. The TS system also has an infrared port on it.
    Diebold made the TSx wireless capable by design. Because it takes thousands of these machines in some jurisdictions to run an election (San Diego has over 9,000), they are all stored in a warehouse, and the election and ballot definitions must be installed in everey machine for every new election, they sold the counties on the idea of using wireless to program them all at one time. That was one of the sales features being touted. Never mind that anyone else parked outside the warehouse or even a polling place could also access the machines the very same way.
    Yes, the entire voting system, from the PCMCIA card and its contents to the main election management software residing at election headquarters can be contaminated. Any time a computer system is designed so that the contents on removable medium are uploaded upstream of the most widely distributed component (the individual votng machine), it opens up the entire upstream portion of that voting system to any malicious or fraudulent code or data.
    We do not know if anything has already been introduced into these machines. We do know that it could have been and would be virtually impossible to discover. That is not an acceptable state of affairs.
    These machines should not be used in any election until the voters of this country can know with a surety that there is no resident unauthorized programming, that there cannot be any added, and ever electronic vote is confirmed with a corresponding paper ballot that the voter has verified contains there intent.
    Worse, Diebold is not alone in using removable media to hold the election, the ballot definitions, and the actual votes. It appears the election officials are aware that other voting systems may be equally vulnerable. In late March NASED (National Association of State Election Directors) issued an Addendum applying to all voting systems, requiring securing the removable medium from unauthorized physical access through certain procedures.
    The citizens of the United States have been sold defective products; poorly designed, overpriced, not suitable for their intended purpose, and shown to be unreliable and insecure. The officials whose job it is to represent the interests of the citizenry have failed their fiduciary duty. It is time for those responsible for this situation to be held accountable.

  8. enigma_foundry says

    “Probably the best defense would be an offense in this case. Crash every Diebold machine you can get your paws on. Force it to produce impossible results or start announcing things like “I am not a number, I am a free machine,” and cast all its votes for Abraham Lincoln. Maybe then people will start paying attention.”

    Agree in principle. Although I am usually very disinclined to propose violent solutions, I believe this to be a rare exception where violence (against machines, not people) to be an appropriate (perhaps the only appropriate) response of a moral individual…

  9. supercat made some excellent suggestions; the machines, though expensive, would be ideal.

    Ideal for a true democracy of course; patently not ideal for the purposes of the powers that be, as evidenced by such machines not being adopted, while Diebold ones are.

  10. enigma_foundry says

    “What a coincidence! I’ve recently uncovered some potentially devastating attacks on paper ballot voting systems. The attacks would allow anyone who had physical access to a ballot box for a few minutes to insert large numbers of fraudulent votes, which then be counted as valid, or to destroy all the previously entered votes, making them unreadable…”

    Yes but the attacks on electronic systems, as noted above, are possible to execute long before the voting occurs, and are undetectable.

    Paper balloting, by contrast, can be observed, by open ballot boxes in front of many observers, verifying that they are in fact empty, etc. This is why international observers can verify suspect elections, and certify that they are in fact legitimate.

    Now with an electronic system, lay people can no longer function as obervers, and can no longer play a role in a recount.

    Thus the election process has lost the crucial element of transparency.

    Of course, this is deliberate–because in the case of a disputed election, there can be no recount, but due to the loss of transparency their will almost certainly be riots that those in power can in turn use as an excuse for the furthering of repressive policies, chiefly as a result of these riots they will attempt to ploace limits on the freedom of the press.

  11. TheLoneDeranger says

    Probably the best defense would be an offense in this case. Crash every Diebold machine you can get your paws on. Force it to produce impossible results or start announcing things like “I am not a number, I am a free machine,” and cast all its votes for Abraham Lincoln. Maybe then people will start paying attention.

  12. enigma_foundry says

    “What a coincidence! I’ve recently uncovered some potentially devastating attacks on paper ballot voting systems. The attacks would allow anyone who had physical access to a ballot box …”

    The attack on a paper ballot system is inherently more difficult to execute and easier to check on after the fact.

    The types of paper-less systems employed lend themselves to attacks that can be executed without much of the physical difficulties that would be part of electoral fraud.

    For example, ballot boxes can be opened at the start of voting in front of many observers and they can be verified to be empty. Electronic Ballot machines cannot be opened in the same way–you are relieng on the software in the machine to say it is empty.

    Furthermore, those doing the checking must be computer specialists. Ordinary lay people are taken out of the process, which means the process has lost its transparency and therefore its validitiy…

  13. I’m not about to defend Diebold and its security practices, which are obviously in need of tightening (not to mention its PR efforts, which I gather are rife with overstated security claims). But….

    The attacks described in Hursti’s report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools. The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes.

    What a coincidence! I’ve recently uncovered some potentially devastating attacks on paper ballot voting systems. The attacks would allow anyone who had physical access to a ballot box for a few minutes to insert large numbers of fraudulent votes, which then be counted as valid, or to destroy all the previously entered votes, making them unreadable. Obviously, then, every company that has ever marketed paper ballot-based voting materials has been laughably negligent–as has any jurisdiction that has ever used them.

    Let me make a few assertions here, and see if we can all agree on them:

    1. A voting technology is not a voting system. A voting system is one or more technologies combined with a collection of procedures for using them to run elections.

    2. Any voting technology, no matter how carefully designed and implemented, is doomed to be insecure if embedded in a sufficiently broken system. (See, for example, Karlof, Sastry and Wagner.) Conversely, any voting technology, no matter how poorly designed and implemented, is probably securable (though possibly at a prohibitive cost) using sufficiently elaborate surrounding procedures.

    3. Older technologies will inevitably seem more secure than newer ones, because the procedures surrounding them have evolved, in response to attacks, to the point where known attacks have generally been mitigated, and novel attacks are unlikely.

    4. Therefore, in evaluating new voting technologies, we should treat newly discovered attacks not as refutations of the new technology, but rather as challenges to both the technology designers and the system designers to mitigate them (challenges which they may or may not be able to meet at an acceptable cost).

    ———

    There is an unfortunate tendency in the computer security research community to overplay the significance of new attacks. This weakness is understandable: attacks, unlike claims of security, are empirically verifiable, often using spiffy demos; they can have immediate and substantial real-world impact, whereas new security technologies must first be built, tested, sold, deployed, and so on; and they place security researchers in the enviable role of scolding expert rather than supplicant technology salesman.

    But we should remember that our job, first and foremost, is to provide the world with more secure systems–not simply to break things. And while I’m certainly glad that the weaknesses in voting systems like Diebold’s are being exposed, I wish security researchers would exercise a little more perspective each time they find one. After all, all technologies have such weaknesses, and new technologies inevitably have as-yet-undiscovered ones. The far more interesting question is how the ultimate result of the vulnerability discover-repair cycle for this technology and its surrounding system will end up comparing with systems based on other technologies. Security researchers should have something interesting to say about that question, but so far, I’m sad to say, ithe community has generated a lot more heat than light on the subject.

  14. The engineering hubris which we allow in the development of modern voting machines is only matched by the management hubris of the dotcom era.

    Having said that, election rigging has been rampant for a long time in the United States, and this is only one of many potential methods to employ in the game.

  15. Well, partisan; it doesn’t matter that much which party is performing a bigger fraud. The voter (and democracy) lose when elections are tampered with. What does election fraud do to the chances of independent candidates? Should a country be governed by criminals?

  16. partisan hacks rule the worls says

    I wonder who would be more likely to take advantage of such a security flaw, a democrat or a republican? There are arguments on both sides. Democrats are more upset about the current state of political affairs (and therefore arguably more likely to take such radical action), but republicans are still in control of the voting process in crucial states (Ohio, Florida, and Missouri, states that tend to be bell weather swing states) so presumably they have greater access to the voting machines and more ability to tamper with them. In the end though, if those in control do not choose to fix these problems, it would seem to show that they beleive their side is more likely to corrupt the system. Thank god it isn’t a presidential election year.

  17. As recently as the 2004 elections, several Diebold machines were in operation with their initial, factory-set passwords. (For those curious, 1111 or 11111 depending on the model.) Some model did not support a local password change, others did not receive new passwords from local officials. While this problem has been largely remedied, the password problems were less-than-secret with pass codes to machines well publicized on the internet and by-word-of-mouth.

    As an election official, I have to say that some of the best technology out there is not the most recent. Analog (tape) and simple digital recording systems are some of the best in terms of easy counting and the reliability of back-up (some with 4 back-up methods and an on-demand paper trail).

    I agree that simple level technology can be reliable, but it leaves much to be desired in the areas of voter and disibility friendliness.

  18. IMHO, for a method of voting to be really secure, every vote must be indelibly recorded on a medium which cannot be substituted without detection. Although some write-once electronic storage media exist (e.g. bipolar PROMs, or OTPROMs encased in radiation-sensitive packages) I am unaware of any systems currently being applied that use such media.

    Actually, with a few slight changes, mechanical lever-style voting machines could be made just about perfect. In particular:

    -1- The counters on the machine should be sealed modular assemblies, constructed of a transparent material to allow inspection, but impossible to open without obvious visible damage. They should feature a single sliding actuator as a count input, no means of resetting, and a large enough number of digits to make rollover entirely impossible.

    -2- The machine should include a number of ‘checksum’ counters so that the weighted total change to all counters will be the same regardless of how many or how few candidates are selected. The simplest way to accomplish this would be to have two counters for each lever–the first will increment if a ballot is cast with the lever selected, while the second will count if a ballot is cast with the lever deselected.

    -3- The counters should not be visible to a voter, but the rest of the machine, including the counters’ actuators, should be.

    Before polls open, representatives from all interested parties would vote various sample ballot patterns and confirm that all counters work properly. Then the readouts on all the counters would be logged by all party representatives, and each counter would have a seal affixed by party representatives. A transparent cover would then be closed over all the counters, sealed by all party representatives. Finally, an opaque cover would be closed and sealed and the machine opened for use.

    At the end of the day, all representatives would confirm the seals on the opaque cover; once that was done, they would open it. The seals on the transparent cover would then be confirmed, but not broken. Representatives would then record all the counts and compute a checksum to ensure that the totals are appropriate for the number of people who voted. If there is not agreement on the totals, the sealed machine would be submitted for forensic analysis which would be undertaken in the presence of representatives of all parties.

    A machine designed in this fashion should be quite practical to work with while providing exceptional fraud resistance. Once a counter has been illegitimately bumped, there’s no way to bring things back into order except by inventing a voter to account for the extra bump.

  19. Great work, Harri and greetings from Finland! (Mr. Hursti was born in Finland). Your previous report was covered here in local IT news. Let’s hope that people planning the use of voting machines in Finland will read your research.

  20. Anonymous said:
    “’…(although access to one machine could result in successful attacks against many machines)…’”

    “I’m not sure I understand. Do you mean that if I have access to one, it’s likely that it’s via the stockrom where many machines are stored? Can you clarify?”

    I’m not Prof. Felten, but this sentence from the Black Box Voting report may provide a clue.

    “It is unknown what support drivers are installed with Diebold-provided operating systems, but since additional support features can be added, a sophisticated attacker can, for example, introduce wireless capabilities to facilitate attack even if the system was not originally configured for wireless communication.”

    How one would enable wireless communications from an accessed machine to those one hadn’t accessed is unclear to me. I speculate that this information or other information regarding how the attack may be spread could be contained in redacted sections of the report.

  21. Anonymous says

    In this article, you wrote:

    “…(although access to one machine could result in successful attacks against many machines)…”

    I’m not sure I understand. Do you mean that if I have access to one, it’s likely that it’s via the stockrom where many machines are stored? Can you clarify?

    [Ed Felten replies: That was imprecise writing on our part. Machines are normally stored and used together, so the means used to get access to one will likely yield access to many. I have edited the original post to remove the portion you quoted. Sorry for any confusion.]

  22. “We believe that the question of whether DREs based on commodity hardware and operating systems should ever be used in elections needs serious consideration by government and election officials.”

    This implies that the use of non-commodity hardware and a bespoke operating system would be preferable. Is that what was meant? If so, isn’t it just “security through obscurity”? Please explain…!

  23. I nervously try to ignore claims that election results may have been tampered with in 2004. But it is incomprehensible that the primary electronic voting system is being developed by a company with a partisan interest in the outcome. Election security is so critical that those involved in it should be outrageously unbiased and transparent — and Diebold seems to be exactly the opposite.

  24. […] We believe that the question of whether DREs based on commodity hardware and operating systems should ever be used in elections needs serious consideration by government and election officials. […]

    What?!? A simple tamper-proof (or tamper-resitant) case for the commodity hardware (running a commodity operating system) would be sufficient to prevent the attacks described herein. I call FUD.

  25. I don’t think it’s fair to blame Diebold’s terrifyingly insecure voting machines on the hardware. One would think a competently designed program utilizing appropriate encryption would not be susceptible to the kinds of attacks described in the paper.

  26. Steve R. says

    Diebold has been in deep doo-doo for a long long time concerning the lack of quality of its voting machines. First, I can not believe the incompetance in programing the machines. Second, I can not believe how much Diebold was getting paid for each machine it sold.

    The problem is NOT correctly reflected by the statement “Using general purpose computers as voting machines has long been criticized by computer scientists. ” While I do not know anything about Diebold as a company, the problems with assesmblying a quality voting system appears to be structural ala the Dilbert comic strip. The sales staff sold an vaporware, the engineers were clueless, and management was preoccupied with enjoying their performance awards in Tahiti. I would suggest initiating DOGBERT award.

  27. I have evidence that this has been present since 2002… which, as Doug Jones has said, shows that the federal ITA labs are incapable of or unwilling to do even the most basic security assessment. I’ve made the evidence available to David J. and can send it to Avi or Ed with a GPG/PGP key and a call to confirm the fingerprint. It’s out there, though… -Joe