November 24, 2024

Posts Comments

Dutch E-Voting System Has Problems Similar to Diebold's

October 6, 2006 by

A team of Dutch researchers, led by Rop Gonggrijp and Willem-Jan Hengeveld, managed to acquire and analyze a Nedap/Groenendaal e-voting machine used widely in the Netherlands and Germany. They report problems strikingly similar to the ones Ari Feldman, Alex Halderman and I found in the Diebold AccuVote-TS.

The N/G machines all seem to be opened by the same key, which is easily bought on the Internet – just like the Diebold machines.

The N/G machines can be put in maintenance mode by entering the secret password “GEHEIM” (which means “SECRET” in Dutch) – just as the Diebold machines used the secret PIN “1111” to enter supervisor mode.

The N/G machines are subject to software tampering, allowing a criminal to inject code that transfers votes undetectably from one candidate to another – just like the Diebold machines.

There are some differences. The N/G machines appear to be better designed (from a security standpoint), requiring an attacker to work harder to tamper with vote records. As an example, the electrical connection between the N/G machine and its external memory card is cleverly constructed to prevent the voting machine from undetectably modifying data on the card. This means that the strategy used by our Diebold virus, which allows votes to be recorded correctly but modifies them a few seconds later, would not work. Instead, a vote-stealing program has to block votes from being recorded, and then fill in the missing votes later, with “improvements”. This doesn’t raise the barrier to vote-stealing much, but at least the machine’s designers considered the problem and did something constructive.

The Dutch paper has an interesting section on electromagnetic emanations from voting machines. Like other computers, voting machines emit radio waves that can be picked up at a distance by somebody with the right equipment. It is well known that eavesdroppers can often exploit such emanations to “see” the display screen of a computer at a distance. Applied to voting machines, such an attack might allow a criminal to learn what the voter is seeing on the screen – and hence how he is voting – from across the room, or possibly from outside the polling place. The Dutch researchers’ work on this topic is preliminary, suggesting a likely security problem but not yet establishing it for certain. Other e-voting machines are likely to have similar problems.

What is most striking here is that different e-voting machines from different companies seem to have such similar problems. Some of the technical challenges in designing an e-voting machine are very difficult or even infeasible to address; and it’s not surprising to see those problems unsolved in every machine. But to see the same simple, easily avoided weaknesses, such as the use of identical widely-available keys and weak passwords/PINs, popping up again, has to teach a deeper lesson.

Filed Under: Uncategorized Tagged With: , ,

Immunizing the Internet

October 4, 2006 by

Can computer crime be beneficial? That’s the question asked by a provocative note, “Immunizing the Internet, or: How I Learned to Stop Worrying and Love the Worm,” by an anonymous author in June’s Harvard Law Review. The note argues that some network attacks, though illegal, can be beneficial in the long run by bringing attention to network vulnerabilities and motivating organizations to address problems.

I don’t buy the note’s argument, but there is a grain of truth behind it. Vendors and independent analysts often disagree about whether a vulnerability is real or could ever be exploited in practice. One thing I’ve learned over the years is that the best (and often the only) way to resolve that debate is to demonstrate an exploit. If you can do something, people will accept that it is possible.

Our recent e-voting study is a good example. Diebold can’t seriously argue that malicious code can’t sway an election, because we have a working demo that we have shown on national TV and in front of congress.

Even when the vendor is willing to acknowledge reality and work constructively to fix a problem, a working demonstration is useful in helping the vendor cope with the problem – and in helping the good guys within the vendor organization neutralize any internal minority that wants to deny the problem. Showing the vendor a working demo can be the first step in a constructive problem-solving relationship.

(To be clear: You can build a working demo and show it to people without revealing to the public every detail of how to build the exploit. How much information to publish about a demonstration exploit is a separate issue from whether to build it in the first place.)

But some sorts of problems can’t be demonstrated without breaking the law. For example, Diebold apparently claims that there is no way to tamper with the upcoming November election in (say) Maryland. I’m convinced that claim is false, but the most direct, obvious way to prove it false would involve actually tampering with the election, which of course is unthinkable.

The note’s reasoning would imply that the penalty for tampering with the election might be reduced, especially in cases where the tampering is engineered to be obvious and to cause minimal damage, for example if it added 10,000 write-in votes for Homer Simpson to a statewide race where a candidate was running unopposed. Though such an attack would be instructive, it would still be wrong and would deserve serious punishment. If the legal lines are drawn in the right places, and if the punishment otherwise fits the crime, then we shouldn’t let attackers off easy just because their attacks were instructive.

Filed Under: Uncategorized Tagged With:

E-Voting Testimony

September 28, 2006 by

Today at 10:00 AM Eastern I’m testifying at a House Administration Committee hearing on e-voting. Here is the written testimony I submitted.

Filed Under: Uncategorized Tagged With: ,

Networking Diebold Voting Machines

September 25, 2006 by

Reacting to our report about their AccuVote-TS e-voting product, Diebold spokesmen are claiming that the machines are never networked. For example, Diebold’s official written response to our report says that the AccuVote-TS “is never attached to a network” and again that “These touch screen voting stations are standalone units that are never networked together.” This is false – AccuVote-TS systems are designed to be networked.

The Diebold manual that came with our machine explains how to network AccuVote-TS machines. The manual is called “AccuVote-TS User’s Guide: GEMS Touch Screen Client 4.1”, revision 1.0. In section 8.5, “Transfer Results”, the manual explains,

Results [of elections] are transferred are [sic] by means of a TCP/IP network connection, either directly, by modem or ethernet.

[…]

Representative tests of all results transfer configurations should be performed in the process of election confinguration, including transmissions by direct, modem, or ethernet connection.

Touch the Transfer Results button in order to activate the Transfer Results Window… Enter the network host name in the Host Name field using the [keyboard]. Enter the network user Id in the User Name field and the network password in the Password field.

Other sections of the manual contain similar text describing the transfer of election results over a network.

Appendix E of the manual lists “[s]upplies required and recommended for AccuVote-TS system operation, maintenance and logistical support”. The list includes “network cards” and “ethernet cabling”.

Diebold’s insistence that the voting machines cannot be networked is especially odd given that the conclusions in our report don’t rely in any way on the use of networking – even if Diebold’s no-networking claim were true, it would be irrelevant.

Filed Under: Uncategorized Tagged With: ,

Refuting Diebold's Response

September 20, 2006 by

Diebold issued a response to our e-voting report. While we feel our paper already addresses all the issues they raise, here is a point by point rebuttal. Diebold’s statement is in italics, our response in normal type.

Three people from the Center for Information Technology Policy and Department of Computer Science at Princeton University today released a study of a Diebold Election Systems AccuVote-TS unit they received from an undisclosed source. The unit has security software that was two generations old, and to our knowledge is not used anywhere in the country.

We studied the most recent software version available to us. The version we studied has been used in national elections, and Diebold claimed at the time that it was perfectly secure and could not possibly be subject to the kinds of malicious code injection attacks that our paper and video demonstrate. In short, Diebold made the same kinds of claims about this version – claims that turned out to be wrong – that they are now making about their more recent versions.

Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit.

This is incorrect. Far from ignoring Diebold’s “normal security procedures”, we made them a main focus of our study.

The tape and seals are discussed in our paper (e.g., in Section 5.2), where we explain why they are not impediments to the attacks we describe. The main attack does not require removal of any screws. Contrary to Diebold’s implication here, our paper accounts for these measures and explains why they do not prevent the attacks we describe. Indeed, Diebold does not claim that these measures would prevent any of our attacks.

A virus was introduced to a machine that is never attached to a network.

This is irrelevant. Our paper describes how the virus propagates (see Sections 2.2.2 and 4.3) via memory cards, without requiring any network.

By any standard – academic or common sense – the study is unrealistic and inaccurate.

This is little more than name-calling.

For an academic evaluation, ask our academic colleagues. We’d be happy to provide a long list of names.

We demonstrated these problems on our video, and again in live demos on Fox News and CNN. Common sense says to believe your eyes, not unsubstantiated claims that a technology is secure.

The current generation of AccuVote-TS software – software that is used today on AccuVote-TS units in the United States – features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more.

As above, Diebold does not assert that any of these measures would prevent the attacks described in our paper. Nor do we see any reason why they would.

These touch screen voting stations are stand-alone units that are never networked together and contain their own individual digitally signed memory cards.

As discussed above, the lack of networking is irrelevant. We never claim the machines are networked, and we explain in our paper (e.g. Sections 2.2.2 and 4.3) how the virus propagates using memory cards, without requiring a network.

Again, Diebold does not claim that these measures would prevent the attacks described in our paper.

In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines – every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.

Our paper discusses physical security, election procedures, security tape, and numbered security seals. See, for example, Sections 3.3 and 5.2 of our paper. These sections and others explain why these measures do not prevent the attacks we describe. And once again, Diebold does not assert that they would.

Diebold strongly disagrees with the conclusion of the Princeton report. Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis.

Every voter in every local jurisdiction that uses the AccuVote-Ts should feel secure knowing that their vote will count on Election Day.

Secure voting equipment and adequate testing would assure accurate voting – if we had them. To our knowledge, every independent third party analysis of the AccuVote-TS has found serious problems, including the Hopkins/Rice report, the SAIC report, the RABA report, the Compuware report, and now our report. Diebold ignores all of these results, and still tries to prevent third-party studies of its system.

If Diebold really believes its latest systems are secure, it should allow third parties like us to evaluate them.

Filed Under: Uncategorized Tagged With: ,