
Could Crypto Resolve the Voting Machine Controversy?

By Scott M. Fulton, III, BetaNews

October 3, 2006, 2:14 PM

In a detailed analysis paper and video that are continuing to make waves, a trio of Princeton University Dept. of Computer Science researchers demonstrated last month how Diebold AccuVote-TS electronic voting machines -- the very devices recommended to end the 2000 "nightmare of the hanging chads" -- could be easily compromised by injecting malicious software through a memory card at boot time.

With mid-term elections in the U.S. just a few weeks away, and the balance of power in both houses of Congress made more tenuous with the emergence of even more political scandals, the likelihood is growing that the outcome of close elections this November may be challenged if the technology relied upon to secure those elections comes under question.

The Princeton video showed how any individual -- not necessarily an election official -- could either unlock or break into the memory card slot on a TS system, to insert malicious code that the voting machine absorbs into memory automatically as though it were a ROM upgrade. Malicious software can then flip votes as they are entered, from one party or candidate to another, altering the result as it appears on the printed tally.

The software averts detection during what Diebold considers an "integrity check," and can then delete itself, and all remnants of its misdeeds, at the time the election official presses the on-screen button to "End Election."

A few days after the demo was first posted, Princeton's Ed Felten added that the memory card slot could be broken into using the same kind of lock-picking tool used to break open hotel mini-bars.

Diebold Election Systems officials have since maintained that the AccuVote-TS system compromised by Princeton researchers Ariel J. Feldman, J. Alex Halderman and Edward W. Felten was an older model that was "two generations old," the company said, "and to our knowledge, is not used anywhere in the country."

"The current generation of AccuVote-TS software," stated Diebold President Dave Byrd, "features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more."

Whether newer versions of Diebold's software do contain these encryption features, Princeton's Ed Felten wrote for the blog Freedom to Tinker, may be totally irrelevant. "Diebold does not assert that any of these measures would prevent the attacks described in our paper," Felten wrote. "Nor do we see any reason why they would."

The issue, Felten implies, isn't whether voting machines use encryption, but whether they're actually encrypting the most vulnerable and sensitive portions of each transaction. Since Byrd himself, for instance, contended that an AccuVote-TS never has to be networked to be usable -- and therefore cannot be exposed to a network-based attack -- the value of SSL as an asset to such a system becomes dubious.

The Princeton paper is by no means the first serious examination of the integrity of Diebold systems, as the researchers themselves state. Three years ago, researchers from the University of Iowa Dept. of Computer Science presented a paper at the USENIX Security Symposium in Washington, D.C., entitled "The Diebold AccuVote-TS Should Be Decertified."

That paper tells the story of how researchers were first introduced to AccuVote systems through the company that originally produced it, I-Mark Systems, prior to its acquisition by Diebold in 2002.

At that time, the University of Iowa's Dr. Douglas Jones reported, he examined the new system for certification for use in Iowa statewide elections. The minutes of the State Board of Examiners recorded Dr. Jones' preliminary objections: "Dr. Jones also expressed concern about data encryption standards used to guarantee the integrity of the data on the machine. DES requires the use of electronic keys to lock and unlock all critical data. Currently all machines use the same key. Dr. Jones stated that this is a security problem. However, the use of a single key for all machines is not a condition that would disqualify the system under Iowa law."

Almost seven years later, Dr. Jones wrote, a reporter discovered that the source code for AccuVote systems' voting software -- by that time, produced by Diebold -- was being shared openly among employees through an unencrypted FTP site, which allowed anonymous users. The existence of the site had apparently been touted by Diebold as an asset -- a way for developers to implement rapid "technology transfers" -- during a PowerPoint presentation Diebold made in 2003 to the State of Georgia.

Dr. Jones' discovery prompted him to investigate the other areas in which AccuVote systems might be vulnerable. He found that 2003 model systems used the same single encryption key as I-Mark's 1997 editions.

Other security techniques, Dr. Jones wrote, were also similarly pointless in his view: "Their use of smartcards, it turns out, was not at all clever, but was just as bad as their use of the Federal Data Encryption Standard, ignoring almost everything known about security and key management, and open to attack by outsiders with no access to the source code because keys were transmitted to the card in plaintext form."

Next: Are Diebold's newer machines any better?


Add a Comment (15 Comments)


By darkiq1966

edited Oct 6, 2006 - 1:35 AM

Did you also know that all votes that are tallied and voter info from all machines are sent over the net via a freakin dial up modem after polls are closed.

Score: 0

By prooky

posted Oct 4, 2006 - 2:59 AM

"A few days after the demo was first posted, Princeton's Ed Felten added that the memory card slot could be broken into using the same kind of lock-picking tool used to break open hotel mini-bars."

That's not entirely correct.
The article on Ed Felten's blog says it uses a standard key that is also used to lock mini-bars etc.
So no lockpicking needed.

Score: 0

By cwgroove

edited Oct 3, 2006 - 3:56 PM

Electronic Voting - (can be) Better than a classic ‘paper trail’

Synopsis:
Voter is assigned and printed a private, random file number which allows voter to check registered votes by internet or telephone (automated voice synthesis). At end of voting day, sorted file numbers are assigned internal positions (1 through total number of voters). The voter files are then available to the public per these position numbers.

Details:
When voter ‘starts’ (first interaction with machine) a random file number (6 digits or more) is generated from a fast free-running roll-over counter (same system as slot machines). While the voter is voting (touch screen, most likely) this number is sorted against previous file numbers (in the very unlikely event (1/million) that the number is already assigned, the voter will be asked to reinitiate). The file number is printed on a receipt/coupon as well as displayed (privately) on the machine. At the end of the day/voting session, votes are tabulated (as usual) and the sorted (numerical order) file numbers (pointing to each voters’ inputs/decisions) are then also given numerical position numbers (1 for lowest to n the largest where n is also the total number of voters). These voter files are then made available on the internet and/or automated telephone system so that a file can be read by accessing it either by the private file number (random) if and when the voter checks his/her own listing or by the position number which allows anyone to select an anonymous voting record. A news service, if it so desires, can easily write a program to read all the files and thus do their own recount/tally (to check it against the official publicly released post poll closing results). Each voting machine must of course, have a unique identifier prefixing the file and position numbers. Suggestions are the election district number and/or zip code (listings and maps should also be internet available).

Hardware:
The touch screen voting terminals should also be designed and manufactured per published specifications thus insuring hardware interoperability. The present machines can be used as ‘de facto’ standards to limit the number of hardware configurations (and thus software drivers) needed to be accommodated.

Refinements: (to allow challenges and prevent double sets of records)
After voting; even before polls are closed, the voter can (and possibly should) check his/her vote either at the polling place or immediately at home. If in error, this would be the most opportune time to challenge. After the polls close it's a different situation; one first checks his/her vote with the 'secret' file number. If the voting record is correct, the voter selects 'yes' (approval) which then releases the voters 'position' number. If 'no' a challenge is indicated (legal means must be developed to deal with this possibility). The voter can then (or later) check the vote record via this 'position' number to give assurances against the existence of two sets of voter records (private 'file' number vs. public 'position' number). During voter record approval, a printout (hardcopy) can be made if desired. If there seems to be errors and a possibility of a challenge exists, the hardcopy should be signed, dated, and possibly notarized and/or witnessed.
(The primary purpose of this voting system is to prevent this situation from occurring!)

Hard Copy: (the only absolutely required printout would be the voters file number, time/date, and poll location/designation)

Comparatively; public verifiable voting records, as presented in this document, are simple, quick, and easy!

Score: 0

By Grazer

posted Oct 4, 2006 - 12:40 PM

Nice write up. I also think the voter's name and registration should also be in the file, to make sure there is no double voting. Of course, as a developer that does most of my work with relational databases, I am thinking of each vote "file" as a row in a table. Each row should have to reference a voter registration entry and reference(s) to the chosen candidate(s).

Score: 0

By Banquo

edited Oct 3, 2006 - 3:24 PM

Paper ballots have been used for thousands of years. Everyone knows how to use them and there is tangible evidence of how people voted. But no, let's all switch to buggy, insecure and complicated computers. Woops, software glitch! Where did all the votes go? Oops, hacker broke into the system. Was the election rigged? Who knows. What a great idea! We're too lazy to wait for votes to be counted, we need instant satisfaction. Bah, and get off my lawn.

Oh and it's cryptography, please type out the last six letters. I hate it when people shorten it to crypto. Sounds like Superman's dog or something.

Score: 0

By DotNet_Coder

posted Oct 3, 2006 - 3:34 PM

Sure, let's stick to old tried and true ways just because they work. Where is the innovation in that? Where is the progress moving forward? Plus, paper ballots, while being used for thousands of years, still have their downsides: the amount of money that has to be paid to count and recount the ballots; the inaccuracy (like the article says, just remember the election of 2000); the chance that a number of ballots could be lost during transit, etc.

Yes, there are flaws and risks in moving to electronic ballots. But, with better design and better technology, this is certainly the direction that we as a nation need to move in. If I am willing to trust my money to a computer (as I do daily with my bank and my purchases), then why can we not have that same level of trust in the voting process?

~dnc

Score: 0

By pcardout

edited Oct 23, 2006 - 10:38 PM

Dear DotNet -- While your discussion of down-side of paper is true enough, the following comment

>> If I am willing to trust my money to a computer (as I do daily with my bank and my purchases), then why can we not have that same level of trust in the voting process?

is dangerous because it is appealing to the non-computer-literate (I don't mean you) yet misses the crucial point differentiating banking from voting. Banking occurs daily and round the world and on-line transactions are often followed by paper statements. Those folks who still balance their checkbooks will find software errors, thus improving the systems. Further, banks have no interest in defrauding their customers (because of the huge business risk if they are caught). Voting occurs rarely, and the key point is that without a verifiable paper trail, there is no way of knowing about fraud or software error. Finally, the incentive to cheat is huge, and if it can be done anonymously, the risk to the perp is low. I'll assume that your point is that, in principle, computer voting could be as straightforward and honest as computer banking, but your phrasing admits the other interpretation, which is that it already is safe and secure, which is clearly not the case.

Score: 0

By Scotch Moose

posted Oct 4, 2006 - 11:05 AM

Progress should be measured in tangible improvements not just hand waving and vaporous claims of advanced technology.

Recounting, if necessary, should be recounting not just reprinting.

If Diebold is confident in, and committed to the quality of their product, they should welcome and facilitate the independent evaluation of their voting machines. Instead, they obstruct and prevent people like Ed Felten from evaluating their product.

Score: 0

By AaronDobbins

posted Oct 3, 2006 - 3:34 PM

One would have thought paper ballots weren't a problem until the hanging chad incident of 2000. There election officials argued over whether or not a vote should actually count if the punch did not go all the way through. These arguments led to a very close race that ended in Bush's first election victory.

There, personal bias may have come into play more so than electronic voting machines, provided the electronic tallying of the votes is not laced with malicious code. The purpose is not just the speed of counting votes, but to take the human interaction and interpretation out of counting votes.

I do agree with you that both systems pose risks, but I think electronic voting is the way of the future.

Score: 0

By Banquo

posted Oct 3, 2006 - 3:42 PM

Well that is true but that was all caused by a rather stupid and flawed ballot design.

Score: 0

By tnculp

posted Oct 3, 2006 - 2:54 PM

This isn't really that complicated. A really easy solution would be to include an integrity check of the system's OS. Think redundant systems. If someone tries to load a new software version from the slot, the internal memory runs an integrity check against the new software. If they don't match, then the system locks out and alerts the officials. This way, the only way to break into this would be to physically break inside the machine, remove the flash ROM that contains the original software, and update it as well. Add some audible or silent alarms, like notification that the case has been opened, etc. and make it hell to break open in the first place.

Score: 0

By drumcat

posted Oct 3, 2006 - 3:49 PM

I know of some safes that are hard to open. That's not the point, either. Whether it's paper or electronic, it's the integrity of the process.

If you think your paper votes were hosed (Florida) or if you get turned away or messed with (Ohio), it doesn't matter whether it was paper or bits. What matters is transparency and fairness.

In reality, the best option isn't these voting machines. The key is mail-in voting. Don't make me go stand in a stupid line with some volunteers who try hard but don't have enough training. Then, after kinks get worked out, online. This is just a Diebold government handout.

Score: 0

By yohimbe9

posted Oct 3, 2006 - 3:43 PM

Sounds simple. Store a hash or something that identifies the "authentic" software. The problem is that with a proper boot-loader you could just re-write the hash with whatever you want. Or you could install a kernel patch of some sort that whenever the check is run a valid result is always returned.

Score: 0
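The exchange between tnculp and yohimbe9 above, as an added example that is not part of the original page or of any Diebold code: a check value that is merely a hash of the image on the card can be recomputed by whoever writes the card, while a keyed check (here an HMAC, standing in for the signature that "digitally signed memory card data" would imply, since Python's standard library has no signature primitive) fails for a modified image unless the verifier's key is also in the attacker's hands. The image bytes, the card layout and the ROM key are constructed for illustration; the assumption is that the key lives only in read-only storage, which is exactly the condition yohimbe9's bootloader objection attacks when the check value is rewritable.

```python
import hashlib
import hmac

# Constructed sample images; not a real AccuVote-TS firmware format.
GOOD_IMAGE = b"ballot-station firmware 1.0 (constructed sample)"
TAMPERED_IMAGE = GOOD_IMAGE + b" + vote-flipping patch"

# Assumption: this key exists only in the machine's read-only storage and is
# never written to a memory card, so someone who can only write cards cannot
# produce a valid tag for a modified image. (A public key in ROM plus a
# signature on the card would avoid the shared-secret problem Dr. Jones raised.)
MACHINE_ROM_KEY = b"constructed-rom-key-do-not-reuse"


def card_with_hash(image: bytes) -> dict:
    """Card layout as yohimbe9 reads tnculp's scheme: the image plus a plain hash."""
    return {"image": image, "check": hashlib.sha256(image).hexdigest()}


def verify_hash_only(card: dict) -> bool:
    """Recompute the hash; anyone who can write the card can write a matching hash."""
    return hmac.compare_digest(hashlib.sha256(card["image"]).hexdigest(), card["check"])


def card_with_mac(image: bytes, key: bytes) -> dict:
    """Card layout where the check value is keyed; only the key holder can produce it."""
    return {"image": image, "check": hmac.new(key, image, hashlib.sha256).hexdigest()}


def verify_mac(card: dict, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against one computed with the ROM key."""
    expected = hmac.new(key, card["image"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, card["check"])


def compare_schemes() -> dict:
    """Feed a legitimate and a tampered card to each check; report what each accepts."""
    forged_hash_card = card_with_hash(TAMPERED_IMAGE)  # forger recomputes the hash too
    legit_mac_card = card_with_mac(GOOD_IMAGE, MACHINE_ROM_KEY)
    # Without the ROM key the best a forger can do is reuse the old tag.
    forged_mac_card = {"image": TAMPERED_IMAGE, "check": legit_mac_card["check"]}
    return {
        "hash_accepts_good": verify_hash_only(card_with_hash(GOOD_IMAGE)),
        "hash_accepts_tampered": verify_hash_only(forged_hash_card),
        "mac_accepts_good": verify_mac(legit_mac_card, MACHINE_ROM_KEY),
        "mac_accepts_tampered": verify_mac(forged_mac_card, MACHINE_ROM_KEY),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {accepted}")
```

The hash-only check accepts the tampered card, the keyed check rejects it; the keyed check is only as strong as the secrecy and non-rewritability of the key, which is the key-management point the article's Iowa section makes.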

By drumcat

posted Oct 3, 2006 - 3:50 PM

Or, you can do the simple thing -- once the physical door is opened, it must be reset by a voting official.

Score: 0

By DotNet_Coder

posted Oct 3, 2006 - 3:35 PM

I agree with your post 100%. Make the system inaccessible to outside influence and a lot of the issues of ballot tampering would go out the window.

~dnc

Score: 0