A few days ago Ed Felton announced he and his students had released a detailed security analysis of the Diebold AccuVote-TS voting machine. The executive summary and/or demonstration video is well worth a look, and the full research paper is a must-read for anyone interested in computer security.
By later that day, the president of Diebold Election Systems had issued a rebuttal. I’m a security dabbler, not an expert, but to my semi-trained eye the rebuttal looks like a bunch of smoke. I’m looking forward to hearing the Princeton authors’ response [Update 9/22: posted here], but while I’m waiting for that here’s my own take on it:
September 13, 2006 – “Three people from the Center for Information Technology Policy and Department of Computer Science at Princeton University today released a study of a Diebold Election Systems AccuVote-TS unit they received from an undisclosed source. The unit has security software that was two generations old, and to our knowledge, is not used anywhere in the country.
If they really believe their current systems are secure, they should put their machines up for independent external review so groups like Felton’s wouldn’t have to rely on leaked code and old machines for testing. I also notice this rebuttal nowhere says “yes, those were security flaws in the machines we distributed back in 2002, but we’ve fixed them since then.” And many (though not all) of the security problems cited in the report are inherent in the system’s basic architecture — it’ll take more than a software update to fix them.
Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit.
The main attack the Princeton paper talks about is one where a criminal (possibly working as a poll worker) infects the memory card used to set the list of races and candidates with a virus, or alternatively substitutes the real memory card with an infected one. Then the virus is automatically loaded onto the machine when the election parameters are set — before any numbered security tape is placed. Security tape only protects from a voter trying to infect a machine on election day, not from a substitute when the machines are still being configured for the next day’s election.
A virus was introduced to a machine that is never attached to a network.”
Remember before the Internet, when viruses were things that were transmitted from floppy to floppy? That’s what this virus does. And the election definition files and software upgrades are both transmitted via these memory cards, so if an infected machine gets a definition update then any machine that gets the update from that same card afterwards will also get the virus.
“By any standard – academic or common sense – the study is unrealistic and inaccurate.”
I suppose that could be, but he’s said nothing to make me think it’s the case.
“The current generation AccuVote-TS software – software that is used today on AccuVote-TS units in the United States – features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more.”
None of these security measures matter for the attacks described in the report. To give an analogy, the Princeton report was all about how Diebold keeps leaving the windows wide open, and this paragraph is bragging about how strong the deadbolt is on the front door.
“These touch screen voting stations are stand-alone units that are never networked together and contain their own individual digitally signed memory cards.”
This is the first statement that addresses anything in the Princeton report, as the machine they studied did not have digitally-signed memory cards. Assuming he’s not just, well, lying out his ass, that’d help against one of the attacks they mention. However, as the report points out in section 5.1, there are still many other attacks that are inherent in the design of the Diebold system’s basic architecture that can’t be fixed with simple software modifications like this. For example, a criminal could replace the EPROM chip on the motherboard directly.
“In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines – every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.”
Actually, they talk about the physical security and election procedures at length in their report. For example, they point to a recent study of the AccuVote DRE election processes showing that more than 15% of polling places reported at least one problem with seals (see Figure III-16, p. 67). They also point out the difficulty in dealing with an attack where a voter simply unlocks the machine and does nothing more than break the seal, in an attempt to invalidate votes cast in a district that tends to favor his opponent. And, just to add insult to injury, Felton today posted that the lock on the Diebold voting machines can be opened by a hotel minibar key. Some physical security.
“Diebold strongly disagrees with the conclusion of the Princeton report. Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis.”
“Third party” in this case still means companies hired by the manufacturer, and reporting directly to the manufacturer. The system isn’t made available for truly independent security analysis.
“Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day.”
Translation: nothing to see here, please pay no attention to the huge gaping hole in our security and our reputation.