Diebold Blasts Felten Study

by on September 15, 2006 · 14 comments

Diebold has released a response to the Felten study. It appears to me to be misleading in several important respects, so I thought it merited a quick fisking:

Three people from the Center for Information Technology Policy and Department of Computer Science at Princeton University today released a study of a Diebold Election Systems AccuVote-TS unit they received from an undisclosed source. The unit has security software that was two generations old, and to our knowledge, is not used anywhere in the country.

As I noted yesterday, this response would be a lot more credible if Diebold had a habit of submitting its machines to independent review. It’s hardly Felten’s fault that he had trouble getting access to a newer version of the machine.

Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit.

These precautions obviously make it more difficult to introduce malicious software into the machine, but they're far from foolproof. Given that it only takes a minute to install Felten's software, and that there's no external evidence of tampering once the software has been installed, it seems likely that even the best-designed security procedure will leave opportunity for insiders to introduce malicious code. This is particularly true given that Felten developed a version of the software that could be spread via virus.

A virus was introduced to a machine that is never attached to a network.

I think they think this is some kind of contradiction in terms, but non-network viruses are in fact quite common. Indeed, the first viruses were spread among Macs and PCs on floppy disks in the 1980s, long before the Internet burst onto the scene. And Felten described a perfectly plausible scenario by which the virus could spread: technicians use a single memory card to install software updates on dozens of machines. If the card is placed in an infected machine, the card would become infected and would then infect all subsequent machines. So it's not clear how this sentence is a refutation of anything Felten wrote. Either whoever wrote this press release didn't read the paper, or he's counting on reader ignorance.

By any standard – academic or common sense – the study is unrealistic and inaccurate. The current generation AccuVote-TS software–software that is used today on AccuVote-TS units in the United States – features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more. These touch screen voting stations are stand-alone units that are never networked together and contain their own individual digitally signed memory cards.

Encryption is not magic pixie dust that can be sprinkled on a computer system to make it secure. Hence, the fact that the machine employs sophisticated encryption algorithms tells us absolutely nothing about whether the machines are secure.

Depending on how it’s implemented, digitally signed memory cards could improve the security of the system–particularly if the system authenticates new software found on memory cards before allowing it to be installed on the machine. But, again, the effectiveness of such a strategy depends on the implementation details. Given how poorly the 2002 software was designed, we have little reason to take Diebold at their word when they say that the new software is well-designed.
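To make the two points above concrete (the memory-card propagation scenario, and why "digitally signed memory cards" only help if the machine authenticates the software image before installing it), here is an added simulation. It is not code from the post, from Felten's study or from Diebold; the fleet size, the index of the machine assumed compromised beforehand, and both software images are constructed placeholders, and the signature scheme is Ed25519 from Go's standard library, chosen for the example rather than anything the page attributes to the real machines.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is the payload a technician's memory card carries: a software image
// plus the manufacturer's Ed25519 signature over that image. Both images used
// below are constructed placeholder byte strings, not real firmware.
type Update struct {
	Image []byte
	Sig   []byte
}

// Card is the single removable memory card the technician carries from
// machine to machine (the scenario described in the post).
type Card struct {
	Update Update
}

// Machine models one terminal. With VerifyUpdate unset it installs whatever
// is on the card; with it set, it installs only an image whose signature
// verifies under the manufacturer's public key.
type Machine struct {
	ID           int
	VerifyUpdate bool
	ManufPub     ed25519.PublicKey
	Infected     bool
}

// Service models inserting the card to apply an update. It returns whether
// the machine accepted the image. An already-compromised machine overwrites
// the card with the tampered image, which is how one bad machine reaches the
// rest of the fleet without any network connection.
func (m *Machine) Service(c *Card, tampered []byte) bool {
	u := c.Update
	if m.VerifyUpdate && !ed25519.Verify(m.ManufPub, u.Image, u.Sig) {
		// The signature check runs before anything on the card executes, so
		// a tampered image is rejected and cannot compromise this machine.
		return false
	}
	if bytes.Equal(u.Image, tampered) {
		m.Infected = true
	}
	if m.Infected {
		// The attacker has no manufacturer signing key, so the stale
		// signature no longer matches the image written back to the card.
		c.Update = Update{Image: tampered, Sig: u.Sig}
	}
	return true
}

// Simulate walks one card through n machines in order. Machine `seed` is
// assumed compromised beforehand (the post's "direct access" case); it is a
// hypothetical index chosen for the demonstration. It returns how many
// machines end the round compromised.
func Simulate(n, seed int, verify bool) (int, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, err
	}
	genuine := []byte("constructed placeholder: genuine software image")
	tampered := []byte("constructed placeholder: tampered software image")

	// The card starts out carrying a correctly signed genuine update.
	card := &Card{Update: Update{Image: genuine, Sig: ed25519.Sign(priv, genuine)}}

	fleet := make([]*Machine, n)
	for i := range fleet {
		fleet[i] = &Machine{ID: i, VerifyUpdate: verify, ManufPub: pub, Infected: i == seed}
	}
	for _, m := range fleet {
		m.Service(card, tampered)
	}

	infected := 0
	for _, m := range fleet {
		if m.Infected {
			infected++
		}
	}
	return infected, nil
}

func main() {
	for _, verify := range []bool{false, true} {
		n, err := Simulate(20, 5, verify)
		if err != nil {
			panic(err)
		}
		fmt.Printf("verify signatures=%-5v compromised machines after one round: %d of 20\n", verify, n)
	}
}
```

Without verification, every machine serviced after the compromised one ends the round compromised; with verification, the card does get overwritten but no other machine will run what is on it. That outcome holds only under the assumptions the post flags as implementation details: the signing key stays off the machines, and the check happens before any code from the card executes. Signing the vote data instead of the software image, as McGath notes in the comments, would not stop this at all.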

In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines – every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.

This ignores the fact that machines can be infected at any time–weeks or even months before an election–and the infection can be virtually impossible to detect. This can be done either with direct access to machines, or by infecting memory cards that subsequently infect the machines. Given that infection takes only a minute, and that only one machine or memory card needs to be infected to start the spread of the virus, it strikes me as highly implausible that even the most stringent security procedures could prevent a determined insider from infecting a machine.

Diebold strongly disagrees with the conclusion of the Princeton report. Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis. Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day.

I would be interested in more details about the third party security analysis that has been performed. If, as Felten alleges, these analyses have been commissioned by Diebold, that hardly counts as an independent assessment. The first step would be to offer Prof. Felten the opportunity to evaluate the latest version of their machine so that he can verify their claims that the flaws he identified have been fixed.

The bottom line is that “trust us” just doesn’t cut it when it comes to the integrity of our voting system. Diebold may very well be right that the flaws Felten found were fixed in subsequent versions, but the burden of proof is on Diebold, not on Prof. Felten.

  • http://techdirt.com/ Mike Masnick

    Nice work, Tim.

    One small addition that may be worth mentioning in response to their “Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering” claim.

    If you read Avi Rubin's recent report on working as an election judge, you see he points out that the security tape is useless. In many cases it's removed by staff for other reasons and it's nearly impossible for anyone to notice if it's been broken.

    The whole thing is worth reading, but the key section would be this:

    For example, I carefully studied the tamper tape that is used to guard the memory cards. In light of Hursti’s report, the security of the memory cards is critical. Well, I am 100% convinced that if the tamper tape had been peeled off and put back on, nobody except a very well trained professional would notice it. The tamper tape has a tiny version of the word “void” appear inside it after it has been removed and replaced, but it is very subtle. In fact, a couple of times, due to issues we had with the machines, the chief judge removed the tamper tape and then put it back. One time, it was to reboot a machine that was hanging when a voter was trying to vote. I looked at the tamper tape that was replaced and couldn’t tell the difference, and then it occurred to me that instead of rebooting, someone could mess with the memory card and replace the tape, and we wouldn’t have noticed.

    Again, Diebold’s response to yet another security problem is sickening.

  • http://mcgath.blogspot.com Gary McGath

    My analysis is here:
    http://mcgath.blogspot.com/2006/09/diebolds-voting-machines.html

    The study specifically explains how a “virus” (not a true virus, actually) can be spread through the use of memory cards, without being networked. Diebold apparently doesn’t even grasp the issue.

    Encryption doesn’t help if the voting software can be modified, since it can just call the subroutine that adds a vote and it will perform the necessary encryption.

    The real hole in the system is that the machines can be subverted by inserting a card in a slot. The bootstrap loader itself can be replaced. It doesn’t matter how many chains and bolts are on the box, under the circumstances.

  • http://www.codemonkeyramblings.com MikeT

    Count me among those who are neither surprised, nor particularly concerned about the death of democracy in America. It's not like universal democracy has done a damn thing to make this country freer. I fail to see how a benevolent dictator could be any worse than the democratic totalitarianism we have today. The more that democracy has spread its influence, the more that our constitutional republic has waned and the more that every aspect of life has been politicized.

    As long as death squads and other related unpleasantries don’t come the average voter’s way, they won’t care about these security holes. You can explain it to them, but it’ll just be a theoretical problem until the day comes that it affects them.

    The simplest solution to the problem is to treat voter fraud for what it is: a coup d’etat accomplished quietly. I would suggest at least a decade in prison for simple voter fraud, life in prison for those who organize small fraud campaigns and the death penalty for conspiracy to commit widespread voter fraud, but that would offend the sensibilities of upperclass America, which can’t countenance the thought of executing people for a “white collar crime.”

  • http://benfulton.net/blog Ben Fulton

    Are there any studies concerning the Microvote machines that are being foisted off on Indiana residents? The company is so much smaller than Diebold that I doubt it gets the same scrutiny, but it’s important to some of us :)

  • http://www.blackboxvoting.org Bev Harris

    I was particularly interested in their claim to physical security. Our organization, Black Box Voting, examined voting machines that had just been delivered for use in Utah. These were delivered in January 2006, and were for use in the 2006 elections.

    There were only 8 screws, and none of them were secured in any way. There were no seals.

    What was especially curious is that one of our researchers, Jim March, also had the opportunity to examine a TS machine of the same vintage that the Princeton guys had. He noted that in designing the case for the older version, some attention was paid to securing the case. One screw was behind a panel that required a key to get in. This indicates that Diebold understood, at least in a rudimentary fashion, that security of the case was important.

    The newer model had LESS security. In fact, absolutely no security to prevent getting inside the case, which has all kinds of goodies.

    As an added bonus, the newer Diebold model’s locking doors over the memory card bays literally fall out when you open the case.

    When a couple of us ol’ ladies at Black Box Voting recently penetrated the optical scan machine’s case and memory card, Diebold’s response was to “scoff” at the idea that anyone would be dishonest enough to take four minutes and spend $12 on tools (allen wrench, phillips-head screwdriver, needle-nosed pliers) to actually open the case (and thereby gain the only access needed to own the election).

    I guess Princeton has one up on us — Diebold criticizes their technique. All we get is "scoffs."

    Real answers would be nice.

    Under penalty of perjury.

  • Guy Hathaway

    I've sent this URL to everyone in my "Voters" list (all citizens of voting age in my address book, regardless of party affiliation), with my strongest recommendation that they do the same. You and a few others merit promulgation by all means, to all citizens.

    This election is the big one, I think. We can't let those who are trying to steal our election process continue to gnaw away at the only means we have to employ public servants who may actually represent those of us who vote for them.

    Thank you for what you do.

  • Dale

    I live in Canada and have been following the ongoing electronic voting debacle that is happening in the USA (no insult meant) and I have but one thing to say to our paper based voting system.

    YEEEEEEEEAAAAAAAAAAAAHHHHHHHHHHHHHHHH!!!!!! :-)
