Risks to the public
ACM SIGSOFT Software Engineering Notes archive
Volume 30 , Issue 4 (July 2005) table of contents
COLUMN: Risks to the public table of contents
Pages: 19 - 35
Year of Publication: 2005
ISSN:0163-5948
Author Peter G. Neumann SRI International Computer Science Lab, Menlo Park CA
Publisher ACM Press New York, NY, USA
ACM SIGSOFT Software Engineering Notes Page 27 July 2005 Volume 30 Number 4
My note: excerpt related to voting systems, pages 27-28
Election Systems
Seven voting machines under scrutiny in Wayne County (R 23 90)
The accuracy of some Republican votes cast 17 May 2005 in seven voting booths in three Wayne County (Pennsylvania) voting districts is being investigated, potentially affecting the outcome of two township supervisor races. For example, in Lehigh Township, 163 Republicans voted, but 211 votes were counted.
Multiple vulnerabilities in Diebold Optical Scan (Bruce O’Dell, R 23 94)
A technical report published by BlackBoxVoting.org (4 Jul 2005) details multiple critical security vulnerabilities in the Diebold Optical Scan voting equipment that was used to tally approximately 25 million votes in the 2004 US election. Harri Hursti, an independent security consultant – with the consent of election officials in Leon County, Florida – was able to take full control of the Diebold optical scan device and manipulate vote totals and audit reports at will.
The Diebold Precinct-Based Optical Scan 1.94w device accommodates a removable memory card. It had been believed that this card contained only the electronic “ballot box”, the ballot design and the race definitions; astonishingly enough, the memory card also contains executable code essential to the operation of the optical scan system. The presence of executable code on the memory card is not mentioned in the official product documentation. This architecture permits multiple methods for unauthorized code to be downloaded to the memory cards, and is wide open to exploitation by malicious insiders.
The individual cards are programmed by the Diebold GEMS central tabulator device via a RS-232 serial port connection or via modem over the public phone network. There are no checksum mechanisms to detect or prevent tampering with the executable code, and worse yet, there are credible exploits which could compromise both the checksum and executable. The report notes that this appears to be in violation of Chapter 5 of the 1990 Federal Election Commission Standards for election equipment, and therefore should never have been certified for use.
The executable code is written in a proprietary language, Accu-Basic. Accu-Basic programs are first compiled into ASCII pseudocode, which is then executed by an interpreter residing in the optical scan device. Hursti located an inexpensive device capable of reading and updating the memory cards advertised on the Internet, and using a publicly-available version of the Accu-Basic compiler (found on the Internet, along with Diebold source code and other documents, by Bev Harris in 2003) was able to exploit these vulnerabilities – and publicly demonstrated the ability to modify vote totals and audit reports at will.
According to the report:

Exploits available with this design include, but are not limited to:

1) Paper trail falsification – Ability to modify the election results reports so that they do not match the actual vote data

1.1) Production of false optical scan reports to facilitate checks and balances (matching the optical scan report to the central tabulator report), in order to conceal attacks like redistribution of the votes or Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)

1.2) An ingenious exploit presents itself, for a single memory card to mimic votes from many precincts at once while transmitting votes to the central tabulator. The paper trail falsification methods in this report will hide evidence of out-of-place information from the optical scan report if that attack is used.

2) Removal of information about pre-loaded votes

2.1) Ability to hide pre-loaded votes

2.2) Ability to hide a pre-arranged integer overflow

3) Ability to program conditional behavior based on time/date, number of votes counted, and many other hidden triggers.
According to public statements by elections officials(20), the paper trail produced by the precinct optical scan has been placed into the role of a vital safeguard mechanism. The paper report from the optical scan machine is the key record used to confirm the integrity of the central tabulator record. The exploits demonstrated in the false optical scan machine reports (“poll tapes”) shown on page 16 do not change the votes, only the report of the votes. When combined with the Trojan horse attack demonstrated by Dr. Thompson, this attack vector maintains an illusion of integrity by producing false reports to match the contaminated central tabulator report.
The exploit demonstrated in the poll tape with a true report containing false votes, shown on page 18, changes the votes but not the report. This example pre-stuffs the ballot box in such a way as to produce an integer overflow. In this exploit, a small number of votes is loaded for one candidate, offset by a large number of votes for the opposing candidate such that the sum of the numbers, because of the overflow, will be zero. The large number is designed to trigger an integer overflow such that after a certain number of votes is received it will flip the vote counter over to begin counting from zero for that candidate... combining the false report method (demonstrated on page 16) with the pre-arranged integer overflow (demonstrated on 18) seems to be an especially efficient exploit because it is a one-step process that takes out both the actual process and its safeguard at the same time, while surviving scrutiny of almost anything short of a full manual recount.
Reportedly, at least 500 jurisdictions used the vulnerable optical scan system in 2004; for example, the Diebold Precinct-Based Optical Scan 1.94w system counted approximately 2.5 million votes in 30 counties, or about one-third of all the votes in Florida, and nationwide, approximately 25 million votes. (http://www.freddevan.com/blog/archives/00006724.html).
Although the exploits described in the report could be uncovered if a full hand recount was performed, in practice, detection is unlikely. Most jurisdictions limit the time frame for contesting an election. For numerous reasons, both candidates and election administrators are reluctant to question the official tally, while hand recounts are expensive – with costs borne by the contesting party. Few elections tallied by optical scan equipment are ever fully recounted, and automatic recounts legally triggered by a narrow margin of victory will, of course, fail to detect large-scale manipulation that shifts results outside the recount threshold. Finally, there are classic problems with paper ballot chain of custody; the more time passes, and the further a paper artifact travels from its point of origin, the more vulnerable it is to tampering.
Therefore, the mere presence of a paper trail will not deter or detect electronic vote manipulation by malicious insiders unless the voter-verified paper ballot or optical scan ballot is actually randomly audited – preferably, in-precinct, on election night. Yet the cost and time required by a truly effective and random audit protocol undermines the case for electronically-assisted vote tallying. Therefore some analysts now recommend US implementation of the Canadian system – hand-counting of paper ballots in-precinct on Election Night, with accommodation for the visually-impaired – as the best countermeasure to systematic electronic election fraud.
Based on my experience in the financial services industry, discovery of multiple security vulnerabilities of this severity in equipment in use by any bank or brokerage house would trigger an immediate shutdown of all the affected systems, followed by a full internal and external audit, and, in all likelihood, formal investigation by regulatory and law enforcement agencies. We should accept no less from the election services industry.
The affected Diebold optical scan equipment should be immediately withdrawn from use in any election until independent recertification is achieved, or a secure alternative is obtained. All other election equipment – manufactured by Diebold or by other vendors – should be examined, and if subject to the same vulnerability, should also be withdrawn. An investigation to determine how equipment with such serious vulnerabilities to insider manipulation could ever have been certified should also be launched, and certification and oversight procedures enhanced.
Good people died to gain and defend our right to vote. Election administration must not be exempt from industry best practices for security, audit and control.
Stanley F. Quayle (R 23 95):
A $1 lottery ticket is serially numbered, with UV-encoded information, on tamper-evident paper, and tracked with a heavily-audited central system. Reasonable, since that ticket could be worth hundreds of millions of dollars.

Your ballot has a level of protection equal to its projected value: Zero. Until votes are worth something, they will continue to be worthless.
Electronic voting in the U.S. House – oops (Richard Schroeppel, R 23 96)
Excerpting an article about the recent US House of Representatives vote on CAFTA, which was preceded by some pretty intense politicking:

Hayes switched his vote, and the agreement passed 217-215. Hayes wasn’t the only North Carolina Republican voting for CAFTA. Sixth-term Rep. Sue Myrick, who represents a safe Republican district in Charlotte, announced her support for the treaty several weeks ago. Rep. Charles Taylor, who represents western North Carolina, also had pledged a no vote but missed the roll call. Taylor said he voted no but that it wasn’t recorded because his electronic voting card failed.
ACM COPYRIGHT NOTICE. Copyright © 2005 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or permissions@acm.org.