Scientists call Diebold security flaw 'worst ever'

http://www.insidebayarea.com/portlet/article/html/fragments/print_article.jsp?article=3809493


Critics say hole created for upgrades could be exploited by someone with nefarious plans

Computer scientists say a security hole recently found in Diebold Election Systems' touch-screen voting machines is the "worst ever" in a voting system.

Election officials from Iowa to Maryland have been rushing to limit the risk of vote fraud or disabled voting machines since the hole was reported Wednesday.

Scientists, who have conferred with Diebold representatives, said Diebold programmers created the security hole intentionally as a means of quickly upgrading voting software on its electronic voting machines.

The hole allows someone with a common computer component and knowledge of Diebold systems to load almost any software without a password or proof of authenticity and potentially without leaving telltale signs of the change.

"I think it's the most serious thing I've heard to date," said Johns Hopkins University computer science professor Avi Rubin, who published the first security analysis of Diebold voting software in 2003. "Even describing why I think it's serious is dangerous. This is something that's so easy to do that if the public were to hear about it, it would raise the risk of someone doing it. ... This is the worst-case scenario, almost."

Diebold representatives acknowledged the security hole to Pennsylvania elections officials in a May 1 memo but said the "probability for exploiting this vulnerability to install unauthorized software that could affect an election is considered low."

California elections officials echoed that assessment Friday in a message to county elections chiefs.
-snip-
-------------------------------------


"probability for exploiting this vulnerability to install unauthorized software that could affect an election is considered low."

what the shit! we don't want "low", we want NONE

I feel it in my gut that the machines are completely accurate and trustworthy.


:hide:

This sounds to me like sticking a pcmcia or usb drive into the machine with an autorun. if that's the case it can self-reference and run a simple query that modifies votes since we know the db itself is MS Access based (IIRC). This is friggin trivial to do if im reading this correctly.

With a USB port that was easily accessible, all grades of mischief would be possible. Just plug that USB fob in and off you go with an auto-run "update". Or maybe plug in that digital camera or whatever else with a USB connection.

Or would it be even better with one of the wireless or IR ports. Link up with something in someone's pocket.

I'm referring to ne'er do wells that break into university or government or other industry computers either "for fun" or to do damage. Why not be patriotic and break into these machines in a hugely obvious way to grab the attention of everyone (even the backwash) once and for all.