Could Crypto Resolve the Voting Machine Controversy?
In a detailed analysis paper and video that are continuing to make waves, a trio of Princeton University Dept. of Computer Science researchers demonstrated last month how Diebold AccuVote-TS electronic voting machines -- the very devices recommended to end the 2000 "nightmare of the hanging chads" -- could be easily compromised by injecting malicious software through a memory card at boot time.
With mid-term elections in the U.S. just a few weeks away, and the balance of power in both houses of Congress made more tenuous with the emergence of even more political scandals, the likelihood is growing that the outcome of close elections this November may be challenged if the technology relied upon to secure those elections comes under question.
The Princeton video showed how any individual -- not necessarily an election official -- could either unlock or break into the memory card slot on a TS system, to insert malicious code that the voting machine absorbs into memory automatically as though it were a ROM upgrade. Malicious software can then flip votes as they are entered, from one party or candidate to another, altering the result as it appears on the printed tally.
The software averts detection during what Diebold considers an "integrity check," and can then delete itself, and all remnants of its misdeeds, at the time the election official presses the on-screen button to "End Election."
A few days after the demo was first posted, Princeton's Ed Felten added that the memory card slot could be broken into using the same kind of lock-picking tool used to break open hotel mini-bars.
Diebold Election Systems officials have since maintained that the AccuVote-TS system compromised by Princeton researchers Ariel J. Feldman, J. Alex Halderman and Edward W. Felten was an older model that was "two generations old," the company said, "and to our knowledge, is not used anywhere in the country."
"The current generation of AccuVote-TS software," stated Diebold President Dave Byrd, "features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more."
Whether newer versions of Diebold's software do contain these encryption features, Princeton's Ed Felten wrote for the blog Freedom to Tinker, may be totally irrelevant. "Diebold does not assert that any of these measures would prevent the attacks described in our paper," Felten wrote. "Nor do we see any reason why they would."
The issue, Felten implies, isn't whether voting machines use encryption, but whether they're actually encrypting the most vulnerable and sensitive portions of each transaction. Since Byrd himself, for instance, contended that an AccuVote-TS never has to be networked to be usable -- and therefore cannot be exposed to a network-based attack -- the value of SSL as an asset to such a system becomes dubious.
The Princeton paper is by no means the first serious examination of the integrity of Diebold systems, as the researchers themselves state. Three years ago, researchers from the University of Iowa Dept. of Computer Science presented a paper at the USENIX Security Symposium in Washington, D.C., entitled "The Diebold AccuVote-TS Should Be Decertified."
That paper tells the story of how researchers were first introduced to AccuVote systems through the company that originally produced it, I-Mark Systems, prior to its acquisition by Diebold in 2002.
At that time, the University of Iowa's Dr. Douglas Jones reported, he examined the new system for certification for use in Iowa statewide elections. The minutes of the State Board of Examiners recorded Dr. Jones' preliminary objections: "Dr. Jones also expressed concern about data encryption standards used to guarantee the integrity of the data on the machine. DES requires the use of electronic keys to lock and unlock all critical data. Currently all machines use the same key. Dr. Jones stated that this is a security problem. However, the use of a single key for all machines is not a condition that would disqualify the system under Iowa law."
Almost seven years later, Dr. Jones wrote, a reporter discovered that the source code for AccuVote systems' voting software -- by that time, produced by Diebold -- was being shared openly among employees through an unencrypted FTP site, which allowed anonymous users. The existence of the site had apparently been touted by Diebold as an asset -- a way for developers to implement rapid "technology transfers" -- during a PowerPoint presentation Diebold made in 2003 to the State of Georgia.
Dr. Jones' discovery prompted him to investigate the other areas in which AccuVote systems might be vulnerable. He found that 2003 model systems used the same single encryption key as I-Mark's 1997 editions.
Other security techniques, Dr. Jones wrote, were also similarly pointless in his view: "Their use of smartcards, it turns out, was not at all clever, but was just as bad as their use of the Federal Data Encryption Standard, ignoring almost everything known about security and key management, and open to attack by outsiders with no access to the source code because keys were transmitted to the card in plaintext form."
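The threads above, the boot-time loading of whatever sits on the memory card, Diebold's claim of "Digitally Signed memory card data," and Dr. Jones' objection that "all machines use the same key," come down to one design question: what must a terminal check before it loads code, and where does the key for that check live? As an added illustration (not from the article, the Princeton paper, or Diebold), the following Go program models that boot-time check with three policies: no check, which matches the behaviour described for the tested machine; a MAC under a single symmetric key present in every terminal, where the key material inside any one machine is enough to produce a tag every other machine accepts; and a public-key signature where terminals hold only the election authority's verification key. The image format, type names and sample payloads are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// UpdateImage models what a terminal reads from a memory card at boot.
// Constructed for this example; it is not any vendor's real format.
type UpdateImage struct {
	Payload []byte // code the terminal would load
	Tag     []byte // MAC or signature over Payload, depending on policy
}

// Policy decides whether the terminal loads img.Payload.
type Policy interface {
	Accept(img UpdateImage) bool
}

// NoCheck loads whatever is on the card, as described for the tested machine.
type NoCheck struct{}

func (NoCheck) Accept(img UpdateImage) bool { return true }

// SharedMAC: every terminal holds the same symmetric key and verifies an HMAC.
// Because the key sits in every machine, the contents of any one terminal are
// enough to produce tags that all terminals accept (the single-key objection).
type SharedMAC struct{ Key []byte }

func macTag(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

func (p SharedMAC) Accept(img UpdateImage) bool {
	return hmac.Equal(img.Tag, macTag(p.Key, img.Payload))
}

// PublicKeySig: terminals hold only the authority's public key. The signing key
// never leaves the authority, so nothing stored on a terminal can sign an image.
type PublicKeySig struct{ Pub ed25519.PublicKey }

func (p PublicKeySig) Accept(img UpdateImage) bool {
	return len(img.Tag) == ed25519.SignatureSize && ed25519.Verify(p.Pub, img.Payload, img.Tag)
}

// Result records, per policy, whether the authority's genuine image is accepted
// and whether an image prepared using only what is stored on a terminal is accepted.
type Result struct{ GenuineAccepted, TerminalOnlyAccepted bool }

// RunScenario builds fresh keys and evaluates the three policies.
func RunScenario() (map[string]Result, error) {
	genuine := []byte("constructed: authority-approved ballot software v1")
	other := []byte("constructed: software never approved by the authority")

	sharedKey := make([]byte, 32) // the one key every terminal would carry
	if _, err := rand.Read(sharedKey); err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // priv stays with the authority
	if err != nil {
		return nil, err
	}

	results := map[string]Result{}

	results["no-check"] = Result{
		GenuineAccepted:      NoCheck{}.Accept(UpdateImage{Payload: genuine}),
		TerminalOnlyAccepted: NoCheck{}.Accept(UpdateImage{Payload: other}),
	}

	// The terminal's own key is all that is needed to produce a valid tag.
	sm := SharedMAC{Key: sharedKey}
	results["shared-mac"] = Result{
		GenuineAccepted:      sm.Accept(UpdateImage{Payload: genuine, Tag: macTag(sharedKey, genuine)}),
		TerminalOnlyAccepted: sm.Accept(UpdateImage{Payload: other, Tag: macTag(sharedKey, other)}),
	}

	// Without the authority's private key, the most a terminal's contents yield is
	// the signature copied from the genuine image, which does not verify over other data.
	pk := PublicKeySig{Pub: pub}
	genuineSig := ed25519.Sign(priv, genuine)
	results["public-key"] = Result{
		GenuineAccepted:      pk.Accept(UpdateImage{Payload: genuine, Tag: genuineSig}),
		TerminalOnlyAccepted: pk.Accept(UpdateImage{Payload: other, Tag: genuineSig}),
	}
	return results, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"no-check", "shared-mac", "public-key"} {
		r := results[name]
		fmt.Printf("%-11s genuine accepted=%-5v terminal-only accepted=%v\n",
			name, r.GenuineAccepted, r.TerminalOnlyAccepted)
	}
}
```

The point the program makes is the one Felten's response hints at: encryption of transmitted results (SSL) and encryption of stored data say nothing about whether the terminal authenticates the code it loads, and a check whose key is present in every machine gives little more assurance than no check once one machine has been opened. Only the third policy lets a terminal reject an image without the election authority's cooperation.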