Voting Machines' no touch tampering

[Guest guest]

http://www.bradblog.com/archives/00002458.htm

 

Blogged by Brad on 2/22/2006 @ 12:06pm PT...

 

Why do Diebold's Touch-Screen Voting Machines Have

Built-In Wireless Infrared Data Transfer Ports?

IrDA Protocol Can 'Totally Compromise System' Without

Detection, Warns Federal Voting Standards Website

So far, no state or federal authority -- to our

knowledge -- has dealt with this alarming security

threat

 

 

We hate to pile on... (Or do we?)

 

But, really, with all the recent discussion of

California Sec. of State Bruce McPherson's

mind-blowing about-face re-certification of Diebold --

against state law, we hasten to add -- this may be a

good time to point out one small item that we've been

meaning to mention for a while.

 

As Jody Holder's recent comment points out,

McPherson's silly " conditions " for re-certification of

Diebold in California require a few

much-less-than-adequate knee-jerk " safe guards "

towards protection of the handling of the hackable

memory cards in Diebold's voting machines. (Here's

McP's full " Certificate of Conditional

Certification " ).

 

Never mind, as Holder mentions, that the protective

seals to be required are easily peeled away without

tearing. Or that such voting machines have been stored

in poll workers houses for weeks leading up to an

election. More to the point, for the moment, there are

ways to manipulate the information on those memory

cards even without removing them or breaking the

seals. This is more of a concern than ever, since it

was recently proven, by the now-infamous Harri Hursti

hack in Leon County, FL, that changing the information

on the memory cards can force election results to be

flipped...without a trace being left behind.

 

On that note, here's the little item we've been

meaning to point out. It's a photograph from the side

of a Diebold AccuVote TSx touch-screen voting machine:

 

 

Now we have no idea what that " IrDA " port is meant to

be used for with a touch-screen voting machine, but we

do know that the IrDA (Infrared Data Association) is

an Infrared port used for wireless connection between

two devices. We used to have one on the back of our

notebook and desktop computers which we used to keep

the two systems synched up via wireless data transfers

over that Infrared port.

 

A few election watchdog groups, including some members

of the National Institute of Standards and Technology

(NIST) who works with the federal authorities on these

matters, have issued warnings about the IrDA port and

protocols on voting machines. However, little -- if

anything -- seems to have been done to mitigate the

rather obvious security threat posed, as far as we can

tell.

 

Here's how a page at Microsoft.com, last updated

December 4, 2001, explains cable-free Infrafred data

transfer on the Microsoft Windows CE operating system

(the operating system which happens to be used in

Diebold's AccuVote touch-screen voting machines --

like the one pictured above)...

 

 

Imagine the following scenario: Two notebook computers

are placed beside each other. A computer icon appears

on both desktops with the name of the peer computer

below it. Open one of the icons to display a folder

with the contents of the peer computer's desktop.

Drag-and-drop between your desktop and the open folder

to move files between the two computers.

 

 

Imagine that the only configuration that this

application required to be installed or used was the

ability for the user to enable or disable it. Imagine

that multiple such applications could be running at

the same time without interfering with each other.

 

 

Imagine that this application could run on 23 million

existing notebook computers at a transfer speed of

115Kbps, and on 14 million existing notebook computers

at 4MBps. Imagine that all applications, regardless of

the speed of the underlying hardware, would work with

all other applications at a common fastest speed.

 

 

Imagine that the other notebook computer in this

example was a digital still camera, a handheld

personal computer, a data capture device or a device

that supports electronic commerce.

 

 

As a bonus, assume that the two computers do not need

to be cabled together.

 

 

This application is currently possible under

Microsoft® Windows® CE and the Windows family of

operating systems. The underlying technology is based

on inexpensive, widely available short-range infrared

transceivers that adhere to the Infrared Data

Association (IrDA) standards. IrDA standards

(available from the IrDA at http://www.irda.org) also

enable non-Windows devices to talk to Windows-based

applications.

 

 

There ya go.

 

 

The issue of the IrDA port on touch-screen voting

machines hasn't been much discussed as far as we can

tell. VotersUnite.org issued an alert mentioning it,

with a photograph (seen at right), back on October 26,

2004. The alert warned:

 

 

3) A dangerous port on the Diebold touch screen!!

 

This from TrueVoteMD: Diebold AccuVote TS electronic

voting machines have an infrared (IrDA) port

installed. This is a remote communication port through

which another remote device could communicate with the

touch screen and change either its data or its

software or both.

 

If your county uses Diebold touch screens, let your

county officials and election judges know that it is

crucial to cover the IR port with opaque tape.

 

 

The National Institute for Standards and Technology

(NIST) -- who works with the federal Election

Assistance Commission (EAC) to develop and recommend

guidelines for electronic voting machines -- issued a

similar warning [PDF] about the Infrared ports on

voting machines in a report which warned " The use of

short range optical wireless, " like infrared,

" particularly on Election Day should not be allowed. "

 

As mentioned, since touch-screen machines have been

stored at poll workers' houses and other unsecured

locations prior to Election Day, and since data can be

transferred to the machines and their memory cards via

Infrared -- even without removing the cards or

breaking their protective seals -- the IrDA ports

would seem to be a tremendous concern.

 

The NIST report discusses such concerns and some of

the troubling security issues with IrDA protocols:

 

 

How Secure is IrDA

 

IrDA does not provide encryption at the Physical

Layer, and depends on the end systems to implement

security if any.

....

With optical, it is possible for a session to be

‘hijacked’ unless strong authentication measures are

implemented between communicating systems. When a

session is hijacked, a foreign device masquerades as a

trusted system that is authorized to exchange data.

Because the system has no way to distinguish the

masquerader from the authorized system, it will accept

anything from it as if [sic] was authorized.

 

 

The undated report -- from the EAC's own standards

body, NIST -- then goes on to describe how simple and

readily available IrDA software drivers are to obtain

for use with UNIX and most Windows Operating Systems,

including Windows CE. As well, it points out that such

software could add executable code to the machines on,

or prior to, Election Day and could then delete itself

after ithe code has completed its main purpose

[emphasis ours]:

 

 

IrDA Software

 

IrDA software drivers are available form [sic] a

number of sources for use with UNIX, Windows and other

Operating Systems (OS). Most versions of MS Windows

come with support for IrDA already included. This is

true of the MS Windows CE operating system as well as

Windows XP. Microsoft also provides a free IrDA driver

which can be downloaded from it web site. Other

suppliers of IrDA systems (e.g., Ericsson) offer their

own drivers including source code (Texas Inurnments

[sic]).

 

With the source code available, an interrupt handler

(executable code) could easily be added. For example,

when the voting terminal receives a special bit

configuration (caused by holding down multiple keys

concurrently) that is outside the usually accepted

range, a special interrupt could be generated invoking

a handler that could be programmed to perform any

desired function. This would require a small amount of

code and could easily be hidden; such code would be

difficult to discover.

 

If such code was installed in the driver, which is

considered to be Commercial-Off-The-Shelf (COTS) [even

if compiled and installed by the voting system

manufacturer] it would not be examined by the ITAs

[the federal Independent Testing Authorities].

 

Code in such a handler could be designed to place the

voting terminal in a mode where it downloads and

install [sic] an executable module, thus allowing

unapproved logic to be added to the voting machine

while in use on Election Day. Obviously this

executable could perform any function the programmer

desired including deleting itself when finished. The

only recourse is to disallow communications with the

voting terminal during use. It might be augured [sic]

that such code could be added the day before Election

Day.

 

 

Obviously, that last paragraph is very troubling. But

also note the section about COTS.

 

The source code for that " Commercial-Off-The-Shelf "

software is what Diebold recently argued that they

couldn't provide to North Carolina after they changed

their law to require all voting machine vendors to

submit such code in order to receive state

certification. Diebold went to state court arguing

they shouldn't be forced to supply the source code for

COTS software. Eventually, they lost that battle, and

notified North Carolina they preferred to pull out of

the state entirely (if the state wouldn't change the

law for them) rather than complying with the state law

requiring the submission of all such source code.

 

And another comment posted to NIST's voting website

[PDF] by James C. Johnson on October 5, 2005, also

discusses the concern, revealing that the use of the

IrDA protocols could be used at any time, even after

final " Logic and Accuracy " tests have been performed,

and thus " totally compromising the system " :

 

 

In Diebold System's AccuVote TS systems these [irDA]

ports are supported using Microsoft's Windows CE with

Winsock. This makes the application interface easy to

program to, and all required drivers are already

installed in the OS.

 

It is interesting that the VVSG [Voluntary Voting

System Guidelines] currently under development, while

mentioning this technology does nothing to restrict or

prevent its use, not even on Election Day.

 

It is understandable that communications technology be

used for pre election preparation, but is totally

irresponsible and inexcusable to allow it to be used

during an election. The presence of this technology

makes it possible to upload to the voting system

anything that is desired after the final " Logic and

Accuracy " test have been performed, thus totally

compromising the system.

 

 

Perhaps some of you have additional thoughts on this

matter. Like why such a port would be needed, or even

present, on a touch-screen voting machine at all. And

why the existence of such a port -- to our knowledge

-- has hardly been discussed at all in conjuction with

these machines. Especially in light of the

now-infamous Leon County, FL " hack test " proving that

executable code can be added to Diebold's memory cards

resulting in a completely flipped election...as we've

said...without a trace being left behind.