Diebold touch-screen voting machines can be programmed for fraud years in advance

New report reveals that Diebold touch-screen voting machines can be programmed for fraud years in advance

Fri, 12 May 2006 19:00:15 -0400 (EDT)

Black Box Voting 2006 May 11

http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/27675.html

5-11-06: Three-level security flaws found in Diebold touch-screens

Bev Harris

Board Administrator

Posted on Thursday, May 11, 2006 - 12:34 pm

Due to the nature of this report it is distributed in two different versions. Details of the attack are only in the restricted distribution version considered to be confidential. Fewer than 50 words have been redacted in the version below.

Overview
Note: Please refrain from speculation or public discussion of inappropriate technical details.

This document describes several security issues with the Diebold electronic voting terminals TSx and TS6. These touch-pad terminals are widely used in US and Canadian elections and are among the most widely used touch pad voting systems in North America. Several vulnerabilities are described in this report.

One of them, however, seems to enable a malicious person to compromise the equipment even years before actually using the exploit, possibly leaving the voting terminal incurably compromised.

These architectural defects are not in the election-processing system itself. However, they compromise the underlying platform and therefore cast a serious question over the integrity of the vote. These exploits can be used to affect the trustworthiness of the system or to selectively disenfranchise groups of voters through denial of service.

http://www.blackboxvoting.org/BBVtsxstudy.pdf (327 KB)

Critical Security Alert: Diebold TSx and TS6 voting systems

by Harri Hursti, for Black Box Voting, Inc.

Three-layer architecture, 3 security problems
Each can stand alone or combine for 3-layer offense in depth
As an oversimplification, the systems in question have three major software layers: boot loader, operating system and application program. As appropriate for current designs, the first two layers should contain all hardware specific implementations and modifications, while the application layer should access the hardware – the touch pad, memory card, the network etc. – only via services and functions provided by the operating system and therefore be independent of the hardware design. Whether the architecture in question follows these basic guidelines is unknown.

Based on publicly available documentation, source code excerpts and testing performed with the system, there seem to be several backdoors to the system which are unacceptable from a security point of view. These backdoors exist in each of these three layers and they allow the system to be modified in extremely flexible ways without even basic levels of security involved.

In the worst case scenario, the architectural weaknesses incorporated in these voting terminals allow a sophisticated attacker to develop an "offense in depth" approach in which each compromised layer will also become the guardian against clean-up efforts in the other layers. This kind of deep attack is extremely persistent and it is noteworthy that the layers can conceal the contamination very effectively should the attacker wish that. A quite natural strategy in these types of situations is to penetrate, modify and make everything look normal.

Well documented viral attacks exist in similar systems deploying interception and falsification of hash-code calculations used to verify integrity in the higher application levels to avoid detection. The three-level attack is the worst possible attack. However, each layer can also be used to deploy a stand-alone attack. The TSx systems examined appear to offer opportunities for the three-level attack as well as the stand-alone attacks.

It is important to understand that these attacks are permanent in nature, surviving through the election cycles. Therefore, the contamination can happen at any point of the device's life cycle and remain active and undetected from the point of contamination on through multiple election cycles and even software upgrade cycles.

Here is a rough analogy:
- The application can be imagined as written instructions on a paper. If it is possible to replace these instructions, as it indeed seems, then the attacker can do whatever he wishes as long as the instructions are used.

- The operating system is the man reading the instructions. If he can be brainwashed according to the wishes of the attacker, then even correct instructions on the paper solve nothing. The man can decide to selectively do something different than the instructions. New paper instructions come and go, and the attacker can decide which instructions to follow because the operating system itself is under his control.

- The boot loader is the supreme entity that creates the man, the world and everything in it. In addition to creating, the boot loader also defines what is allowed in the world and delegates part of that responsibility to the operating system. If the attacker can replace the boot loader, trying to change the paper instructions or the man reading them does not work. The supreme entity will always have the power to replace the man with his own favorite, or perhaps he just modifies the man's eyes and ears: Every time the man sees yellow, the supreme being makes him think he is seeing brown. The supreme entity can give the man two heads and a secret magic word to trigger switching the heads.

In the world of the Diebold touch-screen voting terminals, all of these attacks look possible.

The instructions (applications and files) can be changed. The man reading the files (Windows CE Operating System and the libraries) can be changed. Or the supreme entity (boot loader) can be changed, giving total control over the operating system and the files even if they are "clean software."

Specific conceptual information is contained in the report, with details and filenames in the high-security version which is being delivered under cryptographic and/or personal signature controls to the EAC, Diebold CEO Tom Swidarski and CERT.

1) Boot loader reflashing
2) Operating system reflashing
3) Selective file replacement

In addition, the casing of the TSx machines lacks basic seals and security, and within the casing additional exploitations are found.

Conclusions and Recommendations
Because there is no way of having chain of custody or audit trail for machines, the machines need to be reflashed with a known good version (assessing the risks potentially inherited). Ideally this should be done by the proper governmental authorities rather than being outsourced.

After that, extensive chain of custody management has to be established to make sure that machines do not potentially get recontaminated. Less than five minutes is required for contamination.

The bootloader needs to be re-engineered.

The cases need to be properly and permanently sealed.

Further study is warranted around these issues and others in the May 15, 2006 Supplemental Report for the Emery County TSx study.

While these flaws in design are not in the vote-processing system itself, they potentially seriously compromise election security. It would be helpful to learn how existing oversight processes have failed to identify this threat.

A secondary report will be released on May 15, 2006. This report contains approximately 12 other areas of secondary concern to the problems described in this initial report.

PERMISSION TO REPRINT GRANTED, WITH LINK TO http://www.blackboxvoting.org
Black Box Voting is a nonpartisan, nonprofit 501c(3) organization focusing on investigations related to ensuring accurate and fair elections. This organization is supported entirely by citizen donations.

To support this work:

http://www.blackboxvoting.org/donate.html

Mailing Address:

Black Box Voting, Inc.

330 SW 43rd St Suite K

PMB 547

Renton WA 98055
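The post's point that a compromised lower layer can intercept and falsify the hash checks run above it, and why its recommendation to reflash from a known-good image held by an outside authority follows, modelled as an added toy example (not code from the Black Box Voting report or from the Diebold system; the three layer images, the `Terminal` class and its lying read path are constructed assumptions):

```python
import hashlib

# Constructed stand-ins for the three software layers the post describes.
# Real reference images would be the known-good firmware files themselves.
KNOWN_GOOD_IMAGES = {
    "bootloader": b"bootloader image v1 (constructed)",
    "os": b"windows ce image v1 (constructed)",
    "application": b"ballot application v1 (constructed)",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(images: dict) -> dict:
    """Hash every layer from a trusted reference copy, off the device."""
    return {layer: sha256_hex(data) for layer, data in images.items()}

class Terminal:
    """Toy terminal (assumption): every file read goes through the OS layer."""

    def __init__(self, images: dict, os_hides_changes: bool = False):
        self.images = dict(images)       # what actually runs on the device
        self._original = dict(images)    # what a lying OS serves to readers
        self.os_hides_changes = os_hides_changes

    def install(self, layer: str, data: bytes) -> None:
        """Replace one layer's image in place."""
        self.images[layer] = data

    def os_read(self, layer: str) -> bytes:
        """Read path mediated by the OS; a compromised OS can serve old bytes."""
        if self.os_hides_changes:
            return self._original[layer]
        return self.images[layer]

def verify_via_device(terminal: Terminal, manifest: dict) -> dict:
    """Integrity check that trusts the terminal's own read path."""
    return {layer: sha256_hex(terminal.os_read(layer)) == digest
            for layer, digest in manifest.items()}

def verify_out_of_band(raw_images: dict, manifest: dict) -> dict:
    """Integrity check over bytes obtained by an external, trusted reader."""
    return {layer: sha256_hex(raw_images[layer]) == digest
            for layer, digest in manifest.items()}

def demo() -> tuple:
    """Tamper with the OS layer, then compare both verification paths."""
    manifest = build_manifest(KNOWN_GOOD_IMAGES)
    t = Terminal(KNOWN_GOOD_IMAGES, os_hides_changes=True)
    t.install("os", b"windows ce image, tampered (constructed)")
    return verify_via_device(t, manifest), verify_out_of_band(t.images, manifest)
```

The on-device check reports every layer as clean even though the OS image was replaced; only the check fed by an external reader against the off-device manifest detects the change.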