Friday, September 15, 2006

Diebold's voting machines

A study concerning the security of Diebold's voting machines is getting considerable attention on the Internet. I'm not a security specialist, know nothing about Windows CE, and haven't personally examined either the machines or their code; but if the article isn't just inventing facts, it provides a strong indication that the machines tested are hopelessly insecure, considering how great the incentive to compromise them is.

The article shows that the machines have features which are very helpful for service technicians, but seriously compromise security. Even the bootstrap loader is not secure. Depending on how internal jumpers and switches are set, the boot loader may be taken from the on-board flash memory, which can be modified, or from an external flash slot. Even if it boots from EPROM, it looks for a replacement boot loader in a PC card slot. If the boot loader code is replaced, there's zero hope for trustworthiness after that.

The memory card slot is protected by a lock and key. But, according to the report, "[t]he lock is easily picked -- one member of our group, who has modest locksmithing skills, can pick the lock consistently in less than 10 seconds." It's also noted that in some cases, all the machines in a state have the identical keys.

The voting software is launched as a Windows CE application. There is, according to the report, no provision for verifying that it has not been altered. (In any case, a subverted boot loader could install software that reports a known good checksum instead of the actual one.)

Because of this design, malicious software can be placed on a memory card such that it installs itself on the voting machine and then copies itself to any other memory card inserted later. Starting from just one or a few compromised cards, this could spread malicious code to large numbers of machines. (The report incorrectly and repeatedly refers to such software as a "virus"; this does give me some concern about how well the authors understand security issues.)

If I were proposing a design for a voting machine, I would recommend that the executable code be in ROM. That would eliminate a great many attack vectors. If the machine needs to be upgraded, physically plug in a new ROM chip, after checksumming it on a separate device. Have the machine print a paper record of the votes as they are cast, so that it doesn't lose all its votes if it crashes. KISS: Keep it simple, stupid.

If the main points of the report's analysis are confirmed, then Diebold's voting machines should not be used in any election.

Diebold has issued a rebuttal, which is available here. It isn't a substantive response. It states that the unit tested "has security software that was two generations old," but does not state what has changed since then. The design, not details of the implementation, is the problem.

The rebuttal states: "A virus was introduced to a machine that is never attached to a network." If Diebold is willing to accept this misuse of the word, I won't argue, since in any case the article shows that the company doesn't even understand security issues! The report clearly explains why no network is needed to propagate malicious code among the machines.

The rebuttal talks about how hard it is to open the machine, yet doesn't address the point that it isn't necessary to open the machine in order to compromise it.

The one thing that's worse than a product with security problems is a manufacturer that can't even grasp what the security problems being addressed are. Diebold simply doesn't have a clue.

3 comments:

The Mandelbear said...

A virus is a program fragment that propagates by modifying (infecting) existing files or media -- in this case the bootloader and memory cards.

A worm, in contrast, is a program that propagates over a network and installs itself without having to modify any existing files.

Gary McGath said...

I'd consider a virus to be something that modifies files, not something that writes files to a file-structured device. In this case, the malware would operate by replacing, not modifying, the boot loader.

Oh, well, how many bits can dance on the head of a pin?

Jack Carroll said...

The criticisms of existing vote recording machines are valid enough, but don't get to the root of the issue. The whole idea of vote recording machines is fundamentally wrong. That's why they're illegal in New Hampshire. We passed a law this year requiring all votes to be recorded on paper ballots.

If the voter marks the ballot by hand, and sees the marks with his/her own eyes, there is zero possibility that any machine could have tampered with the vote. There is no interfering machine between the voter and the legal record of the election.

A machine can't save time in the vote recording process, for either the voter or the election officials, and a pen is incomparably cheaper and more reliable than a complex piece of machinery and computer hardware. Thus, the economics of election administration decisively favor hand-marked paper ballots. There is also much less risk of long lines and voters turned away from the polls, as happened in Ohio recently; a cash-strapped community can afford enough curtained voting booths much more easily than it can afford enough vote recording machines.

This is not to suggest that it's impossible to tamper with paper-ballot elections; there are textbooks on the subject. But New Hampshire has spent 300 years refining its statutes and methods to protect electoral integrity, and knows how to cope with such attacks. Any election system, though, depends for its integrity on the officials who manage it and the citizens who oversee them.

New Hampshire still allows optical-scan ballot counting machines. The next challenge will be to bring openness and verifiability to their design and programming. The Secretary of State's staff, members of the legislature, and political volunteers are working on that.