[ISN] Diebold Hack Hints at Wider Flaws

[InfoSec News]

http://www.wired.com/news/evote/0,2645,69893,00.html

By Kim Zetter
Dec. 21, 2005 

Election officials spooked by tampering in a test last week of Diebold
optical-scan voting machines should be equally wary of optical-scan
equipment produced by other manufacturers, according to a computer
scientist who conducted the test.

Election officials in Florida's Leon County, where the test occurred,
promptly announced plans to drop Diebold machines in favor of
optical-scan machines made by Election Systems & Software, or ES&S.  
But Hugh Thompson, an adjunct computer science professor at the
Florida Institute of Technology who helped devise last week's test,
believes other systems could also be vulnerable.

"Looking at these systems doesn't send off signals that ... if we just
get rid of Diebold and go to another vendor we'll be safe," Thompson
said. "We know the Diebold machines are vulnerable. As for ES&S, we
don't know that they're bad but we don't know that they're (good)  
either."

Thompson and Harri Hursti, a Finnish computer scientist, were able to
change votes on the Diebold machine without leaving a trace. Hursti
conducted the same test for the California secretary of state's office
Tuesday. The office did not return several calls for comment.

Information about the vulnerability comes as states face deadlines to
qualify for federal funding to replace punch-card and lever machines
with new touch-screen or optical-scan machines. In order to get
funding, states must have new machines in place by their first federal
election after Jan. 1, 2006.

Optical-scan machines have become the preferred choice of many
election officials due to the controversy over touch-screen voting
machines, many of which do not produce a paper trail. Optical-scan
machines use a paper ballot on which voters mark selections with a pen
before officials scan them into a machine. The paper serves as a
backup if the machine fails or officials need to recount votes.

The hack Thompson and Hursti performed involves a memory card that's
inserted in the Diebold machines to record votes as officials scan
ballots. According to Thompson, data on the cards isn't encrypted or
secured with passwords. Anyone with programming skills and access to
the cards -- such as a county elections technical administrator, a
savvy poll worker or a voting company employee -- can alter the data
using a laptop and card reader.

To test the machines, Thompson and Hursti conducted a mock election on
systems loaded with a rigged memory card. The election consisted of
eight ballots asking voters to decide, yes or no, if the Diebold
optical-scan machine could be hacked.

Six people voted "no" and two voted "yes." But after scanning the
ballots, the total showed one "no" vote and seven "yes" votes.

Diebold did not return several calls for comment.

Thompson said in a real race between candidates someone could pre-load
50 votes for Candidate A and minus 50 votes for Candidate B, for
example. Candidate B would need to receive 100 votes before equaling
Candidate A's level at the start of the race. The total number of
votes on the machine would equal the number of voters, so election
officials wouldn't become suspicious.

"It's self-destroying evidence," he said. "Once ... the machine gets
past zero and starts counting forward for Candidate B, there's no
record that at one point there were negative votes for Candidate B."

Thompson said a second vulnerability in the cards makes it easy to
program the voting machine so that it thinks the card is blank at the
start of the race. This is important because before voting begins on
Election Day, poll workers print a report of vote totals from each
machine to show voters that the machines contain no votes.

"The logic to print that zero report is contained on the memory card
itself," Thompson said. "So all you do is alter that code ... to
always print out a zero report (in the morning)."

David Jefferson, a computer scientist at Lawrence Livermore National
Laboratory and chair of California's Voting Systems Technical
Assessment and Advisory Board, said that programming software on a
removable memory card raises grave concerns.

"The instant anyone with security sensibility hears this, red flags
and clanging alarms happen," Jefferson said. "Because this software
that is inserted from the memory module is not part of the code base
that goes through the qualification process, so it's code that escapes
federal scrutiny."

The vote manipulation could conceivably be caught in states where
election laws require officials to conduct a 1 percent manual recount
to compare digital votes against paper ballots. Parallel monitoring,
in which officials pull out random machines for testing on Election
Day, might also catch vote manipulation.

But Thompson says machines could be programmed to recognize when
they're being tested so as not to change votes during that time. And a
manual recount that only examines 1 percent of machines might not be
broad enough.

"The question is, if you have altered a memory card in just one of the
polling places or even just on one machine, what are the chances that
the machine would fall under that 1 percent?" Thompson said. "That's
kind of scary."