COMPUTER FRAUD ARTICLE 11

11. Diebold: SERIOUS SECURITY CONCERNS

Diebold, one of the major DRE vendors, has been at the center of a political maelstrom because of intemperate remarks made in 2003 by its CEO, Walden O'Dell. But that PR problem pales in comparison to the security problems uncovered after Bev Harris (http://www.scoop.co.nz/mason/stories/HL0302/S00036.htm) announced in February 2003 that she had discovered Diebold voting machine software on a publicly accessible FTP server. Computer science professors Aviel Rubin (Johns Hopkins University) and Dan Wallach (Rice University), and their students Tadayoshi Kohno and Adam Stubblefield, subsequently analyzed some of that software and published their findings in a paper, sometimes referred to as the "Hopkins paper," presented at the May 2004 IEEE Symposium on Security and Privacy (http://avirubin.com/vote/analysis/index.html).

One of the more shocking revelations in that paper is that Diebold uses a single DES key, hard-coded into the software, to encrypt all of the data on a storage device. Because the key is a constant in the source code, anyone who has read the source (or recovered the constant from a shipped binary) holds the key for every machine and can decrypt, alter and re-encrypt voting and audit records; encryption by itself does nothing to reveal that the records were changed. Perhaps even more surprising, Diebold had been warned in 1997 about its sloppy key management by Douglas Jones, a professor of computer science at the University of Iowa and a member of the Iowa Board of Examiners for Voting Machines and Electronic Voting Equipment (http://www.cs.uiowa.edu/~jones/voting/dieboldftp.html):

[N]either the technical staff nor salespeople at Global Election Systems [purchased by Diebold in 2001] understood cryptographic security. They were happy to assert that they used the federally approved data encryption standard, but nobody seemed to understand key management; in fact, the lead programmer to whom my question was forwarded, by cellphone, found the phrase key management to be unfamiliar and he needed explanation. On continued questioning, it became apparent that there was only one key used, companywide, for all of their voting products. The implication was that this key was hard-coded into their source code!

Because of the security issues raised in the Hopkins paper, the State of Maryland, which had just committed to purchasing Diebold DREs, commissioned a study of Diebold machines by Science Applications International Corporation (SAIC). The SAIC report (http://www.dbm.maryland.gov/dbm_publishing/public_content/dbm_search/technology/toc_voting_system_report/votingsystemreportfinal.pdf) is a very fast read, since only about one-third of it was made public. (According to Frank Schugar, project manager for SAIC, the report was redacted by Maryland, not by SAIC. The Electronic Privacy Information Center has submitted a public records request to obtain the unredacted version.) Even the limited amount of information that was released in the report, however, is quite damning. For example, the report states that the Diebold system is so complicated that even if all of the technical problems were fixed, security risks would remain because of poorly trained election officials.

In November 2003, the Maryland Department of Legislative Services commissioned yet another study of Diebold machines by RABA Technologies (http://www.raba.com/press/TA_Report_AccuVote.pdf). The Trusted Agent report, released in January 2004 and based on a "red team" effort to break into Diebold voting systems, revealed physical security problems: identical keys were used for the security panels covering PCMCIA and other sockets on the machines, and the locks could be picked in a few seconds. Unfortunately, when DRE vendors tout the virtues of DREs to election officials, they tend to gloss over security issues related to short- and long-term storage of the machines, as well as machine access control before and after elections.
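The following is an added example, not code from the article or from Diebold's software, that shows why the single hard-coded key described above gives stored records no protection against anyone who has read the software, and how a per-device key derived from a secret provisioned outside the source tree, combined with an integrity tag, changes that. The cipher is a constructed toy (an HMAC-SHA256 keystream XORed over the plaintext) standing in for DES; the key values, device ID and vote records are all made up for the demonstration.

```python
import hashlib
import hmac
import secrets

# Weak design: one key constant compiled into every copy of the software.
# Anyone with the source tree, or a disassembler and a shipped binary, has it.
# (Constructed value; not the constant from any real product.)
HARDCODED_KEY = b"same-key-in-every-machine"

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher standing in for DES: HMAC-SHA256(key, nonce||counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- weak scheme: encrypt-only, same key on every machine --------------------
def weak_store(record: bytes, nonce: bytes) -> bytes:
    return nonce + xor(record, keystream(HARDCODED_KEY, nonce, len(record)))


def weak_load(blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ct, keystream(HARDCODED_KEY, nonce, len(ct)))


def attacker_rewrite(blob: bytes, new_record: bytes) -> bytes:
    """What someone who has read the source can do: decrypt, replace, re-encrypt.
    The machine later decrypts the substituted record exactly as if it were genuine."""
    return weak_store(new_record, blob[:NONCE_LEN])


# ---- hardened scheme: per-device keys from a provisioned secret, plus a MAC ---
def device_keys(master: bytes, device_id: bytes):
    """Derive separate encryption and MAC keys for one device. `master` is a
    secret loaded at provisioning time; it never appears in the source tree."""
    enc = hmac.new(master, b"enc|" + device_id, hashlib.sha256).digest()
    mac = hmac.new(master, b"mac|" + device_id, hashlib.sha256).digest()
    return enc, mac


def hard_store(record: bytes, master: bytes, device_id: bytes) -> bytes:
    enc, mac = device_keys(master, device_id)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor(record, keystream(enc, nonce, len(record)))
    tag = hmac.new(mac, device_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def hard_load(blob: bytes, master: bytes, device_id: bytes) -> bytes:
    enc, mac = device_keys(master, device_id)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, device_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: integrity tag does not verify")
    return xor(ct, keystream(enc, nonce, len(ct)))


def _rejected(blob: bytes, master: bytes, device_id: bytes) -> bool:
    try:
        hard_load(blob, master, device_id)
    except ValueError:
        return True
    return False


def demo() -> dict:
    record = b"precinct=12;candidate_A=301;candidate_B=298"   # constructed record
    forged = b"precinct=12;candidate_A=298;candidate_B=301"   # attacker's replacement
    device = b"DRE-0042"                                       # constructed device ID

    # 1. Weak scheme: the rewritten record decrypts cleanly; nothing flags it.
    blob = weak_store(record, secrets.token_bytes(NONCE_LEN))
    weak_accepts_forgery = weak_load(attacker_rewrite(blob, forged)) == forged

    # 2. Hardened scheme: the genuine record round-trips...
    master = secrets.token_bytes(32)   # provisioned secret, never in the code
    hblob = hard_store(record, master, device)
    genuine_ok = hard_load(hblob, master, device) == record

    # ...a one-bit change to the ciphertext is rejected...
    flipped = hblob[:NONCE_LEN] + bytes([hblob[NONCE_LEN] ^ 1]) + hblob[NONCE_LEN + 1:]
    bitflip_rejected = _rejected(flipped, master, device)

    # ...and an attacker holding the software but not the provisioned secret
    # cannot mint a record this device will accept.
    forgery_rejected = _rejected(hard_store(forged, b"guess-from-the-source", device), master, device)

    return {"weak_accepts_forgery": weak_accepts_forgery, "genuine_ok": genuine_ok,
            "bitflip_rejected": bitflip_rejected, "forgery_rejected": forgery_rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened half is the separation of concerns the Hopkins paper found missing: the key material is specific to a device and lives outside the source, so reading the software no longer yields a key, and the tag means a modified or substituted record is rejected rather than silently decrypted. Per-device keys also limit the blast radius if one machine's secret does leak.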
Meanwhile, the State of Ohio, which had been considering the purchase of Diebold DREs for the entire state, hired Compuware to test hardware and software and InfoSentry to conduct a security assessment. The Compuware study uncovered yet another hardwired password, this time involving the supervisor's card, which is used to start up each voting machine on Election Day and to terminate the voting process at the end of the day. When the card is inserted into the DRE, the election official must enter a password or PIN, and the machine checks it against a value hardwired into the card itself, not against anything held by the voting software. The card therefore carries its own credential, and the terminal has no way to distinguish a genuine card from a fabricated one: anyone who obtains a supervisor's card, or who makes a fake card carrying a PIN of their own choosing, can halt a voting machine prematurely, a denial-of-service attack that denies some voters the opportunity to vote.

http://www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=219
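The supervisor-card check, as an added example that is not code from the article, from Compuware's report or from Diebold: the weak design compares the entered PIN with a PIN stored on the card, so whoever writes the card decides what it accepts; the hardened alternative has the card carry an HMAC tag over its identity, role and PIN under a per-election key that each terminal is loaded with before the election, so a card fabricated without that key fails. Card IDs, PINs and the `Card` layout are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Card:
    role: str
    card_id: bytes
    credential: bytes   # weak design: the PIN itself; hardened design: an HMAC tag


# ---- weak design: the PIN lives on the card and the terminal compares against it
def weak_terminal_accepts(card: Card, entered_pin: str) -> bool:
    """The terminal holds nothing of its own to check against, so whoever wrote
    the card chose the PIN it accepts, and a fabricated card passes."""
    return card.role == "SUPERVISOR" and hmac.compare_digest(card.credential, entered_pin.encode())


def forge_weak_card(chosen_pin: str) -> Card:
    """Attacker writes a card with a role flag and a PIN of their choosing."""
    return Card("SUPERVISOR", b"FAKE-0001", chosen_pin.encode())


# ---- hardened design: the card carries a tag only the election key can produce
def _msg(card_id: bytes, role: str, pin: str) -> bytes:
    return b"|".join([card_id, role.encode(), pin.encode()])


def issue_card(key: bytes, card_id: bytes, role: str, pin: str) -> Card:
    """Issued by election officials with the per-election key. The tag binds
    card identity, role and PIN; without the key nobody can produce a valid one."""
    return Card(role, card_id, hmac.new(key, _msg(card_id, role, pin), hashlib.sha256).digest())


def hard_terminal_accepts(card: Card, entered_pin: str, election_key: bytes) -> bool:
    expected = hmac.new(election_key, _msg(card.card_id, card.role, entered_pin), hashlib.sha256).digest()
    return card.role == "SUPERVISOR" and hmac.compare_digest(card.credential, expected)


def close_polls(accepted: bool, state: str) -> str:
    """Terminal state machine: voting ends only if the supervisor check passed."""
    return "CLOSED" if accepted and state == "OPEN" else state


def demo() -> dict:
    election_key = secrets.token_bytes(32)   # loaded onto terminals for this election, not in the code
    genuine = issue_card(election_key, b"SUP-0007", "SUPERVISOR", "4821")   # constructed PIN

    forged_weak = forge_weak_card("0000")
    # Attacker has the software and the card format but not the election key.
    forged_hard = issue_card(b"not-the-election-key", b"SUP-0007", "SUPERVISOR", "0000")

    return {
        "weak_forged_card_halts_voting":
            close_polls(weak_terminal_accepts(forged_weak, "0000"), "OPEN") == "CLOSED",
        "hard_genuine_card_right_pin": hard_terminal_accepts(genuine, "4821", election_key),
        "hard_genuine_card_wrong_pin": hard_terminal_accepts(genuine, "1111", election_key),
        "hard_forged_card_halts_voting":
            close_polls(hard_terminal_accepts(forged_hard, "0000", election_key), "OPEN") == "CLOSED",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag only proves the card was issued under this election's key; a stolen genuine card plus a shoulder-surfed PIN still works, so the physical custody and access-control issues the RABA and SAIC reports raised do not go away, and a terminal would still want a retry limit on PIN entry and the election key held in something harder to read out than the application's memory.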