E-Vote Still Flawed, Experts Say
By Kim Zetter for WiredNews
Computer security experts hired to hack electronic voting machines manufactured by Diebold Election Systems found that flaws in the machines could result in malicious insiders or outsiders stealing an election.
The findings, released in a report late Thursday afternoon, were the culmination of a weeklong test undertaken by security experts at Raba Technologies, a firm hired by Maryland's legislative services department to hack the voting machines. The report (PDF) stated that the Diebold machines did accurately count the votes but could be compromised.
The authors concluded that Diebold's software would need to be rewritten to satisfy security standards but could be made sufficiently secure in time for Maryland's March primary election.
Raba's "red team" exercise marked the first time someone tested the security of the Diebold voting machines during a simulated election environment using the same procedures Maryland will perform in its upcoming primary.
For one week, the team had access to six touch-screen voting machines and a server containing the tabulation software known as GEMS (for Global Election Management System). Diebold also permitted the team to examine the source code for software running on the systems and server. The state set the systems up exactly as it intends to use them in March, which includes using modems to send votes over phone lines to county servers for tabulation.
William Arbaugh, a University of Maryland assistant professor of computer science who participated in the test, graded the system an "F," "with the possibility of raising it to a 'C' with extra credit; that is, if they follow the recommendations we gave them."
"I was really surprised with the totality of the problems we found. Just about everywhere we looked we found them," Arbaugh said.
Diebold officials could not be reached directly for comment. But in a press release, the company said Thursday that the study "validates" the Diebold election systems for the primary.
Diebold President Bob Urosevich said in the release that the Raba Technologies report confirmed "the accuracy and security of Maryland's voting procedures and our voting systems as they exist today."
"They took a study that was highly critical of them and claimed victory. I don't understand the continuous need to insist that things are OK," said Avi Rubin, director of the Information Security Institute at Johns Hopkins University and author of an earlier report critical of the Diebold system.
The Raba report focused on smart-card security, the process for uploading votes to a county server and on the server software used for counting the votes and issuing results.
Arbaugh said the researchers found a "gauntlet" of problems, including a security hole that let them remotely dial in to the voting terminals and get administrative control of the machines.
"We could have done anything we wanted to," Arbaugh said. "We could change the ballots (before the election) or change the votes during the election."
They also were able to perform a man-in-the-middle attack, which involves intercepting votes being sent by modem to the server, changing the votes and sending on the new votes to the server.
The red team confirmed many of the findings that Rubin and his colleagues at Johns Hopkins and Rice universities made in their report in July.
That report (PDF) said that the smart-card reader used in the Diebold system was so badly designed that an intruder could program an off-the-shelf card and vote numerous times on a machine.
Although there are safeguards to detect this (officials can compare the number of votes cast on machines to the number of voter signatures on the register roll), an excess number of votes would cast doubt on an election and likely result in all votes on a suspect machine being discounted.
The Raba researchers concluded that for less than $750 someone could purchase and program a card for this purpose. Furthermore, the red team was able to easily guess the passwords for the smart cards. Even if they could not guess them, they noted, Diebold had written the passwords into its source code, a version of which was leaked on the Internet last January after Diebold failed to secure a company FTP server.
The Raba report is actually the second report commissioned by Maryland. In September, the state commissioned Science Applications International Corporation, or SAIC, to audit the Diebold machines after the Johns Hopkins report came out.
After the SAIC report (PDF) also indicated problems with the system, Maryland officials said at the time that the system would be fine after Diebold made a few changes suggested in the report.
The SAIC report recommended, among other things, that Diebold encrypt vote files before they are sent to the server.
However, according to Arbaugh, the company did this, but did not add a function for authentication. Without authentication, county servers could not verify that votes they receive are coming from a legitimate voting machine.
"Encryption doesn't do any good if you don't add authentication. Because (someone) can crack the encryption then and change the votes," said Arbaugh. "That was the biggest surprise to see that they had gone to the trouble to add encryption but they didn't add authentication or integrity, which would have been fairly easy to do."
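The gap Arbaugh describes, as an added example (not code from Diebold, Raba or the reports): a receiving server that only decrypts an upload accepts a modified file without any error, while one that also checks an integrity tag rejects it. The article does not say which cipher Diebold used, so the toy keystream cipher, the keys, the nonce and the record format below are all constructed assumptions.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream, a stand-in for a real stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation). Provides confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, record: bytes):
    """Encrypt-then-MAC: the HMAC tag covers the nonce and the ciphertext."""
    ct = xor_crypt(enc_key, nonce, record)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_sealed(enc_key, mac_key, nonce, ct, tag) -> bytes:
    """Server side: verify the tag in constant time before decrypting."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("upload rejected: integrity tag mismatch")
    return xor_crypt(enc_key, nonce, ct)

def demo():
    enc_key, mac_key = b"E" * 32, b"M" * 32      # constructed keys
    nonce = b"upload-0001"                        # constructed per-upload nonce
    record = b"precinct=0042;candidate_a=0137;candidate_b=0122"  # constructed
    ct, tag = seal(enc_key, mac_key, nonce, record)
    # Model a single bit changed somewhere between terminal and server.
    i = 27
    modified = ct[:i] + bytes([ct[i] ^ 0x01]) + ct[i + 1:]
    # Encryption only: decryption succeeds and yields a different record.
    accepted_unauthenticated = xor_crypt(enc_key, nonce, modified)
    # Encryption plus integrity tag: the modified upload is refused.
    try:
        open_sealed(enc_key, mac_key, nonce, modified, tag)
        rejected = False
    except ValueError:
        rejected = True
    intact = open_sealed(enc_key, mac_key, nonce, ct, tag)
    return record, accepted_unauthenticated, rejected, intact

if __name__ == "__main__":
    print(demo())
```

In production the same property comes from an authenticated-encryption mode or a per-machine signature rather than a hand-rolled cipher; the tag key must be held only by legitimate terminals and the server.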
Arbaugh concluded that the changes were "either window dressing or carelessness; I'm not sure which." He and his team also found that they gained easy access to the computer card on the voting systems simply by picking the lock on the compartment on the side of the machine. Once inside they could plug a keyboard into the machine and gain access to the Windows CE operating system to change the ballot definition file or install a Trojan horse.
Arbaugh said he was surprised because the SAIC report had recommended that the state seal the locks with tamper-evident tape. That had not been done.
Maryland officials were not available for comment, but Linda Lamone, administrator of the state board of elections, told a local TV station that they were now planning to seal the locks.
"(The machines) are going to look like someone who has duct tape wrapped around them," she said.
Karl Aro, director of Maryland's legislative services department, told the television station he was pleased with the report from Raba.
"It is a validation that the system is ready to work in March," he said.
While there are potential security flaws, Aro said if election officials in each precinct follow through on the procedures being put in place to avert fraud in the election system, "it will be secure."
Rubin, however, said it's likely officials are downplaying the risks laid out in the report to avoid alarming voters.
"I cannot understand why the state is so interested in defending these machines if all these reports are finding these security problems," he said.
Arbaugh, however, commended the state for commissioning the report.
"The state went out on a limb and agreed to make the results public before the report was even done. I'm sure they were hoping for an 'A' instead of an 'F,' but there was absolutely going to be no whitewash on this. Never were we told to not report or discuss the results," he said.
Arbaugh believes the state commissioned a second report because the SAIC researchers had focused on reading the code and examining election procedures rather than doing hands-on testing of the Diebold system. As a result, the first report left questions unanswered.
While he said he was disappointed that Diebold had not taken basic measures to build a secure system, he believed that the Raba recommendations would make the systems secure enough for the March primary.
"I think the election's going to have the same level of insurance that past elections have had. That's the step in the right direction anyway. At least it shouldn't be any worse," he said.