Report Challenges Security Of Electronic Voting!
2006 MID-TERM ELECTION FRAUD FLASH ALERT!
YET ANOTHER MAJOR REPORT CHALLENGES SECURITY OF ELECTRONIC VOTING / UCONN VOTER CENTER REPORT: DIEBOLD AV-OS IS VULNERABLE TO SERIOUS HACKER ATTACKS! / WILL BUSH's NEOCONS STEAL THEIR 3rd ELECTION AND GET AWAY WITH IT?!
By Avi Rubin, Avi Rubin's Blog
Friday, November 3, 2006
A powerful new report: http://voter.engr.uconn.edu/voter/Reports.html was released yesterday about the Diebold AccuVote Optical Scan voting terminal (AV-OS). This is a thorough and independent security analysis of the machines that will be used in Connecticut to count votes on November 7. It is based on hands-on experimentation with the system, and is thus more like the Princeton study of the Accuvote TS than my team's earlier source code analysis.
Like the Princeton team, the UConn researchers had no access to any internal documentation from the vendor, no source code, or any other information that would have given them an advantage over a random attacker who happened to get access to the machine. Everything they needed to know to perform the attacks was done by reverse engineering the system and observing its behavior.
The evaluation was done as part of an evaluation on behalf of the state of Connecticut. They should be commended for not only allowing, but for requesting this study. The report published on their web site explains the attacks in enough detail to be convincing, but some low level details are reserved for another copy of the paper that is only available from the authors by request.
The authors show that "even if the memory card is sealed and pre-election testing is performed, one can carry out a devastating array of attacks against an election using only off-the-shelf equipment and without having ever to access the card physically or opening the AV-OS system box."
The attacks presented in the paper include manipulating the count so that no votes for a particular candidate are counted, swapping votes for two candidates, and reporting the results incorrectly based on biases that are triggered under certain conditions. The attacks in this paper are cleverly designed to make a compromised machine appear to work correctly when the system's audit reports are evaluated or when the machine is subjected to pre-election testing.
Besides manipulation of the voting machine totals and reports, the authors explain how any voter can vote an arbitrary number of times using (get this), Post-it notes, if the voter is left unattended. The attacks are possible because of serious security vulnerabilities that could have been prevented with proper security design.
For example, if a serial cable is connected to the AV-OS, an attacker with a laptop can easily obtain a dump of the memory card contents. The dump is obtained in cleartext because the system performs no authentication of any computer that is connected on that port. The dump can be very useful for an attacker, for example, to reconstruct the password and audit records associated with the memory card.
The communication between the voting machine and the GEMS tabulation system is unencrypted and unauthenticated. Instead, they use a CRC as a checksum. In our 2003 report, we identified this as a weakness in the Diebold Accuvote TS because CRCs are easily broken. The authors of the new report show how to spoof the GEMS server to the AV-OS, which forms the basis of many of their attacks.
The authors also validate some of the attacks presented earlier by Harri Hursti. They report that the executable code on the memory cards (!!) can be changed so that the counter values change. Reading this report was a hair raising experience for me. Diebold has clearly not learned any of the lessons from our 2003 report, and it is startling to see that their optical scan ballot counter is as vulnerable to tampering, vote rigging, and incorrect tabulation as the DRE.
The big difference, of course, is that optical scanners can be audited. Ballots counted by hand can be compared to the totals of the AV-OS, and machines tabulating incorrectly can be identified. This report highlights the dangers of trusting any component of a voting system that is software based, and the importance of widespread random audits.
With optical scan technologies, we can have a secure election even if the systems cheat, due to the opportunity to audit and perform recounts. With DREs, we are left with whatever results the machines compute. I strongly urge everyone to read this new report out of Uconn: http://voter.engr.uconn.edu/voter/Reports.html .
ELECTRONIC VOTING NEWS & INFORMATION: http://tinyurl.com/pf5ol
"Republics are created by the virtue, public spirit, and intelligence of the citizens.
They fall, when the wise are banished from the public councils,
because they dare to be honest,
and the profligate are rewarded, because they flatter the people,
in order to betray them."
"Most people would sooner die than think;
in fact, they do so."
- Bertrand Russell
luck for the rulers that men
do not think."
reason! Tyranny hates honor! This is because
Tyranny is overcome by REASON and HONOR.
It is Folly and Fear that is the food of Tyrants.
Tyranny thrives in a climate of dishonor and tolerance for dishonor.
Turn on the lamp of truth and justice and tyrants flee to hide."
- Reinhold Sommerstedt
"Such is the irresistible nature
that all it asks,
and all it wants, is the liberty of appearing."
"When I despair, I remember that all through
history the way of truth and
love has always won. There have been tyrants and murderers and for a time
they seem invincible but in the end, they always fall -- think of it, ALWAYS."
-- “Mahatma” (Great Soul) Gandhi
When freedom is corrupted by
"Those who vote decide nothing.
Those who count the vote
- Joseph Stalin
Worldwide LOVE Foundation
all rights well-rounded
the heart & mind of
High touch HEART of high tech
with a higher understanding of LOVE
Defining, Refining, Combining and Shining
Our God-given Gifts and Talents via Net Standards
For Net Freedom based on LOVE-centric Net worth.
SUPPORT THE LOVE NETWORK
To love with all your heart and all your mind and all your soul,
and your Netizen neighbor in our Global Village as thyself.