Tuesday, October 31, 2006

UConn VoTeR center report: Diebold AV-OS is vulnerable to serious attacks

A powerful new report was released yesterday about the Diebold AccuVote Optical Scan voting terminal (AV-OS). This is a thorough and independent security analysis of the machines that will be used in Connecticut to count votes on November 7. It is based on hands-on experimentation with the system, and is thus more like the Princeton study of the AccuVote TS than my team's earlier source code analysis. Like the Princeton team, the UConn researchers had no access to any internal documentation from the vendor, no source code, nor any other information that would have given them an advantage over a random attacker who happened to get access to the machine. Everything they needed to know to perform the attacks was learned by reverse engineering the system and observing its behavior. The evaluation was done on behalf of the state of Connecticut, which should be commended not only for allowing this study but for requesting it. The report published on their web site explains the attacks in enough detail to be convincing, but some low-level details are reserved for another copy of the paper that is only available from the authors by request.

The authors show that "even if the memory card is sealed and pre-election testing is performed, one can carry out a devastating array of attacks against an election using only off-the-shelf equipment and without having ever to access the card physically or opening the AV-OS system box." The attacks presented in the paper include manipulating the count so that no votes for a particular candidate are counted, swapping votes for two candidates, and reporting the results incorrectly based on biases that are triggered under certain conditions.

The attacks in this paper are cleverly designed to make a compromised machine appear to work correctly when the system's audit reports are evaluated or when the machine is subjected to pre-election testing. Besides manipulation of the voting machine totals and reports, the authors explain how any voter can vote an arbitrary number of times using (get this) Post-it notes, if the voter is left unattended.

The attacks are possible because of serious security vulnerabilities that could have been prevented with proper security design. For example, if a serial cable is connected to the AV-OS, an attacker with a laptop can easily obtain a dump of the memory card contents. The dump is obtained in cleartext because the system performs no authentication of any computer that is connected on that port. The dump can be very useful for an attacker, for example, to reconstruct the password and audit records associated with the memory card. The communication between the voting machine and the GEMS tabulation system is unencrypted and unauthenticated. Instead, they use a CRC as a checksum. In our 2003 report, we identified this as a weakness in the Diebold AccuVote TS: a CRC detects accidental corruption but involves no secret, so anyone can recompute it over a modified message, and it therefore offers no protection against deliberate tampering. The authors of the new report show how to spoof the GEMS server to the AV-OS, which forms the basis of many of their attacks.
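To make the CRC-versus-authentication point concrete, here is an added example (not code from the UConn report, from Diebold, or from my own team's analysis) contrasting a verifier that checks only a CRC-32 trailer with one that checks a keyed HMAC-SHA256 tag. The record format, the sample totals and the keys are all constructed for the illustration and do not model the real GEMS/AV-OS wire protocol; the point is that a CRC-only receiver accepts any well-formed frame from any party, while a keyed receiver accepts only frames produced with the shared key.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a toy "precinct totals" record. It is NOT the real
# GEMS/AV-OS wire format, which this example does not model.
SAMPLE_RECORD = b"precinct=12;candidateA=412;candidateB=398"

CRC_LEN = 4    # CRC-32 trailer is 4 bytes
MAC_LEN = 32   # HMAC-SHA256 tag is 32 bytes


def frame_crc(payload: bytes) -> bytes:
    """Append a CRC-32 trailer. CRC-32 has no key: any party can compute it."""
    return payload + zlib.crc32(payload).to_bytes(CRC_LEN, "big")


def verify_crc(frame: bytes) -> bool:
    """Accept the frame if the trailer matches the CRC-32 of the payload.
    This catches random line noise only; it says nothing about who sent it."""
    payload, trailer = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return zlib.crc32(payload).to_bytes(CRC_LEN, "big") == trailer


def frame_mac(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed under a key shared by both endpoints."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_mac(frame: bytes, key: bytes) -> bool:
    """Accept only if the tag was produced with the shared key.
    compare_digest keeps the comparison constant-time."""
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def crc_accepts_any_sender(payload: bytes) -> bool:
    """Model a third party that knows only the (public) frame format and no secret.
    A CRC-only verifier accepts whatever it frames, so the check authenticates nobody."""
    unkeyed_frame = frame_crc(payload)  # no key was needed to build this
    return verify_crc(unkeyed_frame)


def mac_rejects_unkeyed_sender(payload: bytes, endpoint_key: bytes) -> bool:
    """The same third party, lacking endpoint_key, can at best frame under a guess.
    The keyed verifier rejects the result."""
    guessed_key = b"not-the-shared-key"  # constructed: any key other than the real one
    forged = frame_mac(payload, guessed_key)
    return not verify_mac(forged, endpoint_key)


def mac_accepts_keyed_sender(payload: bytes, endpoint_key: bytes) -> bool:
    """A frame built by a holder of the shared key is accepted."""
    return verify_mac(frame_mac(payload, endpoint_key), endpoint_key)


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-use"  # constructed for the demo
    print("CRC-only verifier accepts unkeyed sender:", crc_accepts_any_sender(SAMPLE_RECORD))
    print("HMAC verifier rejects unkeyed sender:   ", mac_rejects_unkeyed_sender(SAMPLE_RECORD, key))
    print("HMAC verifier accepts keyed sender:     ", mac_accepts_keyed_sender(SAMPLE_RECORD, key))
```

A keyed tag is necessary but not sufficient: it does not by itself stop an old, validly tagged frame from being replayed, so a real protocol also binds a sequence number or nonce into the tagged payload, and the key has to be provisioned and stored on the terminal in a way that a person with serial-port access cannot simply read out.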

The authors also validate some of the attacks presented earlier by Harri Hursti. They report that the executable code on the memory cards (!!) can be changed so that the counter values change.

Reading this report was a hair-raising experience for me. Diebold has clearly not learned any of the lessons from our 2003 report, and it is startling to see that their optical scan ballot counter is as vulnerable to tampering, vote rigging, and incorrect tabulation as the DRE. The big difference, of course, is that optical scanners can be audited. Ballots counted by hand can be compared to the totals of the AV-OS, and machines tabulating incorrectly can be identified. This report highlights the dangers of trusting any software-based component of a voting system, and the importance of widespread random audits. With optical scan technologies, we can have a secure election even if the systems cheat, because the paper ballots allow audits and recounts. With DREs, we are left with whatever results the machines compute.

I strongly urge everyone to read this new report out of UConn.