Tuesday, July 31, 2007

Florida SAIT report highlights more Diebold problems

The Florida Secretary of State has just released a report from the Security and Assurance in Information Technology Laboratory (SAIT) at Florida State University titled "Software Review and Security Analysis of the Diebold Voting Machine Software". This report is the output of a study that Florida commissioned to determine whether flaws reported in previous studies of voting systems, including my group's study, had been fixed yet. I was a reviewer of this report, and my graduate student, Ryan Gardner, played a key role in the study. The group was led by Alec Yasinsac who led the previous FSU study on voting machine security for Florida.

I am pleased to see that there are so many studies of voting systems being performed. In this past year, Connecticut, California, and now Florida have conducted thorough reviews, and all of them have highlighted serious problems with the voting systems. All this is happening as the House is considering federal legislation to improve the auditability of voting equipment.

Once again this new report shows serious, serious problems with Diebold, and that they clearly have not fixed some of the most egregious problems. One of the weaknesses that our report in 2003 pointed out was that Diebold used a single, fixed encryption key for all encryption in the system. Diebold has moved from using DES to AES. However, the key management is just as bad as before, and possibly worse. Here is an excerpt from the new report released today.

The system key is generated by computing an MD5 hash of the machine serial number. Its value is never changed after generation. Since the machine serial number is public, the system key is also essentially public. Anyone who knows this procedure can generate the system key and can access anything it protects, including the data encryption key and anything that it is used to encrypt.

This is arguably worse than having a fixed static key in all of the machines. Because with knowledge of the machine's serial number, anyone can calculate all of the secret keys. Whereas before, someone would have needed access to the source code or the binary in the machine.

Other attacks mentioned in the report include swapping two candidate vote counters and many other vote switching attacks. The supervisor PIN is protected with weak cryptography, and once again Diebold has shown that they do not have even a basic understanding of how to apply cryptographic mechanisms. Quoting once again:

The supervisor PIN is now stored on supervisor smart cards as a keyed hash of the actual PIN. Specifically, the PIN is concatenated with part of the data encryption key (the first 64 bits), and an MD5 sum is computed over the resulting string. The first 4 bytes of the MD5 are stored on the smart card. The most significant weakness of this approach again concerns the key management of the data encryption key as described in Section The key can be compromised by an adversary with sufficient access to a voting terminal, and an adversary with it can find the PIN using a simple brute force computation. Again, the act of using the same key for more than one purpose is generally considered poor practice within the cryptographic community. Moreover, the input to the hash function is 64 bits of the 128-bit data encryption key. Using only 64 bits of the 128-bit AES key in this manner may allow an adversary to recover the data encryption key significantly faster than exhaustive search.

So, Diebold is doing some things better than they did before when they had absolutely no security, but they have yet to do them right. Anyone taking any of our cryptography classes at Johns Hopkins, for example, would do a better job applying cryptography. If you read the SAIT report, this theme repeats throughout.

In my opinion, in his letter to Diebold the Secretary of State of Florida, Kurt Browning downplays the severity of this report.

A toast to Peter Honeyman

My former Ph.D. advisor, Peter Honeyman won the prestigious Lifetime Achievement Award from the USENIX Association. I first heard about this from Matt Blaze of the USENIX board and a former colleague of mine at AT&T, and I was absolutely thrilled. I can think of nobody more deserving. As the recipient of his mentorship, I am delighted that he was called out for his role mentoring students for this honor. From the USENIX web site:

Dr. Peter Honeyman has had a profound and lasting impact on the field of computer science. While many know Peter for his seminal contributions to computing systems, such as Honey DanBer UUCP and Disconnected AFS, it is his efforts as a mentor that we wish to honor with the USENIX Lifetime Achievement Award. Peter's often highly unconventional stewardship of the countless students, researchers, and advisees he has touched is the stuff of graduate student legend. His penetratingly insightful (and potentially hazardous) questions and comments, combined with a paradoxically unflinching loyalty, consistently have led those under his tutelage to the pinnacle of achievement in security, systems, and networking. Peter's questioning during conferences and doctoral defenses, although sometimes frightening, always demanded better from those of us who attempt to advance science.

Peter has a page with some pictures of the event. I was unable to attend the ceremony when he received his award because I was on vacation with my family in Israel, but I made a video tribute for him that was shown at the conference.

Debunking the "laboratory" defense

Yesterday, there was a hearing in California about the e-voting machines that were studied in the top to bottom review. I watched some of the proceedings that were broadcast on the web, and I read some of the press coverage, such as this article in the San Jose Mercury News. I'm struck (although not surprised) by the way the vendors attack the study results. As the top to bottom review concluded that the systems were highly vulnerable to all kinds of attacks, the vendors stand to lose business and revenue if the machines are decertified, so you would expect them to attack the study with everything they have.

Reading the news coverage of the hearing, it is clear that there is a common theme in the attacks on the study. Quoting the article:

Sequoia Voting Systems, which is used in Alameda, Santa Clara and Santa Cruz counties, called the review an "unrealistic, worst-case scenario" performed in a laboratory environment by computer security experts with unfettered access to the machines.

Several other people use the term "laboratory environment" in criticizing the study. I think these criticisms miss the point. Most, if not all of the vulnerabilities identified in the studies are weaknesses that are well known in the security literature and which can be avoided with proper design and implementation. The source code reviews have not been published yet, so I cannot comment on what was found there, but looking at the red team reviews, I can say that we know how to design systems that avoid the problems that were found there. So, regardless of whether these were broken in a laboratory or in a polling station, the fact is that vendors are not utilizing well-known security technology in designing their systems.

Rather than using technology provided by incompetent vendors who don't bother to hire real security experts to build voting systems, we should insist that these machines be scrapped. The debate should focus on whether or not the machines utilize the best available security, rather than on whether the proof that they are insecure was identified in a lab or somewhere else. If the vendors focused as many resources on improving the security of their systems as they do in criticizing the studies, then they wouldn't have to point out that the studies were done in a laboratory because studies that embarrass them would be less likely to exist.

Saturday, July 28, 2007

More on California Top to Bottom

I should point out that only the red team reports have been released so far. (As the SoS web site states, "The document review teams and source code review teams submitted their reports on schedule. Their reports will be posted as soon as the Secretary of State ensures the reports do not inadvertently disclose security-sensitive information.") The red teams are groups of talented white hat hackers who approach the system as though they were mailicious parties looking to disrupt the election. These reports do not take into account flaws in the source code. The source code analysis reports, which are akin to the study that my research team performed in 2003 about Diebold, will be very revealing because they will shed light on how Diebold responded to the flaws that we found four years ago. Considering that I had two (very talented) graduated students looking at the code for about a week, I fully expect that this team of professionals who spent a month will uncover much more serious problems.

It's important to keep in mind, as the California report states, that any security problems reported by them constitute a lower bound on the problems that exist. The reason is that they were limited in both time and in the information available to them. Some of the material they needed was given to them only a couple of weeks before their final deadline. Furthermore, in a real world scenario, hackers would not have a month to do the analysis and produce a report. They would probably skip the report and could spend many months developing their attacks.

Friday, July 27, 2007

California Top to Bottom results

The Secretary of State of California, Debra Bowen has released the results of their top to bottom review of the Sequoia, Diebold, and Hart voting systems. This is perhaps the most anticipated voting system analysis ever. I just read the executive summary of the report, and the results are devastating for these machines. In all cases, the analysts were able to rewrite the firmware on the machines. This means that an attacker could change every aspect of the behavior of the voting systems. In a sense, these voting machines provide no protection against the most basic attack, which is the complete an unobservable reprogramming of the all the functionality of the voting machines.

One of the attacks against Sequoia that got my attention was that the team was able to determine when the machine was in test mode and thus could cheat but behave correctly whenever the machine was not in a real election. This undermines the common argument made by some that the machines are tested extensively. The analysts were able to defeat the physical security, bypassing the seals, on Sequoia and on Diebold. This undermines another argument often made by supporters of the machines that nobody could have undetectable access to the machines.

There are many other examples of attack that are much more serious than what I expected from this report - and I was expecting a lot. I don't see how anybody can possible condone continuing to use these e-voting machines, given the results that are summarized in the executive summary of the report. I will now read the detailed reports, and if I have anything more to say, I'll blog again over the weekend.

What is really disturbing is that these tests are taking place after the machines have been certified and deployed. This kind of top to bottom testing should be done before any voters actually vote on them.

Sunday, July 22, 2007

ISE researchers find serious security vulnerabilities in iPhone

The day after the iPhone was released, I purchased mine and blogged about it here. Although I still love my iPhone for its beautiful interface, well thought out features, and incredible screen, I'm now disappointed that it was not built more securely.

Researchers at my consulting company, Independent Security Evaluators (ISE) have found serious security vulnerabilities in the iPhone. They were able to take complete control of the iPhone device and run arbitrary shell code (see NYT article). To demonstrate this, they built an exploit that downloads personal information such as SMS text transcripts, address book entries, and email from the iPhone whenever a user visits a particular web site or connects to a particular WiFi network. However, the vulnerability can be exploited in many other ways. For example, an exploit could be written that would cause the iPhone to make an unnoticeable phone call to an attacker, who would then be able to monitor conversations by the victim. In other words, the iPhone could be turned into a bugging device.

We contacted Apple on July 17 and sent them all of the details of the vulnerability. We also promised not to release any specific technical details of the vulnerability that would allow someone else to exploit it until our Black Hat presentation on August 2. This gave them plenty of time to produce a fix, and we showed Apple how to patch the vulnerability.

However, we are disclosing the fact that the iPhone is vulnerable. Why are we doing that? Well, I believe that there is a social responsibility to report it when a device is vulnerable to attackers. People buy these things and use them in ways that put their identity and their online accounts at risk, and by exposing these vulnerabilities, we can make users better judges of how to use their high tech devices. In addition, vendors are much more likely to produce devices that are more secure if they know that independent security experts such as my team at ISE are likely to try to break them and to expose any vulnerabilities we find. Just look at the history of Microsoft's software security problems. They started paying attention when they were repeatedly embarrassed by the exposure of vulnerabilities. Now they put more effort into writing secure code than almost anyone.

Tuesday, July 17, 2007

EVT 2007

Our NSF sponsored center, ACCURATE is putting on its second Electronic Voting Technology workshop (EVT '07) on August 6, 2007 in Boston. The program chairs are David Wagner and Ray Martinez, and they have put together a fantastic program. I encourage everyone who can to attend.

Friday, July 13, 2007

Report from Blue Ribbon Panel in Riverside County, California

A report has been released by a Blue Ribbon Panel that was appointed by the Board of Supervisors of Riverside County in California. The panel held several public hearings, meetings with the registrar of voters, a meeting with the Board of Supervisors, three group study and writing meetings, and a presentation by Sequoia Services, the vendor of the DRE with VVPAT that is used in Riverside county.

I found the report to be extremely well thought out and well written. The panel was clearly open minded and considered all of the post 2006 election data and observations. The top conclusion of the panel was:

    "Move as quickly as possible to a hybrid voting system whereby able-bodied voters make their preferences on paper ballots which are then counted by optical scanners."

The report details shortcomings and failures in the Sequoia Edge system used in 2006, and explains why the hybrid system would overcome these. I believe that this report, along with the top to bottom review that Secretary of State Bowen is conducting will result in California moving to much more secure, reliable, auditable and transparent election systems. According to this report, the hybrid systems will also result in faster results and less waiting time at the polls.

Sunday, July 01, 2007

Giving into the force

After reading endless articles and reviews of the iPhone, I decided that the slow Edge network from AT&T was a non-starter and that I was not going to get an iPhone. Many of my friends were surprised, as I am usually very excited about new gadgets. I was always on the waiting list for the newest Treo, and given what a Mac fanatic I am, an iPhone seemed like a no brainer.

This past week, old friends came out of the woodwork to ask me when I was getting my iPhone and if I was planning on sleeping in line. It was a big topic of conversation at work. I replied that I was going to be patient, and that I thought the drawbacks were serious, so I was not going to do it.

Well, this weekend was Ann's birthday, and I took her to NYC to a couple of Broadway shows while our babysitter stayed home with the kids. (After our 2 week vacation in Israel, a break from the little ones was necessary for our sanity anyway.) On Friday night, the Apple stores opened their doors to the masses for iPhones sales, and all of the major media covered it. Enthusiastic early adopters who waited in line for several days were shown on TV walking out with their new iPhones to massive applause. We watched from our hotel in the city on CNN. Our hotel was several blocks from the Apple store, and on Saturday morning, I was so drawn to it that Ann and I decided to go our separate ways for a few hours. She went shopping for shoes at Macy's, and I walked to the Apple store. It was really quite a sight. I found a table with an iPhone and played with it for about 5 minutes. My heart was racing as I began observing all of the features and the interface first hand. I was soon in line to buy my own without really understanding why. I had decided earlier that I was going to wait until the next version of the phone came out with fewer bugs and hopefully a faster network. After all, it wouldn't kill me to wait a few months. I've been fine with my Treo.

As I walked back to the hotel with my new iPhone bag, people on the street stopped me to talk and ask me if I really had an iPhone in there. Several made me pull out the box and show it to them. In the elevator in the hotel, people asked me about it. By the time I met up with Ann, I had already connected it to my laptop and downloaded a new version of iTunes to my computer that supported the phone. At breakfast this morning, I was playing with it, and the people at the table next to me started asking me about it. I decided that one of the undocumented features of this phone is that it makes people friendly.

Anyway, my Treo 750 that I used to love so much is now a paper weight. Yes, the iPhone has some serious drawbacks, but my love affair with it has begun, and when I leave it in the other room for a few minutes, I already miss it.