Avi Rubin wrote:
I just posted a blog entry about a new report out of UConn that I
think is of similar magnitude to the Princeton report, only this time
the subject is the Accuvote AV-OS (optical scanner).
Tuesday, October 31, 2006
UConn VoTeR center report: Diebold AV-OS is vulnerable to serious attacks
A powerful new report was released yesterday about the Diebold AccuVote
Optical Scan voting terminal (AV-OS). This is a thorough and independent
security analysis of the machines that will be used in Connecticut to count
votes on November 7. It is based on hands-on experimentation with the
system, and is thus more like the Princeton study of the Accuvote TS than my
team’s earlier source code analysis. Like the Princeton team, the UConn
researchers had no access to any internal documentation from the vendor, no
source code, or any other information that would have given them an
advantage over a random attacker who happened to get access to the machine.
Everything they needed to know to perform the attacks was done by reverse
engineering the system and observing its behavior. The evaluation was done
as part of an evaluation on behalf of the state of Connecticut. They should
be commended for not only allowing, but for requesting this study. The
report published on their web site explains the attacks in enough detail to
be convincing, but some low level details are reserved for another copy of
the paper that is only available from the authors by request.
The authors show that “even if the memory card is sealed and pre-election
testing is performed, one can carry out a devastating array of attacks
against an election using only off-the-shelf equipment and without having
ever to access the card physically or opening the AV-OS system box.” The
attacks presented in the paper include manipulating the count so that no
votes for a particular candidate are counted, swapping votes for two
candidates, and reporting the results incorrectly based on biases that are
triggered under certain conditions.
The attacks in this paper are cleverly designed to make a compromised
machine appear to work correctly when the system’s audit reports are
evaluated or when the machine is subjected to pre-election testing. Besides
manipulation of the voting machine totals and reports, the authors explain
how any voter can vote an arbitrary number of times using (get this),
Post-it notes, if the voter is left unattended.
The attacks are possible because of serious security vulnerabilities that
could have been prevented with proper security design. For example, if a
serial cable is connected to the AV-OS, an attacker with a laptop can easily
obtain a dump of the memory card contents. The dump is obtained in cleartext
because the system performs no authentication of any computer that is
connected on that port. The dump can be very useful for an attacker, for
example, to reconstruct the password and audit records associated with the
memory card. The communication between the voting machine and the GEMS
tabulation system is unencrypted and unauthenticated. Instead, they use a
CRC as a checksum. In our 2003 report, we identified this as a weakness in
the Diebold Accuvote TS because CRCs are easily broken. The authors of the
new report show how to spoof the GEMS server to the AV-OS, which forms the
basis of many of their attacks.
The authors also validate some of the attacks presented earlier by Harri
Hursti. They report that the executable code on the memory cards (!!) can be
changed so that the counter values change.
Reading this report was a hair raising experience for me. Diebold has
clearly not learned any of the lessons from our 2003 report, and it is
startling to see that their optical scan ballot counter is as vulnerable to
tampering, vote rigging, and incorrect tabulation as the DRE. The big
difference, of course, is that optical scanners can be audited. Ballots
counted by hand can be compared to the totals of the AV-OS, and machines
tabulating incorrectly can be identified. This report highlights the dangers
of trusting any component of a voting system that is software based, and the
importance of widespread random audits. With optical scan technologies, we
can have a secure election even if the systems cheat, due to the opportunity
to audit and perform recounts. With DREs, we are left with whatever results
the machines compute.
I strongly urge everyone to read this new report out of UConn.