BBV report on DESI DRE vulnerabilities...
So BBV just released their report ("SECURITY ALERT: May 11, 2006 - Critical Security Issues with Diebold TSx" authored by Harri Hursti) on the vulnerabilities of the DESI AccuVote-TS and AccuVote-TSx DRE voting machines. This is an amazing piece of work on all fronts: BBV coordinating the effort, Harri and his company doing the analysis, and all parties ensuring responsible communication of the results. It has spurred California, Iowa and Pennsylvania to issue warnings to local election officials and a number of articles in the popular press: 1, 2, 3.
The extent of the vulnerability is so wide that the report refers to it as allowing "offense in depth" -- a play on the "defense in depth" strategy advocated by computer scientists and the NSA[1]. By offense in depth they mean that any of three levels -- the bootloader (a small piece of software that loads all the other software), the operating system (the "foundation" of a computerized system) and/or the voting application (what voters and poll workers interact with) -- could be used as a method of attack, and a compromised lower layer could even "clean up" or conceal attacks in the layers above it.
It appears that the only immediate solution is to load a "trusted" copy of the machine's software on each machine and then keep the machine completely sequestered until election day. (There's one important caveat: if the bootloader is corrupted, it may not allow itself to be written over by a new bootloader.) That means no more sending machines home with poll workers or delivering machines early to polling places... the BBV report shows how one could easily access the memory cards -- without damaging tamper-evident tape -- simply by taking the back of the machine off with a screwdriver.
Also, as some have commented in other places, this is a good time to have DESI DRE machines with a paper trail. The contents of a contemporaneous paper trail are essentially independent of the software and should be correct if voters take the trouble to check their contents.
To be sure, there are plenty of attacks that can be accomplished by exploiting this vulnerability that would render a paper trail useless. For example, here are a few attacks that are reasonably independent from a paper trail:
- usability attacks that simply make it harder for certain groups of voters to express their preferences.
- simple denial of service attacks (erasing the software, for example).
- "vote-jumping" attacks where both the paper and electronic records are mis-recorded (banking on people not looking at the paper).
- an attack that would subtly cause differences between paper trails and electronic records (also counting on voters not checking the paper, although this one will show up as an irreconcilable discrepancy between the two records; a few jurisdictions have "paper always rules" laws for exactly this case).
However, not having some sort of permanent, independent record of each vote greatly increases the opportunity for mischief. In that light, it is somewhat disappointing to see Georgia's response that "We are confident the robust and vigorous program of physical and operational security procedures we currently have in place in Georgia- including multiple audits and reviews to assure compliance- erects a strong barrier to prevent outsiders from accessing our voting equipment without our knowledge or without being detected." (from here). What's it going to take? A hacked election?
I've also found evidence that these vulnerabilities have been present since about 2002, which goes to show, as Doug Jones has said, that the federal certification laboratories are incapable of or unwilling to conduct even the most basic security assessments.
It's probably a good day to be in the tamper-evident tape or paper ballot printing business.
[1] Defense in depth. In Security Recommendation Guides. National Security Agency, 2003.
UPDATE [2006-05-12T12:29:06]: Bev pointed out that it would be very difficult to ensure that a corrupt bootloader would, in fact, replace itself with a new bootloader when asked.