OVC Reporting "WORST EVER SECURITY FLAW FOUND IN DIEBOLD TS"

Subject: WORST EVER SECURITY FLAW FOUND IN DIEBOLD TS VOTING MACHINE
Contact: Alan Dechert
Reference: http://www.openvotingfoundation.org/ts


SACRAMENTO, CALIFORNIA -- "This may be the worst security flaw we have seen in touch screen voting machines," says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

"Diebold has made the testing and certification process practically irrelevant," according to Dechert. "If you have access to these machines and you want to rig an election, anything is possible with the Diebold TS -- and it could be done without leaving a trace. All you need is a screwdriver." This model does not produce a voter verified paper trail so there is no way to check if the voter's choices are accurately reflected in the tabulation.

Open Voting Foundation is releasing 22 high-resolution close up pictures of the system. This picture , in particular, shows a “BOOT AREA CONFIGURATION” chart painted on the system board. (note: after clicking this link, remove the comma at the end of the url in the address bar an hit enter.)

The most serious issue is the ability to choose between "EPROM" and "FLASH" boot configurations. Both of these memory sources are present. All of the switches in question (JP2, JP3, JP8, SW2 and SW4) are physically present on the board. It is clear that this system can ship with live boot profiles in two locations, and switching back and forth could change literally everything regarding how the machine works and counts votes. This could be done before or after the so-called "Logic And Accuracy Tests".

A third possible profile could be field-added in minutes and selected in the "external flash" memory location, the interface for which is present on the motherboard.

This is not a minor variation from the previously documented attack point on the newer Diebold TSx. To its credit, the TSx can only contain one boot profile at a time. Diebold has ensured that it is extremely difficult to confirm what code is in a TSx (or TS) at any one time but it is at least theoretically possible to do so. But in the TS, a completely legal and certified set of files can be instantly overridden and illegal uncertified code be made dominant in the system, and then this situation can be reversed leaving the legal code dominant again in a matter of minutes.

http://www.openvotingfoundation.org

When I tried, just got the photo :shrug:

So, I saved the pic to my files and uploaded to photobucket

I knew that actually getting our hands on one of these machines would reveal everything, and you just proved that.

in the machine.

Ben, I fear there is another seriously dirty trick in store for many voters this fall. Here's link to an old post of mine re Greg Palast on GOP trick of sending mail with DO NOT FORWARD to home addresses of deployed troops (from districts with heavily black populations)

http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=364x1443718

Palast on this one:
http://www.gregpalast.com/massacre-of-the-buffalo-soldiers

Now, think about that laptop with all that data on MILLIONS of vets and active duty personnel. It disappeared (or was reported stolen in news) same week Cheney started mouthing off about how he was sure the GOP would prevail this Novemeber.

We find their old tricks. They have new ones lined up.

We have to make sure the GOP does not disenfranchise huge chunks of our vets and active duty people. It seems to me the next phase of Cheney's insurance policy.

K & R. :kick:

How large is the EPROM on this board? Could it contain a complete software image? (It wouldn't need to, though, because it could use parts of the on-board flash image.)

Where would an "external Flash" need to physically be to be used by this system?

To use an external flash to boot, you would have to open the machine and configure the boot selectors for that. Then insert the flash card in the reader and turn on the machine. Once booted, you can remove the card and do whatever.

Now the flash on the memory card could be programmed to do diagnostics (a good thing) or to overwrite the onboard flash. It would depend on the type of EPROM as to whether or not it can be reprogrammed, but that's easy enough to look up once the chip type is determined.

-Hoot

Lots and lots of LTTE with links. Can we get the DU Activist Corps on it? DUers in general?

If you can boot an external flash, you can replace the internal flash contents trivially.

also do sleepovers?

The machine involved is the Diebold TS. Not TSx. The TS is VVPAT-less, which we don't use in CA.

an easily exploitable system......

The switches you see here are the sorts of things you HAVE to have in an embedded computer system to make the system maintainable and manufacturable. As a result, you cannot have a maintainable and manufacturable computerized voting machine that is NOT exploitable.

life wondering and I still couldn't think of any possible reason why they would build and market such an easily exploitable system.

:eyes:

:hi:

I believe Avi Rubin, David Dill, et al. were livid about some security flaw a couple months ago and were keeping mum about it so that nobody wd use their description to do what the back door apparently was designed to do: make the machine more easily rigged than it already is.

This one is stealthy. Not in the way the OVF thinks though.

The external flash switch is not the issue. The issue is the EPROM boot switch. That EPROM could boot the internal flash but patch it to enable vote flipping. Then later when you examine the internal Flash, it would still be the code you expected because the patches were in the RAM copy of the software after boot.

there.

If you have any questions, please contact the site administrator.

:eyes:

Well, unbelievably there is ANOTHER security hole in some Diebold machines,
this affects Maryland and Georgia in particular.

Glenn Newkirk, the consultant for Wake County,North Carolina, and President
of InfoSENTRY - wrote a report used to persuade Maryland to KEEP the paperless Diebold DREs.

Newkirk's March 29, 2006 Report on Maryland Voting Machine Security
http://www.ncvoter.net/downloads/InfoSENTRY_Results-Review_MD_20060329.pdf

Dr. David Dill's Rebuttal of Newkirk Report on MD machines
http://www.ncvoter.net/downloads/David_Dill_rebutts_Glenn_Newkirk.pdf

The info on this site is very weak. Has this been reported anywhere else?

Kind of hard to give credibility to a site where the "About Us" page is "(under construction)" and the only contact info is a snailmail address that doesn't register on any internet map I use. In addition, SPI, in the addendum to their agenda item in which they considered membership for OVF, seems to cast doubt on OVFs stated objective (www.spi-inc.org/secretary/agenda/2006-06-20.html ).

On the limited info that can be learned about this site I wouldn't give it much credibility until it's independently verified.

You are seeing their new site. They evidentally havent
migrated everything to it yet.

They are running on a shoe-string budget.

There are plenty of reputable people involved in OVC.

THey just changed their site the other day.

http://www.openvotingconsortium.org/

Login | Register

Our Mission and Key Players
The Open Voting Consortium is a not-for-profit organization dedicated to the development, maintenance, and delivery of trustable and open voting systems for use in public elections. We are comprised of computer scientists, voting experts, and voting rights activists. We have a growing international membership base, but our organizing efforts are currently focused in California where we are actively engaged in legislation and implementing Open Voting as a model for the United States.

The founders of OVC are computer scientist Alan Dechert, database and election systems expert Dr. Arthur Keller, and computer science professor Dr. Doug Jones. They have worked collaboratively with experts from throughout the world to examine every aspect of voting scientifically and advance needed reform so that confidence can be restored in American elections. Many of these experts now serve as advisors or on the OVC Board of Directors. In sum, OVC has the brain power and computer programming talent to develop open source software codes and a comprehensive data base and check list for electoral accountability. Now all we need is your support!
http://www.openvotingconsortium.org/about_ovc

I trust Doug Jones, too, and the analysis here seems reasonable.

OPEN VOTING FOUNDATION is a nonprofit non stock California corporation
dedicated to demonstrating the need for and benefits of voting technology
that can be publicly scrutinized.

Like Verified Voting had the org and the foundation?

OVF is getting help from "Software in the Public Interest (SPI):

You can also make your contribution tax deductible through
Software in the Public Interest (SPI).
If you want your contribution to be tax deductible,
make your check to "Software in the Public Interest"
and mail to the address above. Online contributions go through SPI

http://www.openvotingfoundation.org/donate.htm

Software in the Public Interest, Inc. (SPI) is a
non-profit organization formed to help other organizations
create and distribute open-source software and
http://en.wikipedia.org/wiki/Software_in_the_Public_Interest

Counting is too easy. Anybody can do it with pen and paper.\

If you want to make hundreds of millions selling voting machines, you have to make fraud easy and untraceable. It's called "value added."

We already know that technicians (in Georgia they are Diebold employees) are under contract and have opportunity for mischief because of their easy access to DREs. They come and go to "fix" the machines before, during and after elections and election officials and poll workers by and large would not be able to tell if the software had been manipulated in the process.

In a scenario with over 24,000 machines in Georgia, would this mean a 'hands-on' for every machine that is going to be effected? DREs in precincts are stand-alones.

So the question is, how many accomplices would it take to change the top of the ticket races in a statewide election if this security hole is exploited? Anybody know?

If I remember the deal in GA (although I won't even bother to check), one DRE per polling place is designated as the accumulator, so potentially one machine could alter the results of several. How many votes per machine could one get away with stealing? and how many votes does one need?

Off-hand it does seem more labor-intensive than mucking with ballot definition files as Bill Bored suggests, but spinning machine-hack scenarios is not my forte.

"How many votes per machine could one get away with stealing?" Perhaps enough to flip a local race, a referendum, a bond (that last one could pay a lot).

And with sleepovers (which I guess happen after, as well as before, the election) it's easier than the Ballot Definition hacks Bill Bored warns about.

Potawattamie!

I'm interested in understanding the implications of any particular security vulnerability as clearly as I can within reason. One reason: the point is often made that while even HCPB is subject to fraud, that fraud is 'retail' while electronic fraud can be 'wholesale.' But it turns out that electronic fraud can come in various mixes of 'retail' and 'wholesale' -- and I like to think about that so I don't make any stupid assumptions as I'm trying to examine election returns.

At the same time, if this is primarily a mechanism of retail fraud, then it shouldn't be treated as evidence of wholesale fraud. I'm sorry Bill Bored is in such a bad mood, but he sort of has a point.

Here, let me get myself slapped silly: I think about the pollworkers in my town (officially "city"), and I think about equipping them with screwdrivers and directing them to tamper with motherboard switches during sleepovers, and my eyes begin to roll. This particular vulnerability seems more likely to be exploited by authorized techies in advance -- but I don't claim that machine fraud risk assessment is my forte.

In any case, as you point out, the smaller the jurisdiction, the narrower the scope of coordination entailed.

However, the results are printed off all the DREs before their memory cards are put into the accumulator DRE and totalled up. These tapes are saved with the zero tapes and other election materials and sent to the county elections' offices. It would be hard but not totally impossible I suppose at least in theory to change the results on the accumulators and not have it immediately obvious. The pollworkers at the precincts and county offices might not notice the totals were off. Think it would not be the easiest election fraud to pull off however. In GA there are over 2000 precincts.

Brennan Center said easiest was a Trojan Horse or the like placed by an insider at any of a number of opportunities, like in COTS software by programmers, someone at the ITAs, etc. Would only take one person to change the top race for a state.

One boot is the official, approved and tested version, and the other - well, whatever the Hell is on that Flash chip.

Yup, a chimp could be trained to change that machine.

in Georgia and Maryland, all you need is a screw driver...