Information Security News mailing list archives

E-Vote Machines Face Audit


From: InfoSec News <isn () c4i org>
Date: Wed, 13 Aug 2003 03:19:51 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,59976,00.html

By Kim Zetter
Aug. 12, 2003

After weeks of defending itself against charges of bad programming and 
lax security, Diebold Election Systems is facing an independent, 
third-party audit of the software for its touch-screen voting 
machines. 

Maryland Gov. Robert L. Ehrlich Jr. ordered the review after 
researchers at Johns Hopkins University and Rice University released a 
report (PDF) last month revealing numerous programming flaws and 
security vulnerabilities in the source code for Diebold's AccuVote-TS 
voting machines. 

In March 2002, Maryland purchased more than 5,000 Diebold touch-screen 
terminals at a cost of $17 million. The machines were used in four 
counties in the state election that year. 

Then last month, just days before the university report came out, 
Maryland awarded Diebold a $55.6 million contract to provide and 
service 11,000 additional Diebold machines to be used throughout the 
state for next spring's presidential primary. 

But publicity about security flaws has caused the state to seek a 
thorough review of the software before proceeding with the order. 

"Government has no more fundamental obligation than to ensure the 
integrity of the democratic election process," Ehrlich said in a 
statement released from his office. "In an effort to strengthen public 
confidence in Maryland's election process, I have ordered a thorough, 
fully independent review of the Diebold system by a third party leader 
in information security." 

Maryland is the first state to adopt a unified electronic voting 
system statewide. The success of electronic voting machines there 
likely will result in additional lucrative contracts for Diebold 
around the country. 

The audit is the first to be conducted on the entire range of 
AccuVote-TS software -- the Johns Hopkins report focused only on 
software for the touch-screen terminal and not on backend software 
that tabulates, compiles and prints final votes. 

Science Applications International Corp., or SAIC, will conduct the 
audit. The San Diego-based company has a standing contract to vet new 
software purchased by the state of Maryland, so its role in the audit 
is not a surprise. 

According to Diebold spokesman Mike Jacobsen, the company granted SAIC 
access to the source code after the group signed a nondisclosure 
agreement. The report is expected to be completed in about three weeks 
but likely will remain closed to the public. Critics of electronic 
voting will watch closely to see if Maryland goes through with its 
purchase of Diebold's equipment. 

Jacobsen said, "We're confident that no problems will arise from the 
review. But should the third-party audit require action on our part, 
we're going to work very closely with the state of Maryland to make 
sure that their needs are met." 

When asked whether any alterations made to the software used by 
Maryland will also be made to electronic machines already purchased by 
other states, Jacobsen replied: "This review is for Maryland. No other 
state has found the need to enact that kind of review at this time." 

He added, "We're going to work very hard with all of the states to make 
sure that their needs are met, that they're as comfortable with the 
security of our system as we are." 

Cindy Cohn, legal director at the Electronic Frontier Foundation, said 
the audit is a good first step but wants the report made public. 

"I would like the review to be more open so that ordinary people can 
see what testing was done and what the results were," she said. 
"There's a list of things that the university teams found and I'd like 
to see a point-by-point response to it from SAIC." 

She also said that other states need to take a cue from the Maryland 
audit. 

"The average vending machine is more secure than the Diebold code," 
she said. "Given this backdrop it's irresponsible for public officials 
not to go give the public a better explanation of the security of our 
voting machines." 

Professor Avi Rubin, technical director of the Information Security 
Institute at Johns Hopkins and one of the authors of the critical 
report against Diebold, said SAIC is a top-notch company and he's glad 
it will be conducting the audit. "It shows that Maryland really is 
serious about this," he said. 

The initial report concluded that the AccuVote-TS machines would allow 
a voter to cast multiple votes and were vulnerable to someone hacking 
into the system to switch votes. The researchers also found that 
cryptography wasn't written into the code in some places where it 
should have been used, and where it was written into the code, it was 
used poorly and incorrectly. 

"We were looking at code that would not get a C-minus grade in an 
undergraduate computer-programming course," Rubin said. "It's so full 
of mistakes and misunderstandings and improper use of cryptography 
that it was obvious to us that the person who wrote this code had no 
training." 

Diebold reports that during the state elections of Nov. 5, 2002, 
approximately 33,000 of its voting machines were used throughout the 
United States, including more than 22,000 in Georgia and 4,000 in a 
county in California. 

States that have used the touch-screen terminals so far have reported 
that voters were happy with them and liked their design and ease of 
use. But these comments were elicited before anyone made public the 
security risks involved in using the systems. 

Rubin said he's worried that states are taking an attitude that 
assumes electronic voting systems are secure until proven otherwise. 

"People will use it unless someone can show it's insecure," he said. 
"I don't know if that's the right model we should be taking for 
elections." 

Diebold responded to the accusations laid out in the report with a 
27-page rebuttal (PDF) defending its product. The company claimed the 
version of software the researchers viewed was from last year and had 
since been revised. 

"Only parts of that code may have been used in an actual election," 
Jacobsen said. "It was not the total code that you have to take into 
account when you consider everything that's involved in a real-world 
election." 

But Rubin said it's highly unlikely Diebold could have fixed problems 
in the software within a year because fundamental security design 
flaws would have required a complete revamping of the program rather 
than simple corrections. 

"I don't think anybody has the capability to develop a whole new 
system from scratch in a year, and I don't think Diebold had any 
incentive to do so because none of this news broke until recently," he 
said. "The only alternative is that they fixed it, and I don't think 
it was fixable." 

Diebold said the code viewed was "less than 5 percent" of the whole 
application, which includes backend servers and other hardware as well 
as election protocols designed to prevent vote tampering. 

But Rubin said security standards call for "defense in-depth," a term 
used by security professionals that means defenses must be built into 
every layer of a system. That includes software, hardware and 
implementation. "We looked at the software and it was poorly written. 
I don't think claiming that the other components are secure is a good 
enough argument," Rubin said. 

Diebold's rebuttal also takes issue with the fact that researchers 
tested the program on a Windows 2000 machine rather than on a modified 
Windows CE device, the intended operating system for it. 

Rubin calls this a non-issue because the researchers' conclusions are 
based on reading the code, not on observing its performance on a 
machine. They ran it on a machine only to verify that it was workable 
code rather than a nonworking draft. Regardless of the type of machine 
used, the security problems remain the same. 

Rubin's group has posted a response to the Diebold rebuttal. It 
includes this damning statement: 

"We have claimed that, in the Diebold code we examined, 'cryptography, 
when used at all, is used incorrectly.' We stand by this claim. Every 
use of cryptography in the Diebold code is flawed." 

Rubin said for the SAIC review to be successful, it should audit the 
code carefully and look at software engineering processes to see that 
they follow industry standards, particularly for cryptography. In 
addition, the auditing group should examine a host of attack scenarios 
to see if the voting system would survive them. 

According to a press release on Gov. Ehrlich's website, SAIC intends 
to build a test bed on which to run the Diebold system. "The test will 
be built as dictated by State Board of Elections regulations, 
standards and procedures developed for polling places.... Once adapted 
to a simulated Maryland election environment, SAIC will evaluate the 
claims of voting security and integrity vulnerabilities." 

"I think SAIC has competent people," Rubin said. "But if SAIC passes 
the software, then I'll be very suspicious of how good they did the 
review. 

"But I obviously don't think this thing is going to pass the tests," 
Rubin said. "It took us a couple of hours to identify very serious 
problems and two weeks to complete our project, including writing the 
paper. Diebold called the research we did a 'homework assignment.' But 
if a homework assignment can find these problems, then how much is a 
real serious audit going to find? 

"The main thing is, it would have been very easy for them to do this 
right, but they didn't," Rubin said. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.