Robert Lemos, SecurityFocus | May 14 2006
Michael Shamos remembers that the call came late at night, during the last week of April.
The call - from election watchdog BlackBoxVoting.org - described a critical vulnerability in Diebold Election Systems' touchscreen voting systems that could allow any person with access to a voting terminal the ability to completely change the system code or ballot file on the system. As a professor of computer science at Carnegie Mellon University and adviser to the Commonwealth of Pennsylvania on electronic voting, Shamos realized that, at the very least, a workaround for the flaw needed to be in place by Pennsylvania's next election - at the time, less than three weeks away.
"This one is so bad, that we can't do just nothing," Shamos told the state's election officials at the time. "Any losing candidate could challenge the election by saying, 'How do I know that the software on the machine is the software certified by the state?'" Late Thursday, BlackBoxVoting published a redacted version of a paper describing the design flaw in Diebold AccuVote TSX and TS6 touchscreen election systems. Because of the seriousness of the flaw, the full report detailing the issue has only been distributed to a limited group of computer scientists, state and federal election officials, and security groups.
"We have elections every single week this month, and there is no way to do meaningful remediation at this point," said Bev Harris, founder of BlackBoxVoting.
Three states have already issued alerts on the flaws to election officials. The Pennsylvania Department of State told county clerks to reinstall the software on election devices and then lock them up in a secure location until the May 16 general primary.
"The Department of State will furnish the authorized software to the counties on a PCMCIA card along with instructions for its installation," a copy of the memo seen by SecurityFocus stated.
Both Iowa and California have also issued alerts, according to the Associated Press.
The incident represents the most major failure of the federal process to create secure election technology to date. While researchers and civil rights groups have voiced strong criticism of electronic voting technology - and in particular the systems' security - the national elections held in November 2004 saw only small problems (http://www.securityfocus.com/news/9718) that would likely not have impacted the outcome of the election (http://www.securityfocus.com/news/9854).
However, trust remains a significant issue. Voting machine makers and the certification labs that have tested election systems have been secretive about the technology. And, while older machines and the method for counting votes tallied by the older technology were easily understood by the average voter, electronic voting systems have become more impenetrable (http://www.securityfocus.com/columnists/198) and have not undergone significant and public testing, according to computer scientists that have called for more rigorous security testing (http://www.securityfocus.com/news/11336).
Diebold has had a more turbulent relationship with states and security experts over e-voting. The company's CEO stepped down in December, a day before a law firm filed a shareholder suit against the company (http://www.securityfocus.com/brief/81), claiming - among other issues - that the company misled investors about the state of its e-voting technology. The U.S. Securities and Exchange Commission announced this week that it has opened an inquiry into how Diebold reports revenue, following the company's admission in SEC filings that its election business overstated revenue and understated deferred revenue.
A representative of Diebold Election Systems could not immediately be reached for comment on the SEC inquiry or the design flaw, but Pennsylvania's memo to election officials stated that the company had confirmed the vulnerability and acknowledged that the issue could be used to load malicious software on an election system.
"The probability for exploiting this vulnerability to install unauthorized software that could affect an election is considered low," the memo to election officials stated. "To exploit this risk, physical access is required to the Personal Computer Memory Card International Association (PCMCIA) slots on the machine during system startup."
Other computer scientists do not believe the threat to be theoretical.
"It is like the nuclear bomb for e-voting systems," said Avi Rubin, computer science professor at Johns Hopkins University. "It's the deal breaker. It really makes the security flaws that we found (in prior years) (http://www.securityfocus.com/news/6727) look trivial."
--------------------------------------------------------------------------------
When Bruce Funk called in BlackBoxVoting to look at some strange memory issues with Diebold voting systems in Utah, finding the "nuclear bomb" of e-voting security was not on his agenda.
As the auditor and clerk for Emery County, a large rural bite out of the middle of Utah, Funk had noticed that the county's voting machines - provided by Diebold - were having various maintenance issues. Because Utah had adopted a requirement for a verified voter paper audit trail - essentially a printout of a person's vote - Funk needed the printers to work flawlessly. However, they frequently jammed. Moreover, electrical cords had pulled out from the machines with components attached. Those issues made Funk believe the machines may not have been new, but refurbished.
A Diebold technician told the county auditor early this year that any components with problems would have to be replaced. Funk decided to do a manual check of the systems to find any other issues and discovered that the machines had a variety of different file sizes on backup memory. Uncertain why that should be and wanting an independent opinion, he contacted the e-voting muckraking group BlackBoxVoting to come and look at one of the systems, he said.
In March, BlackBoxVoting flew in Harri Hursti, a Finnish voting-machine security expert with whom the group had frequently collaborated. Funk remembers that he was surprised by what Hursti could do with only poll-worker-level access to the machine.
"He was able to - from the keyboard that appears on the machine - create a macro that doesn't even show up that you created it, go and pickup a program through the modem, and run it," Funk said during an interview with SecurityFocus from his home in Clawson, Utah. "I was thinking that this was not right."
As Hursti got more familiar with the machine, he and members of BlackBoxVoting, who were videotaping the process, became more concerned, Funk said.
"It became so serious, that my concern about memory was minor," he said. "They told me that the information that they'd found had to go to certain federal agencies and certain things had to be done before the issues were made public."
Officials in Utah apparently were not concerned with the security of the systems, but with what they considered a breach in authorization. State officials and representatives of Diebold told Funk that he had cost the county more than $40,000 in damages because Diebold technicians would have to return to the county and recertify the systems, according to transcripts of the public parts of an April meeting in Emery County published by BlackBoxVoting (http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/27671.html).
"The reason that we’re here today is because Mr. Funk, on his own, has gone outside that system and compromised the integrity of not only Emery County’s elections, but also the State of Utah and any other jurisdiction of the United States that is using this equipment, simply because he wouldn’t call and ask these questions that these people and the Lieutenant Governor’s staff know the answers to," said Utah's State elections director, Michael Cragun, according to the transcript. "It seems to me it’s inappropriate to be in this meeting now answering these questions he should have asked before he compromised the integrity of this system."
The officials asked for Funk's resignation, which he gave verbally at the meeting.
"They basically said that they have people that want to have you removed," Funk said. "This whole weight fell on me and I said, 'I'm so tired, just let me out.'"
By the next morning, he decided to fight the process, but he was informed that a verbal agreement to resign was enough, he said. Calls to both Diebold and the office of the governor of Utah by SecurityFocus were not returned.
Meanwhile, Funk maintains that he did what the county's voters elected him to do: Look out for their interests in a fair election process.
"Basically, (Utah officials) tried to portray BlackBoxVoting as some radical organization, and they portrayed me as a renegade villain," he said. "They don't want this to come out, but it needs to come out at a national level."
--------------------------------------------------------------------------------
Members of BlackBoxVoting did not look to go national at first, but searched for a state that might take action on the issue. With that in mind, their first choice was not Pennsylvania, but California.
The selection was understandable. The Golden State had plenty of battles with election systems makers and even decertified Deibold's touch screen systems (http://www.gartner.com/DisplayDocument?doc_cd=120825) in April 2003. Yet, three years later, BlackBoxVoting did not make much headway with state officials, possibly because California's Secretary of State is elected, where Pennsylvania's is appointed, said BlackBoxVoting's Harris.
"There is a lot less politicking that can happen in Pennsylvania than in California," she said. "The very people that are responsible for remediation are running for election right now, and it adds more complexity to the issues."
With little interest from California, Harris turned to Carnegie Mellon's Shamos and Pennsylvania.
After hearing the details of the issue, Shamos knew that he needed to get Pennsylvania officials involved. Within a week, the state held a conference call with Diebold and, under threat of decertification, asked the company to come clean on the security issue. Diebold acknowledged the issue, but classified the threat as low, Shamos said.
The computer scientist's estimation of the flaw is less charitable.
"There are two types of security holes," he said. "The ones that are designed in and which you didn't think about the security implications beforehand or a bug- a mistake - in the program code. This is the first kind: It is not a bug; it's a horribly designed feature."
Other independent sources and the report released this week by BlackBoxVoting (http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/27675.html) also called the security issue a design flaw. To ease system upgrades for Diebold technicians, the company allowed anyone with a memory card and knowledge of certain file names to upgrade any of three levels of system software: the boot loader, the operating system and the application itself.
"There seems to be several backdoors to the system which are unacceptable from a security point of view," stated BlackBoxVoting's report, penned by computer security expert Hursti. "These backdoors exist in each of these three layers and they allow the system to be modified in extremely flexible ways without even basic levels of security involved."
Shamos cautioned against overemphasizing the threat. Poll-worker-level access to the machines is needed for several minutes to accomplish the attack. More importantly, an insider's knowledge of the source code of the machines would be needed to actually attempt to impact an election, he said. With that said, the threat should be taken seriously, he stressed.
"It is a feasible exploit," Shamos said. "You don't have to dip into the realm of science fiction to figure out how someone could make use of this."
Shamos, as often a critic of BlackBoxVoting as not, said the organization did well to approach election officials quietly about the flaw rather than go public with the details.
Based on the findings in the report, the Commonwealth of Pennsylvania issued an order last week to election officials to sequester any systems until a statewide election on May 16 and reload the machines with an authorized copy of election software to be provided by the Department of State for Pennsylvania.
Already, Iowa and California have warned their election officials of the flaw, according to the Associated Press (http://www.montereyherald.com/mld/montereyherald/news/14552458.htm), and Shamos expects more to come.
"Once Pennsylvania does something, then the other states have to follow," he said. "The dominoes have started falling. States cannot sit on this forever."
--------------------------------------------------------------------------------
While state election officials are scrambling to ensure that this month's primaries go off without a hitch, the real deadline is the mid-term elections in November.
Tens of thousands of the AccuVote systems have been deployed by Diebold to various states. Almost 40 per cent of voters will cast ballots on "digital recording-electronic" (DRE) systems - a class that included the AccuVote touchscreen terminals - in 2006, according to a report from Election Data Services (http://www.electiondataservices.com/home.htm). Only optical-scan voting systems, which account for about 41 per cent of voters, exceed the popularity of touch screens, according to the report.
Many states will not be able to remediate the problem by elections this month, said BlackBoxVoting's Harris. Moreover, those that are doing some sort of workaround for the problem are not doing enough.
"None of the states are doing a mitigation that is going to address the bootloader issue," Harris said. "If the bootloader has been contaminated, you cannot clean it through software, and they are taking a software approach to fixing this."
Instead, the systems need to be opened up, the on-board system rewritten, and the machines need to be sealed up permanently, she said. Otherwise, the bootloader could again be compromised.
The move to electronic voting systems has largely been due to the Help America Vote Act (HAVA) of 2002 (http://www.fec.gov/hava/hava.htm), which requires that states who want federal funding to modernize their systems adopt certified voting machines, adhere to certain election standards and provide citizens with disabilities the power to vote without aid. Yet, the latest security incident could lead to greater scrutiny on systems that many election officials had given passing marks in the 2004 general elections. The insecure design of Diebold's touch screen systems is only the latest problem flagged this year.
In West Virginia, the Secretary of State filed a complaint this week against e-voting machine maker Election Systems & Software, citing numerous problems counting ballots that "place great hardship" on election officials during primaries on May 9, according to a statement (PDF (http://www.wvsos.com/pressoffice/051006essproblems.pdf)). At the end of March, Florida's attorney general subpoenaed voting systems makers (http://biz.yahoo.com/ap/060329/voting_dispute.html) to testify as to why they refused to sell machines to one Florida county whose election supervisor is an outspoken critic of the reliability and security of the machines.
For Diebold, however, the incident is the latest blow to the image of its voting systems. The company faces shareholder lawsuits (http://www.securityfocus.com/brief/81) and the exit of its CEO. In 2003, a leak of Diebold's source code resulted in a highly critical independent security report (http://news.com.com/2009-1028_3-5429534.html). And, in a February letter to the Election Assistance Commission, the governor of Maryland--which has committed to move statewide to Diebold's AccuVote terminals--lambasted the company for the high costs of the deployment, which jumped 78 percent over initial estimates, and a staggering 1000 percent increase in maintenance costs.
"The cost of Maryland’s Diebold voting machines has skyrocketed as our confidence in the system has plummeted,” Maryland governor Robert Ehrlick Jr. stated in the letter (PDF (http://www.bradblog.com/docs/EhrlichLetter_021506.pdf)).
Shamos also criticized Diebold's engineering of their product. While he believes that the severity of the flaw is offset by the ease with which he believes a workaround can be put in place, the computer scientist did not let Diebold off the hook. Between now and the November election, the company has to fix all the systems in the field.
His message? "Go back, and for the first time in your life, think about security," Shamos said. "It is clear that they might not be able to do that by themselves."
Already, the company has engineers in the field implementing fixes. This week, Diebold technicians were in Emery County, Utah, completely replacing the system software and recertifying the machines, according to news reports.
"Over the past few months we have been out in the counties in Utah, training and helping with machines--we are just doing it all here in Emery County at one time," Diebold technician Bryan Simpson told the Emery County Progress (http://www.ecprogress.com/index.php?tier=1&pub=2006-05-09&page=news#2). "One of the big issues the former county clerk had was the amount of memory the machines have. We have been erasing the operating system software and reinstalling everything on these machines."
As for Emery County's former clerk, he still feels he made the right call.
"You do create a few enemies when you do your job correctly," Funk told SecurityFocus. "I feel what was done was the most important thing to do, and I have not regretted it."
And now, he is just happy to be away from the to-do of county politics.
"I'm trying to catch up on things that I haven't been able to do for years," he said