E-voting terminals: gambling with data?
Playing the slots with votes
Opinion: Making electronic voting terminals more like slot machines won't keep elections secure from tampering. Neither will using ATMs as a model improve the prospects for data integrity.
There is a children's day care facility in my area called "The Pied Piper". Apparently, many people around here don't have a problem with that. Presumably they consider the fairy tale of a stranger saving a town by leading away its rats with dance and melody, and think it a worthy basis for the name of such an operation.
Of course, anyone who knows the whole story will immediately realize that in the end, the Piper actually steals away all the children (save one) after the local townsfolk cheated him out of his fee of a thousand guilders. Had the owners of the business considered all the available information, I seriously doubt that they would have settled on that particular moniker.
In the continuing debate over the use of e-voting machines to replace paper ballots, I fear that both sides - those designing controls around these systems, and those critical of said security measures - are falling prey to the same kind of short-sightedness.
By way of example, a recent dialog regarding the insecurity of electronic voting machines compared them with slot machines, and found them lacking. Much was made of the fact that a computerized slot machine could withstand a Taser gun attack without evident failure, while an e-voting machine apparently could not.
This is a kind of security-modeling-by-resemblance, and it takes away from designing a security foundation that actually serves the needs.
When designing security around a new technological process, we must first consider what problems we seek to remedy. For a video poker machine, that's obvious: if it gets broken into, manipulated, or zapped into dispensing money, someone gets away with the cash. Being "tamper resistant" is the most important element in countering that scenario. The tamper-resistant properties of the unit - including standing up to a little high voltage - are what protect the asset.
But despite a certain physical and architectural resemblance to their casino cousins, e-voting machines have a completely different threat model, and need to value a completely different set of security properties.
The asset that these units seek to protect is the integrity of the data they hold. Consequently, it is much more important to have mechanisms in place that immediately alert officials to the fact that voting data was somehow altered, such as cryptographic and algorithmic checks, than any physical means that attempts to prevent attacks in the first place. These machines must be "tamper evident", not zap-proof.
If e-voting critics really want to take a lesson from Vegas, they should look at the history of gambling machine security. New means of stealing money still come along from time to time, and new measures are taken to prevent them. There was a time when a piece of aluminum foil could make a slot machine pay out, and there will always be new attacks against these units. Some are trivially simple, and at some point cash will be lost.
There's no reason to think e-voting machines can hold up better. Knowing this, it stands to reason that voting machine security should be concentrated on the aftermath of an attack, and not the attack itself. Regardless of how someone breaks an electronic ballot, the fact that it was broken into must remain the most important piece of knowledge; data integrity must be the requirement. The attack vector can be addressed later; we must first know if any votes were tainted, and we need a plan for recovering lost votes.
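As an added illustration of what "tamper evident" means for the tally itself (example code, not anything from the column or from any vendor), the following keeps each precinct's stored count in a hash chain authenticated with an officials-held key: an after-the-fact edit, a deleted record, or a truncated log is detected at verification, and the check names the first record that no longer fits. The key, the precinct names and the counts are all constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical tallying key held by election officials, not by the terminal
# vendor's maintenance path. Constructed for this example only.
TALLY_KEY = b"constructed-example-key-not-for-real-use"
GENESIS = "0" * 64

def _link_mac(key, prev_mac, seq, payload):
    """HMAC over the previous link plus this record: editing or deleting any
    record invalidates every link after it."""
    msg = json.dumps({"prev": prev_mac, "seq": seq, "payload": payload},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_record(log, key, payload):
    """Append one tally record chained to the record before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    rec = {"seq": len(log), "prev": prev_mac, "payload": payload,
           "mac": _link_mac(key, prev_mac, len(log), payload)}
    log.append(rec)
    return rec

def verify_log(log, key, published_head=None):
    """Return (True, None) if the chain is intact, else (False, first bad seq).
    published_head is the final MAC recorded out of band, e.g. printed at poll
    close, so that silently dropping the last records is caught as well."""
    prev_mac = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev_mac:
            return False, i
        if not hmac.compare_digest(_link_mac(key, prev_mac, i, rec["payload"]),
                                   rec["mac"]):
            return False, i
        prev_mac = rec["mac"]
    if published_head is not None and not hmac.compare_digest(prev_mac, published_head):
        return False, len(log)
    return True, None

def demo():
    """Tally three constructed precincts, then alter one stored count."""
    log = []
    for precinct, counts in [("P-01", {"A": 120, "B": 98}),
                             ("P-02", {"A": 77, "B": 81}), ("P-03", {"A": 55, "B": 60})]:
        append_record(log, TALLY_KEY, {"precinct": precinct, "counts": counts})
    head = log[-1]["mac"]                    # what officials would record at poll close
    intact = verify_log(log, TALLY_KEY, head)
    log[1]["payload"]["counts"]["A"] = 177   # an after-the-fact edit to the stored tally
    return intact, verify_log(log, TALLY_KEY, head)
```

The chain says nothing about how the edit happened; it only guarantees that the edit cannot go unnoticed, which is the property the column argues for.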
Other comparisons fare little better than the slot machines. Academics have suggested ATMs as a model for e-voting machines, and one of the largest e-voting players, Diebold, also makes cash machines. ATMs are very physically secure, and even possess data integrity mechanisms (like having crypto keys embedded in the keypads rather than some extraneous software exchange). But here, too, the security is directed at protecting cash, not data. Moreover, ATMs are hardly invulnerable themselves: they're increasingly deployed on insecure networks. I write about just this scenario in Syngress' new book, "Stealing the Network: How to Own a Continent".
We've already seen the dangers of applying the wrong kind of security to e-voting. Earlier deployments of Diebold's physically secure voting machines used a Microsoft Access database to store and tally votes. Diebold reportedly left this database anonymously accessible via the Internet, with no password, and no change log. It doesn't matter if the unit could withstand a tactical nuclear missile attack if someone on the Internet could point and click someone into elected office from the comfort of their desktop.
This is what happens when any security measure is designed without first determining what issues it sets out to solve. As elections draw near, it is time that we as a security community revisit this topic. We can't let facile comparisons lead us like the Piper away from e-voting's true problem.
SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.