
Diebold voting systems critically flawed

'It is like the nuclear bomb for e-voting systems'


While state election officials are scrambling to ensure that this month's primaries go off without a hitch, the real deadline is the mid-term elections in November.

Tens of thousands of the AccuVote systems have been deployed by Diebold to various states. Almost 40 per cent of voters will cast ballots on "digital recording-electronic" (DRE) systems - a class that included the AccuVote touchscreen terminals - in 2006, according to a report from Election Data Services. Only optical-scan voting systems, which account for about 41 per cent of voters, exceed the popularity of touch screens, according to the report.

Many states will not be able to remediate the problem by elections this month, said BlackBoxVoting's Harris. Moreover, those that are doing some sort of workaround for the problem are not doing enough.

"None of the states are doing a mitigation that is going to address the bootloader issue," Harris said. "If the bootloader has been contaminated, you cannot clean it through software, and they are taking a software approach to fixing this."

Instead, the systems need to be opened up, the on-board system rewritten, and the machines need to be sealed up permanently, she said. Otherwise, the bootloader could again be compromised.

The move to electronic voting systems has largely been due to the Help America Vote Act (HAVA) of 2002, which requires that states that want federal funding to modernize their systems adopt certified voting machines, adhere to certain election standards and provide citizens with disabilities the power to vote without aid. Yet, the latest security incident could lead to greater scrutiny of systems that many election officials had given passing marks in the 2004 general elections. The insecure design of Diebold's touch screen systems is only the latest problem flagged this year.

In West Virginia, the Secretary of State filed a complaint this week against e-voting machine maker Election Systems & Software, citing numerous problems counting ballots that "place great hardship" on election officials during primaries on May 9, according to a statement (PDF). At the end of March, Florida's attorney general subpoenaed voting systems makers to testify as to why they refused to sell machines to one Florida county whose election supervisor is an outspoken critic of the reliability and security of the machines.

For Diebold, however, the incident is the latest blow to the image of its voting systems. The company faces shareholder lawsuits and the exit of its CEO. In 2003, a leak of Diebold's source code resulted in a highly critical independent security report. And, in a February letter to the Election Assistance Commission, the governor of Maryland--which has committed to move statewide to Diebold's AccuVote terminals--lambasted the company for the high costs of the deployment, which jumped 78 percent over initial estimates, and a staggering 1000 percent increase in maintenance costs.

"The cost of Maryland's Diebold voting machines has skyrocketed as our confidence in the system has plummeted," Maryland governor Robert Ehrlich Jr. stated in the letter (PDF).

Shamos also criticized Diebold's engineering of their product. While he believes that the severity of the flaw is offset by the ease with which he believes a workaround can be put in place, the computer scientist did not let Diebold off the hook. Between now and the November election, the company has to fix all the systems in the field.

His message? "Go back, and for the first time in your life, think about security," Shamos said. "It is clear that they might not be able to do that by themselves."

Already, the company has engineers in the field implementing fixes. This week, Diebold technicians were in Emery County, Utah, completely replacing the system software and recertifying the machines, according to news reports.

"Over the past few months we have been out in the counties in Utah, training and helping with machines--we are just doing it all here in Emery County at one time," Diebold technician Bryan Simpson told the Emery County Progress. "One of the big issues the former county clerk had was the amount of memory the machines have. We have been erasing the operating system software and reinstalling everything on these machines."

As for Emery County's former clerk, he still feels he made the right call.

"You do create a few enemies when you do your job correctly," Funk told SecurityFocus. "I feel what was done was the most important thing to do, and I have not regretted it."

And now, he is just happy to be away from the to-do of county politics.

"I'm trying to catch up on things that I haven't been able to do for years," he said.

This article was originally published at SecurityFocus.
