Feeds

Diebold voting systems critically flawed

'It is like the nuclear bomb for e-voting systems'

Application security programs and practises

While state election officials are scrambling to ensure that this month's primaries go off without a hitch, the real deadline is the mid-term elections in November.

Tens of thousands of the AccuVote systems have been deployed by Diebold to various states. Almost 40 per cent of voters will cast ballots on "digital recording-electronic" (DRE) systems - a class that included the AccuVote touchscreen terminals - in 2006, according to a report from Election Data Services. Only optical-scan voting systems, which account for about 41 per cent of voters, exceed the popularity of touch screens, according to the report.

Many states will not be able to remediate the problem by elections this month, said BlackBoxVoting's Harris. Moreover, those that are doing some sort of workaround for the problem are not doing enough.

"None of the states are doing a mitigation that is going to address the bootloader issue," Harris said. "If the bootloader has been contaminated, you cannot clean it through software, and they are taking a software approach to fixing this."

Instead, the systems need to be opened up, the on-board system rewritten, and the machines need to be sealed up permanently, she said. Otherwise, the bootloader could again be compromised.

The move to electronic voting systems has largely been due to the Help America Vote Act (HAVA) of 2002, which requires that states who want federal funding to modernize their systems adopt certified voting machines, adhere to certain election standards and provide citizens with disabilities the power to vote without aid. Yet, the latest security incident could lead to greater scrutiny on systems that many election officials had given passing marks in the 2004 general elections. The insecure design of Diebold's touch screen systems is only the latest problem flagged this year.

In West Virginia, the Secretary of State filed a complaint this week against e-voting machine maker Election Systems & Software, citing numerous problems counting ballots that "place great hardship" on election officials during primaries on May 9, according to a statement (PDF). At the end of March, Florida's attorney general subpoenaed voting systems makers to testify as to why they refused to sell machines to one Florida county whose election supervisor is an outspoken critic of the reliability and security of the machines.

For Diebold, however, the incident is the latest blow to the image of its voting systems. The company faces shareholder lawsuits and the exit of its CEO. In 2003, a leak of Diebold's source code resulted in a highly critical independent security report. And, in a February letter to the Election Assistance Commission, the governor of Maryland--which has committed to move statewide to Diebold's AccuVote terminals--lambasted the company for the high costs of the deployment, which jumped 78 percent over initial estimates, and a staggering 1000 percent increase in maintenance costs.

"The cost of Maryland’s Diebold voting machines has skyrocketed as our confidence in the system has plummeted,” Maryland governor Robert Ehrlick Jr. stated in the letter (PDF).

Shamos also criticized Diebold's engineering of their product. While he believes that the severity of the flaw is offset by the ease with which he believes a workaround can be put in place, the computer scientist did not let Diebold off the hook. Between now and the November election, the company has to fix all the systems in the field.

His message? "Go back, and for the first time in your life, think about security," Shamos said. "It is clear that they might not be able to do that by themselves."

Already, the company has engineers in the field implementing fixes. This week, Diebold technicians were in Emery County, Utah, completely replacing the system software and recertifying the machines, according to news reports.

"Over the past few months we have been out in the counties in Utah, training and helping with machines--we are just doing it all here in Emery County at one time," Diebold technician Bryan Simpson told the Emery County Progress. "One of the big issues the former county clerk had was the amount of memory the machines have. We have been erasing the operating system software and reinstalling everything on these machines."

As for Emery County's former clerk, he still feels he made the right call.

"You do create a few enemies when you do your job correctly," Funk told SecurityFocus. "I feel what was done was the most important thing to do, and I have not regretted it."

And now, he is just happy to be away from the to-do of county politics.

"I'm trying to catch up on things that I haven't been able to do for years," he said.

This article was originally published at SecurityFocus.

Designing a Defense for Mobile Applications

More from The Register

next story
Sit back down, Julian Assange™, you're not going anywhere just yet
Swedish court refuses to withdraw arrest warrant
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
British cops cuff 660 suspected paedophiles
Arrests people allegedly accessing child abuse images online
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.