Diebold voting systems critically flawed

'It is like the nuclear bomb for e-voting systems'

While state election officials are scrambling to ensure that this month's primaries go off without a hitch, the real deadline is the mid-term elections in November.

Tens of thousands of the AccuVote systems have been deployed by Diebold to various states. Almost 40 per cent of voters will cast ballots on "digital recording-electronic" (DRE) systems - a class that includes the AccuVote touchscreen terminals - in 2006, according to a report from Election Data Services. Only optical-scan voting systems, which account for about 41 per cent of voters, exceed the popularity of touch screens, according to the report.

Many states will not be able to remediate the problem by elections this month, said BlackBoxVoting's Harris. Moreover, those that are doing some sort of workaround for the problem are not doing enough.

"None of the states are doing a mitigation that is going to address the bootloader issue," Harris said. "If the bootloader has been contaminated, you cannot clean it through software, and they are taking a software approach to fixing this."

Instead, the systems need to be opened up, the on-board system rewritten, and the machines need to be sealed up permanently, she said. Otherwise, the bootloader could again be compromised.

The move to electronic voting systems has largely been due to the Help America Vote Act (HAVA) of 2002, which requires that states that want federal funding to modernize their systems adopt certified voting machines, adhere to certain election standards and provide citizens with disabilities the power to vote without aid. Yet, the latest security incident could lead to greater scrutiny of systems that many election officials had given passing marks in the 2004 general elections. The insecure design of Diebold's touch screen systems is only the latest problem flagged this year.

In West Virginia, the Secretary of State filed a complaint this week against e-voting machine maker Election Systems & Software, citing numerous problems counting ballots that "place great hardship" on election officials during primaries on May 9, according to a statement (PDF). At the end of March, Florida's attorney general subpoenaed voting systems makers to testify as to why they refused to sell machines to one Florida county whose election supervisor is an outspoken critic of the reliability and security of the machines.

For Diebold, however, the incident is the latest blow to the image of its voting systems. The company faces shareholder lawsuits and the exit of its CEO. In 2003, a leak of Diebold's source code resulted in a highly critical independent security report. And, in a February letter to the Election Assistance Commission, the governor of Maryland--which has committed to move statewide to Diebold's AccuVote terminals--lambasted the company for the high costs of the deployment, which jumped 78 percent over initial estimates, and a staggering 1000 percent increase in maintenance costs.

"The cost of Maryland's Diebold voting machines has skyrocketed as our confidence in the system has plummeted," Maryland governor Robert Ehrlich Jr. stated in the letter (PDF).

Shamos also criticized Diebold's engineering of their product. While he believes that the severity of the flaw is offset by the ease with which he believes a workaround can be put in place, the computer scientist did not let Diebold off the hook. Between now and the November election, the company has to fix all the systems in the field.

His message? "Go back, and for the first time in your life, think about security," Shamos said. "It is clear that they might not be able to do that by themselves."

Already, the company has engineers in the field implementing fixes. This week, Diebold technicians were in Emery County, Utah, completely replacing the system software and recertifying the machines, according to news reports.

"Over the past few months we have been out in the counties in Utah, training and helping with machines--we are just doing it all here in Emery County at one time," Diebold technician Bryan Simpson told the Emery County Progress. "One of the big issues the former county clerk had was the amount of memory the machines have. We have been erasing the operating system software and reinstalling everything on these machines."

As for Emery County's former clerk, he still feels he made the right call.

"You do create a few enemies when you do your job correctly," Funk told SecurityFocus. "I feel what was done was the most important thing to do, and I have not regretted it."

And now, he is just happy to be away from the to-do of county politics.

"I'm trying to catch up on things that I haven't been able to do for years," he said.

This article was originally published at SecurityFocus.
