
Diebold voting systems critically flawed

'It is like the nuclear bomb for e-voting systems'


While state election officials are scrambling to ensure that this month's primaries go off without a hitch, the real deadline is the mid-term elections in November.

Tens of thousands of the AccuVote systems have been deployed by Diebold to various states. Almost 40 per cent of voters will cast ballots on "digital recording-electronic" (DRE) systems - a class that included the AccuVote touchscreen terminals - in 2006, according to a report from Election Data Services. Only optical-scan voting systems, which account for about 41 per cent of voters, exceed the popularity of touch screens, according to the report.

Many states will not be able to remediate the problem by elections this month, said BlackBoxVoting's Harris. Moreover, those that are doing some sort of workaround for the problem are not doing enough.

"None of the states are doing a mitigation that is going to address the bootloader issue," Harris said. "If the bootloader has been contaminated, you cannot clean it through software, and they are taking a software approach to fixing this."

Instead, the systems need to be opened up, the on-board system rewritten, and the machines need to be sealed up permanently, she said. Otherwise, the bootloader could again be compromised.

The move to electronic voting systems has largely been due to the Help America Vote Act (HAVA) of 2002, which requires that states that want federal funding to modernize their systems adopt certified voting machines, adhere to certain election standards and provide citizens with disabilities the power to vote without aid. Yet, the latest security incident could lead to greater scrutiny of systems that many election officials had given passing marks in the 2004 general elections. The insecure design of Diebold's touch screen systems is only the latest problem flagged this year.

In West Virginia, the Secretary of State filed a complaint this week against e-voting machine maker Election Systems & Software, citing numerous problems counting ballots that "place great hardship" on election officials during primaries on May 9, according to a statement (PDF). At the end of March, Florida's attorney general subpoenaed voting systems makers to testify as to why they refused to sell machines to one Florida county whose election supervisor is an outspoken critic of the reliability and security of the machines.

For Diebold, however, the incident is the latest blow to the image of its voting systems. The company faces shareholder lawsuits and the exit of its CEO. In 2003, a leak of Diebold's source code resulted in a highly critical independent security report. And, in a February letter to the Election Assistance Commission, the governor of Maryland--which has committed to move statewide to Diebold's AccuVote terminals--lambasted the company for the high costs of the deployment, which jumped 78 percent over initial estimates, and a staggering 1000 percent increase in maintenance costs.

"The cost of Maryland's Diebold voting machines has skyrocketed as our confidence in the system has plummeted," Maryland governor Robert Ehrlich Jr. stated in the letter (PDF).

Shamos also criticized Diebold's engineering of their product. While he believes that the severity of the flaw is offset by the ease with which he believes a workaround can be put in place, the computer scientist did not let Diebold off the hook. Between now and the November election, the company has to fix all the systems in the field.

His message? "Go back, and for the first time in your life, think about security," Shamos said. "It is clear that they might not be able to do that by themselves."

Already, the company has engineers in the field implementing fixes. This week, Diebold technicians were in Emery County, Utah, completely replacing the system software and recertifying the machines, according to news reports.

"Over the past few months we have been out in the counties in Utah, training and helping with machines--we are just doing it all here in Emery County at one time," Diebold technician Bryan Simpson told the Emery County Progress. "One of the big issues the former county clerk had was the amount of memory the machines have. We have been erasing the operating system software and reinstalling everything on these machines."

As for Emery County's former clerk, he still feels he made the right call.

"You do create a few enemies when you do your job correctly," Funk told SecurityFocus. "I feel what was done was the most important thing to do, and I have not regretted it."

And now, he is just happy to be away from the to-do of county politics.

"I'm trying to catch up on things that I haven't been able to do for years," he said.

This article was originally published at SecurityFocus.
