Backdoor Found in Diebold Voting Machines

[rs]

http://news.yahoo.com/s/pcworld/20060515/tc_pcworld/125700

I'm *shocked*, yes I say shocked.

Emphasis is mine.

Robert McMillan, IDG News Service Mon May 15, 10:00 AM ET

Diebold Election Systems plans to make changes to its electronic voting machines, following the disclosure of a number of serious security flaws in the systems.

Last week, the voting watchdog organization Black Box Voting published a report detailing how Diebold's TS6 and TSx touch-pad voting machines could be compromised by taking advantage of "backdoor" features designed to allow new software to be installed on the systems.

Finnish security researcher Harri Hursti discovered backdoors in the systems boot loader software, in the OS, and in the Ballot Station software that it runs to tabulate votes.

"These are built-in features, all three of them," said Black Box Voting Founder Bev Harris. If a malicious person had access to a Diebold machine, the back doors could be exploited to falsify election results on the system, she said.

Vulnerability or Functionality?

A Diebold spokesman did not dispute Hursti's findings, but said that Black Box Voting was making too much of the matter because the systems are intended to remain in the hands of trusted election officials.

"What they're proposing as a vulnerability is actually a functionality of the system," said spokesman David Bear. "Instead of recognizing the advantages of the technology, we keep ringing up 'what if' scenarios that serve no purpose other than to confuse and in some instances frighten voters."

Nevertheless, Diebold plans to address the issue in an upcoming version of the product, which will use cryptographic keys to ensure that only authorized software is installed on the machine, Bear said. He could not say when this feature would be added, but said that it could be available in time for the November 7 general election in the U.S.

Flaws Found

After the November 2000 presidential election exposed flaws in traditional paper ballots,

which is hogwash. The flaws were not in traditional paper ballots, the flaws were in punch cards.

many U.S. states have rushed to adopt electronic voting systems. But computer experts have pointed out numerous security flaws in these machines, and some consumer groups have called for them to be dropped altogether.

These latest set of flaws are the most serious voting machine flaws yet reported, according to Ed Felten, a professor of computer science at Princeton University, and Avi Rubin, a Professor of Computer Science at Johns Hopkins University.

"The attacks described in Hursti's report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools," they wrote last week on the Freedom to Tinker blog. "The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes."

Diebold's machines are based on custom hardware that runs Microsoft's Windows CE operating system.

OK, so it has Microsoft security. Now I am really worried.

Black Box Voting's Harris called on Diebold to recall the machines and replace them with its optical scanners, which do not suffer from the same vulnerability. "The company sold a defective product," she said. "It should not be used in a Federal election."

Harris also called on Congress to find out why these backdoors were installed in the first place. "We need to find out how this got through the oversight system, and we need to question the programmer who did the programming under oath."

 

[vinny]

I'm *shocked*, yes I say shocked.

I take it you're being ironic?
Anyone out there (and I guess there's probably still quite a lot) who really expects fair elections and believes that democracy actually exists, hasn't been paying attention!

wake up people! (but of course... they don't)

 

[John Chang]

Still, too many people voted for him - it's easy and unobvious to steal a 48/52 election, much less legitimate to steal a 40/60 election. In the end, the american people are getting the government they deserve. Actually, if you look at what has happened over the past 40 years, you can see the smooth continuous slide into the mess we're in today. I doubt that Kerry or Gore would've changed much. The details might look a little different, but we'd be pretty much close to where we are.

Interesting that ATM machines are about as vulnerable to hacking as the voting machines are. And that too isn't widely publicized either. Those big old hierarchal companies just can't find and retain good creative people. They try to function without them, and they can, to a certain extent, but it shows, oh it shows.

For some reason, slot machines, however, are much more secure. Don't exactly know why. Perhaps it's the gaming aspect that allows the casinos to exploit the creativity of their programmers?

 

[John Chang]

For some reason, slot machines, however, are much more secure.

Um, like, DUH. they are more secure because slot machines are run by the mob and they don't like to lose money.

And the Gov't doesn't instill fear and loathing either? All I'm saying is don't ascribe to malice what can be adequately explained by stupidity. What reports I've seen about the Diebold voting machines indicate maybe a lack of competence in the software, a system that's put together from some high level UML that has been given to the lowest bidder to implement. Granted, such a system is rife for abuse.

And are you this rude and tactless to everyone? Or have I said something that offends you?

 

[ark]

All I'm saying is don't ascribe to malice what can be adequately explained by stupidity.

You see, but malice a more probable explanation than stupidity. In fact, malice in the voting machines was to be expected as a natural prolongation of the previous actions of the Bushes.

It was enough if a high FBI official explained to the person in charge of the production:

"... we need to have a reliable backdoor, so that we will be able to correct the results in case they are manipulated by the TERRORISTS. Pause ... And, by the way, we have interesting files concerning your company etc.

Of course stupidity may add to that, and the back doors could have been sloppily implemented, so they are not as reliable as expected. :)