Back-door flaws found in Diebold e-voting machines
The flaws could be used to change election results on the systems
IDG News Service - Diebold Election Systems Inc. plans to make changes to its electronic voting machines, following the disclosure of a number of serious security flaws in the systems.
The voting watchdog organization Black Box Voting last week published a report (download PDF) detailing how Diebold's TS6 and TSx touch-pad voting machines could be compromised by taking advantage of back-door features designed to allow new software to be installed on the systems.
Finnish security researcher Harri Hursti discovered back doors in the systems boot loader software, in the operating system and in the Ballot Station software that it runs to tabulate votes.
"These are built-in features, all three of them," said Black Box Voting founder Bev Harris. If a malicious person had access to a Diebold machine, the back doors could be exploited to falsify election results on the system, she said.
A Diebold spokesman did not dispute Hursti's findings but said that Black Box Voting was making too much of the matter because the systems are intended to remain in the hands of trusted election officials.
"What they're proposing as a vulnerability is actually a functionality of the system," said spokesman David Bear. "Instead of recognizing the advantages of the technology, we keep ringing up 'what if' scenarios that serve no purpose other than to confuse and in some instances frighten voters."
Nevertheless, Diebold plans to address the issue in an upcoming version of the product, which will use cryptographic keys to ensure that only authorized software is installed on the machine, Bear said. He could not say when this feature would be added but said that it could be available in time for the Nov. 7 general election in the U.S.
After the November 2000 presidential election exposed flaws in traditional paper ballots, many U.S. states rushed to adopt electronic voting systems. But computer experts have pointed out numerous security flaws in these machines, and some consumer groups have called for them to be dropped altogether.
These latest set of flaws are the most serious voting machine flaws yet reported, according to Ed Felten, a professor of computer science at Princeton University, and Avi Rubin, a professor of computer science at Johns Hopkins University.
"The attacks described in Hursti's report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools," they wrote Thursday on the Freedom to Tinker blog. "The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes."
Diebold's machines are based on custom hardware that runs Microsoft Corp.'s Windows CE operating system.
Harris called on Diebold to recall the machines and replace them with its optical scanners, which do not suffer from the same vulnerability. "The company sold a defective product," she said. "It should not be used in a federal election."
Harris also called on Congress to find out why these back doors were installed in the first place. "We need to find out how this got through the oversight system, and we need to question the programmer who did the programming under oath."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts