[IP] Diebold Optical Scan Voting System Hacked (3 Ways)

To: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Diebold Optical Scan Voting System Hacked (3 Ways)
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 1 Jun 2005 09:20:41 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <8a.27f52966.2fce6f74@xxxxxxx>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: EEkid@xxxxxxx
Date: May 31, 2005 9:55:00 PM EDT
To: dave@xxxxxxxxxx
Subject: Diebold Optical Scan Voting System Hacked (3 Ways)


Diebold Optical Scan Voting System Hacked (3 Ways)
Tuesday, 31 May 2005, 1:10 pm
Article: www.blackboxvoting.org
Diebold Optical Scan Voting System Hacked (3 Ways) - BBV Exclusive

http://www.blackboxvoting.org/ - Source URL

Tallahassee, FL: "Are we having fun yet?"

This is the message that appeared in the window of a county opticalscan machine, startling Leon County Information Systems OfficerThomas James. Visibly shaken, he immediately turned the machine off.

Diebold's opti-scan (paper ballot) voting system uses a curiousmemory card design, offering penetration by a lone programmer suchthat standard canvassing procedures cannot detect election manipulation.

The Diebold optical scan system was used in about 800 jurisdictionsin 2004. Among them were several hotbeds of controversy: VolusiaCounty (FL); King County (WA); and the New Hampshire primaryelection, where machine results differed markedly from hand-countedlocalities.


New regs: Counting paper ballots forbidden

Most states prohibit elections officials from checking on opticalscan tallies by examining the paper ballots. In Washington, Secretaryof State Sam Reed declared such spontaneous checkups to be"unauthorized recounts" and prohibited them altogether. New Floridaregulations will forbid counting paper ballots, even in recounts,except in highly unusual circumstances. Without paper ballot hand-counts, the hacks demonstrated below show that optical-scan electionscan be destroyed in seconds.


A little man living in every ballot box

The Diebold optical scan system uses a dangerous programmingmethodology, with an executable program living inside the electronicballot box. This method is the equivalent of having a little manliving in the ballot box, holding an eraser and a pencil. With anexecutable program in the memory card, no Diebold opti-scan ballotbox can be considered "empty" at the start of the election.

The Black Box Voting team proved that the Diebold optical scanprogram, housed on a chip inside the voting machine, places a call toa program living in the removable memory card during the election.The demonstration also showed that the executable program on thememory card (ballot box) can easily be changed, and that checks andbalances, required by FEC standards to catch unauthorized changes,were not implemented by Diebold -- yet the system was certified anyway.

The Diebold system in Leon County, Florida succumbed to multipleattacks.


Ion Sancho: Truth and Excellence in Elections

Leon County Elections Supervisor Ion Sancho and Information SystemsOfficer Thomas James had already implemented security procedures inLeon County far exceeding the norm in elections management. Thistesting, done by a team of researchers including Black Box Voting,independent filmmakers, security expert Dr. Herbert Thompson, andspecial consultant Harri Hursti, was authorized by Mr. Sancho, in anunusual act of openness and courage, to identify any remaining holesin Leon County's election security.

The results of the memory card hack demonstration will assistelections supervisors throughout the U.S., by emphasizing thecritical importance of accounting for each and every memory card andprotecting access.


Findings:

Computer expert Harri Hursti gained control over Leon County memorycards, which handle the vote-reporting from the precincts. Dr.Herbert Thompson, a security expert, took control of the Leon Countycentral tabulator by implanting a trojan horse-like script.

Two programmers can become a lone programmer, says Hursti, who hasfigured out a way to control the entire central tabulator by way of asingle memory card swap, and also how to make tampered polling placetapes match tampered central tabulator results. This more complexapproach is untested, but based on testing performed May 26, Hurstisays he has absolutely no reason to believe it wouldn't work.

Three memory card tests demonstrated successful manipulation ofelection results, and showed that 1990 and 2002 FEC-requiredsafeguards are being violated in the Diebold version 1.94 opti-scansystem.


Three memory card hacks

1. An altered memory card (electronic ballot box) was substituted fora real one. The optical scan machine performed seamlessly, issuing areport that looked like the real thing. No checksum captured thechange in the executable program Diebold designed into the memory card.

2. A second altered memory card was demonstrated, using a programthat was shorter than the original. It still worked, showing thatthere is also no check for the number of bytes in the program.

3. A third altered memory card was demonstrated with the votesthemselves changed, showing that the data block (votes) can bealtered without triggering any error message.


How to "Roll over the odometer" in Diebold optical scan machines

Integer overflow checks do not seem to exist in this system, makingit possible to stuff the ballot box without triggering any errormessage. This would be like pre-loading minus 100 votes for Tom andplus 100 votes for Rick (-100+100=ZERO) -- changing the candidatetotals without changing the overall number of votes.

A more precise comparison would be this: The odometer on a car rollsover to zero after 999,999. In the Diebold system tested, therollover to zero happens at 65,536 votes. By pre-loading 65,511 votesfor a candidate, after 25 real votes appear (65,511 plus 25 = 65,536)the report "rolls over" so that the candidate's total is ZERO.

This manipulation can be balanced out by preloading votes forcandidate "A" at 65,511 and candidate "B" at 25 votes -- producing anarticifial 50-vote spread between the candidates, which will not beobvious after the first 25 votes for candidate "A" roll over to zero.The "negative 25" votes from the odometer rollover counterbalance the"plus 25" votes for the other candidates, making the total number ofvotes cast at the end of the day exactly equal to the number of voters.

While testing the hack on the Leon County optical scan machine,Hursti was stunned to find that pre-stuffing the ballot box to "rollover the odometer" produced no error message whatsoever.*

*We did not have the opportunity to scan ballots after stuffing theballot box. Therefore, the rollover to zero was not tested in LeonCounty. This integer overflow capability is discernable in theprogram itself. We did have the opportunity to test a pre-stuffedballot box, which showed that pre-loaded ballot boxes do not triggerany error message.


Simple tweaks to pass L&A test and survive zero tape

Though the additional tweaks were not demonstrated at the Leon Countyelections office, Hursti believes that the integer overflow hack canbe covered up on the "zero tape" produced at the beginning of theelection. The programming to cover up manipulations during the "logic& accuracy test" is even simpler, since the program allows you tospecify on which reports (and, if you like, date and time of day) themanipulation will affect.

The testing demonstrated, using the actual voting system used in areal elections office, that Diebold programmers developed a systemthat sacrifices security in favor of dangerously flexibleprogramming, violating FEC standards and calling the actions of ITAtesting labs and certifiers into question.

In the case of Leon County, inside access was used to achieve thehacks, but there are numerous ways to introduce the hacks withoutinside access. Outside access methods will be described in thetechnical report to be released in mid-June.


Security concerns

Putting an executable program into removable memory card "ballotboxes" -- and then programming the opti-scan chip to call and invokewhatever program is in the live ballot box during the middle of anelection -- is a mind-boggling design from a security standpoint.Combining this idiotic design with a program that doesn't even checkto see whether someone has tampered with it constitutes negligenceand should result in a product recall.

Counties that purchased the Diebold 1.94 optical scan machines shouldnot pay for any upgraded program; instead, Diebold should be requiredto recall the faulty program and correct the problem at its own expense.

None of the attacks left any telltale marks, rendering all audits andlogs useless, except for hand-counting all the paper ballots.


Is it real? Or is it Memorex?

For example, Election Supervisor Ion Sancho was unable to tell, atfirst, whether the poll tape printed with manipulated results was thereal thing. Only the message at the end of the tape, which read "Isthis real? Or is it Memorex?" identified the tape as a tamperedversion of results.

In another test, Congresswoman Corrine Brown (FL-Dem) was shocked tosee the impact of a trojan implanted by Dr. Herbert Thompson. Sheasked if the program could be manipulated in such a way as to flipevery fifth vote.


"No problem," Dr. Thompson replied.

"It IS a problem. It's a PROBLEM!" exclaimed Brown, whose districtincludes the troubled Volusia County, along with Duval County -- bothcurrently using the Diebold opti-scan system.

This system is also used in Congressman John Conyers' home district,in contentious King County, Washington, and in Lucas County, Ohio(where six election officials resigned or were suspended after manyirregularities were found.)

Diebold optical scans were used in San Diego for its ill-fatedmayoral election in Nov. 2004.


- - - - - - - - - - -

Optical scan systems have paper ballots, but election officials arecrippled in their ability to hand count these ballots due torestrictive state regulations and budget limitations.

The canvassing (audit) procedure used to certify results from opticalscan systems involves comparing the "poll tapes" (cash register-likeresults receipts) with the printout from the central tabulator. Thesetests demonstrate that both results can be manipulated easily andquickly.


Minimum requirements to perform this hack:

1. A single specimen memory card from any county using the Diebold1.94 optical scan series. (These cards were seen scattered on tablesin King County, piled in baskets accessible to the public in Georgia,and jumbled on desktops in Volusia county.)

2. A copy of the compiler for the AccuBasic program. (These compilershave been fairly widely distributed by Diebold and its predecessorcompany, and there are workarounds if no compiler is available.)

3. Modest working language of any one of the higher level computerlanguages (Pascal, C, Cobol, Basic, Fortran...) along withintroductory-level knowledge of assembler or machine language.(Machine language knowledge needed is less than an advancedrefrigerator or TV repairmen needs. The optical scan system is muchsimpler than modern appliances).

The existence of the executable program in the memory card wasdiscernable from a review of the Diebold memos. The test hacks tookjust a few hours for Black Box Voting consultants to develop.

Nearly 800 jurisdictions conducted a presidential election on thissystem. This system is so profoundly hackable that an advanced-levelTV repairman can manipulate votes on it.

Black Box Voting asked Dr. Thompson and Hursti to examine the centraltabulator and the optical scan system after becoming concerned thatnot enough attention had been paid to optical scans, tabulators andremote access.

Thompson and Hursti each found the vulnerabilities for theirrespective hacks in less than 24 hours.


"Open for Business"

When it comes to this optical-scan system, as Hursti says, "It's notthat they left the door open. There is no door. This system is 'openfor business.'"

The question now is: How brisk has business been? Based on this newevidence, it is time to sequester and examine the memory cards usedwith Diebold optical scans in Nov. 2004.

The popularity of tamper-friendly machines that are "open forbusiness" in heavily Democratic areas may explain the lethargy withwhich Democratic leaders have been approaching voting machinesecurity concerns.

The enthusiasm with which Republicans have endorsed machines with nopaper ballots at all indicates that neither party really wants tohave intact auditing of elections.

The ease with which a system -- which clearly violates dozens of FECstandards going back to 1990 -- was certified calls into question thehonesty, competence, and personal financial transactions of bothtesting labs and NASED certifiers.


Revamp and update hand-counted paper ballot technology?

Perhaps it is time to revisit the idea of hand-counted paper ballots,printed by machines for legibility, with color-coded choices forquick, easy, accurate sorting and counting. We should also takeanother look at bringing counting teams in when the polls close, torelieve tired poll workers.


http://www.scoop.co.nz/stories/HL0505/S00381.htm

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] America's DNA
Next by Date: [IP] more on FROM Intel REPLY Intel quietly embeds DRM in it's 945 chips firmware
Previous by thread: [IP] America's DNA
Next by thread: [IP] Can You Trust Your Spyware Protection?
Index(es):
- Date
- Thread