A team of computer scientists tasked with examining the source code of voting machines used in California (and elsewhere across the country) finally released their much-anticipated report on Thursday, and it contains significant information that could lead the secretary of state to decertify the machines on Friday (the last day by which Secretary of State Debra Bowen can make decisions that affect voting machines that will be used in 2008).

The team, led by UC Berkeley computer scientist David Wagner, conducted the most thorough security examination of e-voting machines that has been done to date and examined both touch-screen and optical-scan systems (a separate Red Team conducted hacking tests on the machines and released their report last week).

Wagner's source code team found that the Diebold system still had many of the most serious security flaws that computer scientists had uncovered in the system years ago, despite Diebold's claims that the problems had been fixed. These include vulnerabilities that would allow an attacker to install malicious software to record votes incorrectly or miscount them, or that would allow an attacker with access to only one machine and its memory card to launch a vote-stealing virus that could spread to every machine in a county.

They also found that the Diebold system lacked administrative safeguards to prevent county election workers from escalating their privileges on the election management software that counts the votes. Essentially, the researchers found that the Diebold software was so "fragile" that it would require an entire re-engineering of the system to make it secure. From the Diebold report (PDF):

Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit “weakness-in-depth” — even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.

Here's just a sample of what the researchers found in the Diebold system:

- Data on the memory cards for the optical-scan machines is unauthenticated
- The connection between the voting machines and the server that contains the vote-counting software is unauthenticated
- The memory card checksums do not adequately detect malicious tampering
- The audit log does not adequately detect malicious tampering
- The memory card “signature” does not adequately detect malicious tampering
- Buffer overflows in unchecked string operations allow arbitrary code execution
- Integer overflows in the vote counters are unchecked
- Votes can be swapped or neutralized by modifying the defined candidate voting coordinates stored on the memory card
- Multiple vulnerabilities in the AccuBasic interpreter allow arbitrary code execution
- A malicious AccuBasic script can be used to hide attacks against the optical-scan machine and defeat the integrity of zero and summary tapes printed on the optical-scan machine
- The touch-screen machine automatically installs bootloader and operating system updates from the memory card without verifying the authenticity of the updates
- The touch-screen machine automatically installs application updates from the memory card without verifying the authenticity of the updates
- Multiple buffer overflows in .ins file handling allow arbitrary code execution on startup

The list goes on. The researchers also describe an interesting scenario for hacking the voter-verified paper audit trail that gets printed out from touch-screen machines (see p. 15 of the report).
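Two of the findings above, that the memory card checksums do not detect malicious tampering and that the vote counters are not checked for integer overflow, come down to the difference between an error-detecting checksum and a keyed authentication tag, and between a wrapping and a bounded counter. The following is an added illustration, not code from the report or from any vendor: the record layout, values and key are constructed for the example, and the additive checksum stands in for an unkeyed integrity check in general.

```python
import hmac
import hashlib
import struct

# Constructed record: four 16-bit vote counters as they might sit on a memory
# card. The layout is invented for illustration and is not any vendor's format.
def pack_counters(counts):
    return struct.pack("<4H", *counts)

def additive_checksum(data):
    # 16-bit additive checksum: catches accidental corruption, nothing more.
    return sum(data) & 0xFFFF

def checksum_verifies(data, stored):
    return additive_checksum(data) == stored

def mac_tag(key, data):
    # Keyed HMAC-SHA256 over the record: cannot be recomputed without the key.
    return hmac.new(key, data, hashlib.sha256).digest()

def mac_verifies(key, data, tag):
    return hmac.compare_digest(mac_tag(key, data), tag)

def increment_counter(value, bits=16):
    # Bounded increment: a fixed-width counter incremented without this check
    # would silently wrap to zero at its maximum.
    if value >= (1 << bits) - 1:
        raise OverflowError("vote counter would wrap")
    return value + 1

def tamper_detection_demo(key=b"constructed-demo-key"):
    original = pack_counters([120, 95, 40, 0])
    stored_checksum = additive_checksum(original)
    stored_tag = mac_tag(key, original)

    # The same record with the first two counters swapped. Byte order does not
    # affect an additive sum, so the stored checksum still matches; the HMAC
    # over the changed bytes does not.
    altered = pack_counters([95, 120, 40, 0])

    return {
        "checksum_accepts_altered": checksum_verifies(altered, stored_checksum),
        "mac_accepts_altered": mac_verifies(key, altered, stored_tag),
        "mac_accepts_original": mac_verifies(key, original, stored_tag),
    }
```

The unkeyed checksum verifies the altered record as valid, while the keyed tag rejects it; a verifier that has no key material to check against cannot distinguish an honest record from a rewritten one.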

The researchers found that although some vulnerabilities could be mitigated by making changes to election procedures, poll workers and election officials likely wouldn't be able to implement them adequately (see this story on last year's primary in Cuyahoga County, Ohio, to see why relying on poll workers and election officials to make voting systems secure can be problematic).

Two other systems (Sequoia and Hart InterCivic) were also examined, with similar results. Regarding the Sequoia system, the researchers write that "virtually every important software security mechanism is vulnerable to circumvention." You can see the Sequoia report here and the Hart InterCivic report here.