About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Industry Watch

Smashing a Diebold for Fun and Profit

Ed Felten's Princeton team do it again.


Ten seconds to pick the lock; less than one minute realtime to infect the machine itself - and after that every machine it comes into contact with will be infected as well. Customised election results at an attractive price.

Ariel Feldman, Alex Halderman, and Ed Felton of Princeton University, in possession of a Diebold voting machine, have shown how easy it is.

The Diebold AccuVote-TS Voting Machine is the subject of a study published by Feldman, Halderman, and Felten. The AccuVote-TS and its newer relative the AccuVote-TSx are together the most widely deployed electronic voting platform in the United States. In the 7 November 2006 general election these machines are scheduled to be used in 357 counties representing nearly 10% of registered voters. Approximately half these counties - including all of Maryland and Georgia - will employ the AccuVote-TS. More than 33,000 Diebold AccuVote machines are in service.

Following up on an earlier study from July 2006, the Princeton team confirmed the previously disclosed weaknesses and also found new serious vulnerabilities and constructed proof of concept demonstrations of real world attacks.

Main Findings

  • Malicious software running on a Diebold voting machine can modify election results with little if any risk of detection. It can modify all records, audit logs, and counters kept by the voting machine so that even careful forensic examination of the records finds nothing amiss. The software is also capable of deleting itself prior to election close so that no vestiges of its presence remain.
  • Anyone with physical access to a voting machine or to a memory card that can be inserted into a machine can install the software using a simple method that takes but one minute.
  • The machines are susceptible to propagating worms.
  • Some of the design flaws are in the machine hardware itself.
  • Perhaps the greatest flaw is the reliance on Microsoft Windows.
  • The machines are susceptible to coordinated denial of service attacks.
  • The Diebold software shows no evidence of sophisticated security thinking.

Conclusions

As the Diebold voting machines rely on nothing better than Microsoft Windows, they suffer from the same security issues - bugs, crashes, hangs, hacks, and data tampering. As Microsoft have never succeeded in improving their system, it is doubtful Diebold can improve theirs.

Although earlier types of voting machines have also proven susceptible to fraud, Diebold machines are singularly susceptible to fraud on a much more comprehensive scale.

Diebold have a history of dismissing claims later corroborated many times over.

Diebold cannot plausibly implement the necessary security fixes in time for the elections on 7 November 2006.

See Also
Good Night and Good Luck
YouTube: Felten on Fox News
YouTube: HBO's Hacking Democracy
YouTube: Steal an election in one minute

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.