Researchers Crack Every Certified CA Voting Machine

ewhac writes "The San Francisco Chronicle is reporting that computer security researchers throughout the University of California system managed to crack the security on every voting machine they tested that has been approved for use in the state. The researchers are unwilling to say how vulnerable the machines are, as the tests were conducted in an environment highly advantageous to the testers. They had complete access to the devices' source code and unlimited time to try and crack the machines. No malicious code was found in any of the machines, but Matt Bishop, who led the team from UC Davis, was surprised by the weakness of the security measures employed. The tests were ordered by Secretary of State Debra Bowen, who has until Friday of next week to decide whether to decertify any of the machines for use in the upcoming Presidential primary election."

Link to SOS Site

[jellie]

I'm surprised there's no link to Secretary of State Debra Bowen's site that includes all the analyses, CVs/resumes, and all other documentation regarding the top-to-bottom review:
http://www.sos.ca.gov/elections/elections_vsr.htm [ca.gov]

The overview by Matt Bishop is actually quite an interesting read. In it, he says that they could have found more problems with the three systems, but they were limited by time:

The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a "lower bound"; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities.

In addition, he also cites the lack of proper information from the vendors as another problem.

It should also be noted that a fourth vendor, Election Systems and Software (ES&S) missed the deadline for submitting their systems for the review. I'll be cynical and just assume that they decided to skip the initial review than to have a bunch of computer researchers hack their systems.

Move your ass guys

[rbarreira]

Hey, do something for your country and humanity, send letters to your representatives or whatever you can do to stop this electronic voting madness. Posting on slashdot won't do much.

Paper ballots are even MORE insecure...

[hummassa]

Paper ballots are falsifiable. You can easily stuff/switch paper ballots. The security in an election process, electronic or otherwise, is in the process itself. If the machines are tested, and their state is always checked by parties' officials before the election begins, they are as safe as paper ballots that are sealed by said parties' officials -- with the advantage that you know the results quicker, with less opportunity to magic tricks. Of course it helps having more than one (or two) parties. Oh, and it also helps if you have a single data interchange standard for the whole country.
I have a post from three years ago (#8944789 [slashdot.org]) detailing how stuff works here in Brasil, for your entertainment:

Oh, yes, I will repeat myself over and over...
by hummassa (157160) on 2004.04.22 20:06 (#8944789)

Till these topics die.

I live in Brasil. We have had voting machines in the last 12-14 years (yes, twelve to fourteen -- it depends the size of the city you are in). Brazilians here: the first election here in Belo Horizonte to use the machines were the mayoral (and city council, state representation, governor, house and senate) before FHC was elected (as I count it, 2 years + 8 years + 1 1/2 = 11,5 years). I know it, because I was "mesário" (election "table" official? election "clerk"? what is a good English translation?) in the previous election, and in the two subsequent elections. IIRC, there were electronic ballot boxes in Rio and Sao Paulo in the election before that (the only two cities larger than Belo Horizonte).

Our voting machines are mainly of three different (internally) models: (a) the old ones, that use VirtuOS (*) as the OS, (b) the new ones, that use WinCE as the OS, and (c) the newest and deprecated ones that have the second printer to print your vote, show it to you inside a clear acrilic case, and mix it with others inside the machine.

Externally, all of them look roughly the same: a box similar to the old "portable computers" of the eighties, with a 5-6" diagonal LCD and a big numerical keypad in the right side of the screen, that has, besides the 0-9 keys, "confirma" (ok), "erro" (cancel), and "branco" (white).

The electoral process (from the point of view of the voter) begins ... when you get your first job. If you are a mandatory voter (literate person from 18 to 65) you have to go to Electoral Court and register to vote. In the process of registering, you receive the "Título de Eleitor" (voter id), in which you have the number of you voting section. To change jobs, and specially to get a government job, you have to prove you are a registered and regularized voter (you voted in the last election, or regularized your voting situation after it).

In the election day, you scan the newspapers (or the Superior Electoral Court website), search for the address of your section, and go there. No, there is no transit vote, you can only vote at that address. If you can't get there, you'll have to "justify" your absence.

At the section, you will present your voter id to one the "mesários", and if you don't have it on you, you can still vote (you can show other valid id), but will be delayed. The mesário will search for your name in the vote-ticket sheet, and annex it to your id while you vote. You will sign a receipt in a sheet, and proceed to the voting "booth". Another "mesário" will type your voter id # in a remotely connected keypad, setting the machine in the "ready to vote" mode.

The voting "booth" is really only a desk with the voting machine over it, facing nobody else in the room, and sometimes with a cardboard "cover" around it. You will "dial" the numbers of the candidates, in order. when you dial all the digits of one candidate, a star-trek-like chime rings, his/her face will show up in the screen, and if you digited it right, you hit "ok". otherwise, you hit "cancel" and start over. Afte

Re:And the problem with paper was?

[tjkslashdot]

And please, can we quit calling them "computer security researchers"?

Well, Matt Bishop [ucdavis.edu] is actually a "computer security researcher" with a PhD, papers, and books to prove it. And the first sentence of the friendly article actually did use your coveted term.

Re:How did the election Official get his job?

[martyb]

From the article:-

Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines "is like giving a burglar the keys to your house,'' said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials.

This is simply not true! The analogue in the real world of locks and keys is that you have given a burgler the design blueprints of the lock. NOT the code combination or the key lever settimgs. The demonstrated ignorance of the said Steve Weir about secure computing begs the question "How did he get appointed to his positions?"

This is directly responded to in the Overview of Red Team Reports [ca.gov] in section 3.1 (page 5): (NB: emphasis added.)

Finally, no security should ever rely solely on secrecy of defensive mechanisms and countermeasures. [2] While not publishing details of security mechanisms is perfectly acceptable as one security mechanism, it is perhaps the one most easily breached, especially in this age of widespread information dissemination. Worse, it provides a false sense of security. Dumpster diving, corporate espionage, outright bribery, and other techniques can discover secrets that companies and organizations wish to keep hidden; indeed, in many cases, organizations are unaware of their own leaking of information. A perhaps classic example occurred when lawyers for the DVD Copyright Control Association sued to prevent the release of code that would decipher any DVD movie file. They filed a declaration containing the source code of the algorithm. One day later, they asked the court to seal the declaration from public view--but the declaration had been posted to several Internet web sites, including one that had over 21,000 downloads of the declaration! [9] More recently, Fox News reported that information posing "a direct threat to U.S. troops ... was posted carelessly to file servers by government agencies and contractors, accessible to anyone online" [8], and thefts of credit card numbers and identities are reported weekly and growing in number. Thus, the statement that attackers could not replicate what red team testers do, because the red team testers have access to information that other attackers would not have, profoundly underestimates the ability and the knowledge of attackers, and profoundly overestimates the infallibility of organizations and human nature.

[2] This is often called "security through obscurity".

Mod Parent Up

[mad.frog]

This is a valid comment, but is modded into oblivion for some reason...