Voting Machine Attacks Proven To Be Practical 225
An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT."
Why doesn't Public Key crypto figure in to this? (Score:5, Interesting)
Here's what I'm trying to understand.
We have this great thing called Public Key Crypto and the PKI to go along with it.
If you presume a custom processor that will only execute code signed by an election commission, that would be a first step - the system won't run anything that hasn't been specifically approved for installation on the machine. There would be no more "last minute fixes" as we've seen in the past, where code was installed without being vetted by an election authority.
For that matter, require the software developers to store their code on a state or federal election repository, and only sign code that's been compiled on those systems, from that repository. Require that anyone who makes changes sign them with their private key and state the reason for the change.
For the results, take each ballot, strip off the identifying information, and encrypt it to the election commission, and sign it with a pre-deployed per-machine private key that's known. It would of course also be important to have a reliable time source for the device, to include that in the result file.
I would even envision that this would be a good purpose for a federal election agency - hosting the code for all certified voting systems, and being the "root of trust" that signs certificates for the state election commissions, which can then sign local and county commissions, which can then issue keys to individual election machines.
Some patches to an open-source OS, say Linux, a PKI infrastructure (along with some HSM modules to store keys) and a processor with an integrated crypto engine and TPM module would take care of all of this.
Banks do this kind of stuff all the time - what's so hard about it?
Re:Still not fair. (Score:2, Interesting)
The fact that we had one election "stolen" by the R's in 2004 (so say the D's), and the fact that we had the next election "stolen" by the D's in 2008 (so say the R's), should be proof, at least, that there is no ultimate ability to steal on either groups part - otherwise, once you have power, why ever let the other side win?
It would also imply the following:
If we have an illegitimate vote in 2004, then it is nonsensical for "them" to not have taken advantage of their power in 2006 and 2008. If that is true, then the belief that Diebold or some other group hacking the results is unfounded.
BTW - "a few minutes of access" is a bit of a misnomer. It's one thing for James Bond to break into a secure area and do some pinpoint damage, but breaking in and influencing millions of machines across America is unrealistic. I have been a poll worker, and there are few opportunities to hack the machines as would be needed. The system I used did an electronic read of paper ballots. While this could have been hacked, it would be unlikely to stand up to the manual count we did at the end of the day to cross-tabulate against the electronic count. If I'm not mistaken, this already had the benefits of speed and tamper-prevention requested by an earlier poster.
Re:Not a Bug (Score:4, Interesting)
It makes me wonder what you're hiding.
I have no incentive to hide anything as I'm not an employee of the Elections Board nor an office holder with a stake in the system. I became a poll worker because of the controversy surrounding this issue. I wanted to see for myself how the system worked. I came to it as a skeptic and after learning the procedures and seeing them in action have been convinced that the system is as secure as it can be expected to be.
How often has that happened in the history of American elections?
That is exactly the kind of dramatic detail that puts my fraud-detector on alert. "Look, it's so secure that it's even secure against problems you don't have!" Typical distraction.
So now you are complaining that the system is protected against disasters just because they rarely happen? Would you be happier with a system that left less of a paper trail?
As it happens, if you google "ballots lost in fire" you get a bunch of hits on the first page about fraud and failure related to electronic voting machines.
As I said, my experience is limited to the State of New York. In NYS we don't use direct electronic recording machines. You fill out a paper ballot that is then tabulated by an optical scanner. In the event of a disputed election the paper ballot is still around and any idiot can count it with the Mark I human eyeball.
The only part of our voting process that is "electronic" is the so-called "ballot marking device" that handicapped voters use. This is a machine that prints a paper ballot for those voters who are unable to write and have to rely on another interface (audio, sip and puff, foot pedals, etc.) The printed paper ballot is in the same format as the one that you would fill out as a non-handicapped voter and can be read by any human being.
Given the complete lack of transparency at all levels of any electronic voting system I am extremely suspicious of all of them
Evidently that's not all you are suspicious of, since you seem to think that I'm trying to hide something :)
Re:Things like this will never change (Score:4, Interesting)
Yup. That's a good start.
I'd also love to see some kind of basic voter assessment to substantiate the vote as well. We all have a right to vote, but if yopur vote is based on fallicy or a complete lack of knowledge, you should not be allowed to register that vote.
My grandfather is a prime example of this. He's voted republican his entire life, nearly 70 years of going to the polls. I pointed out to him just before Obama's election that he couldn't, other than Right to Life and anti gun restriction, name a single Republican platform stance. Then i further asked him what his personal beliefs were on the top 25 debated items between the 2 parties. Of the 25 things, he chose the side the DEMOCRATS voiced support for. he didn't believe me, so i showed him the republican national website, and ran down the list (which took a while, it's not well organized). He voted straight democratic ticket. You see, the current Democratic platform is actually closer to what the Republicans had for a platform 50-60 years ago. He started voting replublican as a youth and then allways did, not paying ANY attention to the actual politics at stake. He figured about half his retired friends were doing the same thing...
If you can't name the candidate you're voting for, and at least 1 major platform stance out any 1 issue that candidate supports out of that candidates top 10 supported initiatives, you are not informed enough to effect MY future by registering your invalid votes. If you want to vote straight ticket, that's fine, name 3 platform stances of your party instead. If you can do that, you can vote, if not, either stay home, or only vote for the candidates you know something about. If uninformed people continue to vote, we'll need to bring voter certification back into play... (yes, I know it was used to discriminate in the past, but it would be VERY easy to ensure that did not happen in the future).
Re: You're too generous (Score:4, Interesting)
First, 99.99% of the EJs are good people, but there are also bad seeds. You must guard against the EJ's as much as the voter. We had an EJ voting every day of early voting, until the Alternate Judge discovered what he was doing and reported him to us. We reported him to the County Commissioners and County Prosecutor who declined to prosecute the person for whatever (probably politically motivated) reason.
With paper ballots, the fraud would be easier to spot statistically. But any EJ that could figure out how to upload a virus to their voting machine, and get it onto the tabulating machine, could possibly edit results in a way that would make it very hard to discover.
Second, an attacker could possibly find a way to defeat a tamper seal, or could break into the storage facility of the voting machines before election day, or I am sure there are a multitude of other attacks where someone could have a short time of unsupervised access to the voting machine that wouldn't be detected by tamper proof seals.
Re:Not a Bug (Score:2, Interesting)
If you think it's impossible to get a few private minutes with one of these voting machines you are crazy. I am not sure how you have been an election worker and still managed to come to that conclusion. In fact, you can easily get a few private HOURS with them. Ed Felten (one of the writers of this paper) annually takes photos of himself with unattended voting machines the night before Election Day.
http://www.freedom-to-tinker.com/blog/felten/unattended-voting-machines-usual [freedom-to-tinker.com]
Re:Not a Bug (Score:2, Interesting)
The only problem with this is that you aren't going to get a few "private minutes" with the machine
I am a student at Princeton and last term I took Ed Felton's class on Security. (Ed Felton being one of the authors). This was one of the issues which he talked about. I can't speak for the State of New York, but in New Jersey the voting machines are often stored at the voting sites over night. These voting sites are more often than not, unsecured places such as Churches or Schools. Prof. Felton, on the night before an election, went to all of the election sights. A distrubing number of electronic voting machines were stored in hallways or behind unlocked doors. He has an entire slide show of pictures which he took of these machines the night before an election. Had he any malicious intentions, he could have easily tampered with the machines. I'm sure that most of the election officials are very trust worthy. It is not them who concerns me. It is the fact that anyone can simply walk into a church basement and have access to all of the voting machines for that district.
Re: You're too generous (Score:3, Interesting)
First, 99.99% of the EJs are good people, but there are also bad seeds. You must guard against the EJ's as much as the voter.
Indeed you must. In my state there are four of us, representing at least two different political parties. It seems unlikely to me that you could get four randomly assigned people from different political parties to all agree to rig an election.
We had an EJ voting every day of early voting, until the Alternate Judge discovered what he was doing and reported him to us.
Sounds like the system worked if he got caught. My only question would be why did it take so long? Our machines have always kept a running count of the votes cast that day that must match up with the number of people we've signed in. There are two different people who handle the signing in process (one who handles the poll book and the other who keeps a running handwritten list of the people who have voted thus far) so it wouldn't be easy to do a fake sign in to keep the numbers matching. If you tried this at my polling place I would know about it pretty quickly as I always make a point of checking the running total throughout the day.
We reported him to the County Commissioners and County Prosecutor who declined to prosecute the person for whatever (probably politically motivated) reason.
Well, that's bullshit right there. As far as I'm concerned messing with the electoral process should be regarded as a felony and punished accordingly.
But any EJ that could figure out how to upload a virus to their voting machine, and get it onto the tabulating machine, could possibly edit results in a way that would make it very hard to discover.
They could, but the machines are randomly audited and you have no way of knowing if yours is going to be one of them or not. I don't know what else you can do to protect the system at this point. You could audit every single machine but that would require manpower and resources that most Election Boards just don't have.
Second, an attacker could possibly find a way to defeat a tamper seal, or could break into the storage facility of the voting machines before election day, or I am sure there are a multitude of other attacks where someone could have a short time of unsupervised access to the voting machine that wouldn't be detected by tamper proof seals.
You've got an awful lot of "coulds" there. People could do any number of things. All you can do is make the system as secure as possible. At least with regards to New York State I haven't seen any glaring holes in the security of our electoral process or anything that I would do differently if I was in charge of the whole show.
Re:Still misses an important point (Score:2, Interesting)
It's not like you can hack 1 million votes into one computer and escape undetected.
You don't have to make one voting computer return 1 million votes for your candidate. All you have to do is hack the election software used in 30% of the polling places to give a 5% lead to your candidate. That will give you well over the 1 million votes you want (in the US) and leave no physical proof.
The only way to detect such fraud would be through statistical analysis, trying to correlate results with voting computer model while eliminating the noise caused by the comparatively huge variations from county to county. But even if you get somewhere you would most likely be ignored just like the exit poll discrepancies in 2000.