Diebold voting systems critically flawed

'It is like the nuclear bomb for e-voting systems'


Michael Shamos remembers that the call came late at night, during the last week of April.

The call - from election watchdog BlackBoxVoting.org - described a critical vulnerability in Diebold Election Systems' touchscreen voting systems that could allow any person with access to a voting terminal the ability to completely change the system code or ballot file on the system. As a professor of computer science at Carnegie Mellon University and adviser to the Commonwealth of Pennsylvania on electronic voting, Shamos realized that, at the very least, a workaround for the flaw needed to be in place by Pennsylvania's next election - at the time, less than three weeks away.

"This one is so bad, that we can't do just nothing," Shamos told the state's election officials at the time. "Any losing candidate could challenge the election by saying, 'How do I know that the software on the machine is the software certified by the state?'"

Late Thursday, BlackBoxVoting published a redacted version of a paper describing the design flaw in Diebold AccuVote TSX and TS6 touchscreen election systems. Because of the seriousness of the flaw, the full report detailing the issue has only been distributed to a limited group of computer scientists, state and federal election officials, and security groups.

"We have elections every single week this month, and there is no way to do meaningful remediation at this point," said Bev Harris, founder of BlackBoxVoting.

Three states have already issued alerts on the flaws to election officials. The Pennsylvania Department of State told county clerks to reinstall the software on election devices and then lock them up in a secure location until the May 16 general primary.

"The Department of State will furnish the authorized software to the counties on a PCMCIA card along with instructions for its installation," a copy of the memo seen by SecurityFocus stated.

Both Iowa and California have also issued alerts, according to the Associated Press.

The incident represents the most major failure of the federal process to create secure election technology to date. While researchers and civil rights groups have voiced strong criticism of electronic voting technology - and in particular the systems' security - the national elections held in November 2004 saw only small problems that would likely not have impacted the outcome of the election.

However, trust remains a significant issue. Voting machine makers and the certification labs that have tested election systems have been secretive about the technology. And, while older machines and the method for counting votes tallied by the older technology were easily understood by the average voter, electronic voting systems have become more impenetrable and have not undergone significant and public testing, according to computer scientists that have called for more rigorous security testing.

Diebold has had a more turbulent relationship with states and security experts over e-voting. The company's CEO stepped down in December, a day before a law firm filed a shareholder suit against the company, claiming - among other issues - that the company misled investors about the state of its e-voting technology. The U.S. Securities and Exchange Commission announced this week that it has opened an inquiry into how Diebold reports revenue, following the company's admission in SEC filings that its election business overstated revenue and understated deferred revenue.

A representative of Diebold Election Systems could not immediately be reached for comment on the SEC inquiry or the design flaw, but Pennsylvania's memo to election officials stated that the company had confirmed the vulnerability and acknowledged that the issue could be used to load malicious software on an election system.

"The probability for exploiting this vulnerability to install unauthorized software that could affect an election is considered low," the memo to election officials stated. "To exploit this risk, physical access is required to the Personal Computer Memory Card International Association (PCMCIA) slots on the machine during system startup."

Other computer scientists do not believe the threat to be theoretical.

"It is like the nuclear bomb for e-voting systems," said Avi Rubin, computer science professor at Johns Hopkins University. "It's the deal breaker. It really makes the security flaws that we found (in prior years) look trivial."


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021