diebold 06

Post on 05-Apr-2018

TRANSCRIPT

  • 8/2/2019 Diebold 06

    1/28

    17-803/17-400 Electronic Voting, Fall 2004. Copyright 2004 Michael I. Shamos

    17-803/17-400 Electronic Voting

    Session 6: The Diebold Reports

    Michael I. Shamos, Ph.D., J.D.

    Institute for Software Research International

    Carnegie Mellon University

  • 2/28

    Outline

    Rubin (Johns Hopkins) Report

    SAIC Report

    RABA Report

    Schade v. Maryland State Board of Elections

  • 3/28

    DIEBOLD DEMO

    The Diebold System

    AccuVote-TS

    75,000 in US

    Used statewide in GA, MD

    Global Election Management System (GEMS)

    1,000 in US

    Audio feature

    http://www.diebold.com/dieboldes/OnLine_Demo/screen1.html
  • 4/28

    Diebold Audit Trail

    Maryland Election Code, 9-102. Certification of voting systems.

    (c) Standards for certification. The State Board may not certify a voting system unless the State Board determines that the voting system will:

    (vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount.

    Diebold audit trail is similar to the Hart Intercivic computer file that is printed after the polls are closed

  • 5/28

    Diebold System (Preparation)

    County prepares ballot definitions on GEMS system

    Transfers ballot definitions to voting machine on machine-readable media (or by FTP)

    Machines are distributed to polling places

  • 6/28

    Diebold System (Election Day)

    Officials verify a voter's eligibility to vote

    Voter receives a signed paper Voter Authority Card (VAC) (used for later verification of vote totals)

    Voter presents VAC to a different election official

    Voter receives a smartcard and is directed to a voting machine. Official puts the VAC in an envelope attached to the machine

    Voter inserts smartcard into machine to activate ballot

  • 7/28

    Diebold System Post-Election

    Polls are closed

    Vote totals printed out for each machine, signed by election judges

    Unofficial totals uploaded to county GEMS server by modem

    Memory cartridges sent to county canvassing board

    Statewide canvass lists all results from all polling places; can be verified by election judges

  • 8/28

    Rubin Report

    Voters can easily program their own smartcards

    With such homebrew cards, a voter can cast multiple ballots without leaving a trace

    FALSE

    Voter can perform administrative actions: viewing partial results, terminating the election

    No cryptography in vote reporting

    Even unsophisticated attackers can perform untraceable man-in-the-middle attacks

  • 9/28

    Rubin Report

    Code written in C++, not type-safe

    No evidence of disciplined software engineering

    No evidence of change-control procedures

    Buffer overflows

  • 10/28

    Rubin Report

    Voting terminal runs Windows CE; could expose system to attack

    Audio library fmod is used; can access voting program memory

    Ballot definitions in election.edb file

    Ending the election: enter administrator card + PIN

    PINs insecure in Diebold

    Protective counter implemented poorly (total stored in an unencrypted file)

    Tampering with ballot definitions

  • 11/28

    Rubin Report

    Impersonating a voting terminal during upload

    Hard-coded DES key

    Tampering with election results

    Weak cryptography

    Sequential vote storage file

    Linear congruential random number generator for serial numbers: generates a sequence X_{i+1} = (a·X_i + c) mod m given parameters a, c, m, X_0 (the seed)

    Audit log (not the ballot images) weakly encrypted
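    The serial-number finding above, as an added example that is not code from the slides, the Rubin report or Diebold. The recurrence is the one on the slide, X_{i+1} = (a·X_i + c) mod m; the parameters a, c, m, the seed and the ballot records are hypothetical (glibc-style constants chosen so the generator has full period). The slide also notes that the vote storage file is sequential, which leaks casting order directly; this shows that LCG serials add no protection even if the file were shuffled, because anyone holding the parameters and seed regenerates the whole stream, and one observed serial predicts the next.

```python
import random

# Hypothetical LCG parameters (not the AccuVote-TS values, which are not on the page).
A, C, M = 1103515245, 12345, 2**31


def lcg(seed, n):
    """Return the first n outputs X_1..X_n of X_{i+1} = (A*X_i + C) mod M from X_0 = seed."""
    x = seed
    out = []
    for _ in range(n):
        x = (A * x + C) % M
        out.append(x)
    return out


def record_ballots(seed, choices):
    """Model a terminal that tags each ballot with the next LCG output and stores it.

    The records are shuffled (deterministically, for the example) to model an
    on-disk layout that does not preserve casting order.  Constructed data.
    """
    serials = lcg(seed, len(choices))
    records = [{"serial": s, "choice": ch} for s, ch in zip(serials, choices)]
    random.Random(0).shuffle(records)
    return records


def recover_casting_order(records, seed):
    """Attacker who knows (A, C, M) and the seed regenerates the serial stream
    and sorts the stored records back into casting order.  Ballot i can then be
    matched against the i-th signature in the poll book, linking voter to vote."""
    by_serial = {r["serial"]: r for r in records}
    ordered = []
    x = seed
    while len(ordered) < len(records):
        x = (A * x + C) % M
        if x not in by_serial:
            raise ValueError("serial stream does not match records: wrong seed or parameters")
        ordered.append(by_serial[x])
    return [r["choice"] for r in ordered]


def next_serial(observed):
    """Without the seed, a single observed serial still predicts the next one."""
    return (A * observed + C) % M
```

    A cryptographically random serial (or none at all, with records stored in randomized order) is the fix; a generator whose next output is a fixed function of the previous one cannot protect ballot secrecy no matter how random the numbers look.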

  • 12/28

    Rubin Report Summary
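    Two of the Rubin findings above, no cryptography in vote reporting (slide 8) and a hard-coded DES key during upload (slide 11), as an added example that is not code from Diebold, Rubin, SAIC or RABA. It models an upload as a JSON report over the modem link and uses an HMAC in place of DES (a swapped-in primitive chosen for the demonstration, not what the AccuVote-TS used); the report fields, terminal IDs, keys and the attacker are all assumptions.

```python
import hashlib
import hmac
import json
import os


def make_report(terminal_id, totals):
    """Constructed wire format for a terminal's unofficial totals."""
    return json.dumps({"terminal": terminal_id, "totals": totals}, sort_keys=True)


# --- Case 1: no cryptography.  GEMS takes whatever arrives on the line. ---
def gems_accept_plain(wire):
    return json.loads(wire)


def mitm_alter(wire, candidate, delta):
    """Attacker on the modem path rewrites one candidate's total."""
    msg = json.loads(wire)
    msg["totals"][candidate] += delta
    return json.dumps(msg, sort_keys=True)


# --- Cases 2 and 3: a keyed MAC over the report. ---
def sign(wire, key):
    return wire, hmac.new(key, wire.encode(), hashlib.sha256).hexdigest()


def gems_accept_mac(wire, tag, key_for_terminal):
    """Verify the MAC with the key GEMS holds for the claimed terminal."""
    msg = json.loads(wire)
    key = key_for_terminal(msg["terminal"])
    expected = hmac.new(key, wire.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch: report tampered or not from that terminal")
    return msg


# Hypothetical: one key compiled into every terminal and present in the source tree.
HARDCODED_KEY = b"same-key-in-every-terminal-and-in-the-source"


def demo():
    totals = {"Alice": 120, "Bob": 98}
    wire = make_report("T-0001", totals)

    # Case 1: plain upload.  Attacker adds 50 votes; GEMS cannot tell.
    plain_bob = gems_accept_plain(mitm_alter(wire, "Bob", 50))["totals"]["Bob"]

    # Case 2: hard-coded key.  The attacker has the same key as every
    # terminal, so a forged report verifies; this is the "impersonating a
    # voting terminal" finding.
    forged, tag = sign(mitm_alter(wire, "Bob", 50), HARDCODED_KEY)
    hardcoded_bob = gems_accept_mac(forged, tag, lambda t: HARDCODED_KEY)["totals"]["Bob"]

    # Case 3: a per-terminal key provisioned by the county.  The attacker on
    # the line does not hold T-0001's key, so any alteration fails the MAC.
    per_terminal = {"T-0001": os.urandom(32)}
    signed, tag = sign(wire, per_terminal["T-0001"])
    tampered = mitm_alter(signed, "Bob", 50)
    try:
        gems_accept_mac(tampered, tag, per_terminal.__getitem__)
        per_terminal_outcome = "accepted"
    except ValueError:
        per_terminal_outcome = "rejected"
    return plain_bob, hardcoded_bob, per_terminal_outcome
```

    The MAC only helps when the key is unique to the terminal and is never in the firmware image or the source; it also does not stop an attacker from replaying an old, correctly signed report, so a real protocol would add a per-election nonce or sequence number, and the memory-cartridge totals rather than the modem upload remain the official record.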

  • 13/28

    SAIC Report

    Report commissioned by Maryland Governor Ehrlich

    SAIC = Science Applications International Corporation

    SAIC is the largest employee-owned R&D engineering company in the US. 44,000 employees; 150 locations

    State of Maryland is a large customer of SAIC

    No election expertise

    SAIC website contains no occurrence of "voting", "Diebold" or "election"

    "The system, as implemented in policy, procedure, and technology, is at high risk of compromise. Application of the listed mitigations will reduce the risk to the system."

  • 14/28

    SAIC Report

    "While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland's implementation of the AccuVote-TS voting system, and the election process controls or environment."

    "In general, most of Mr. Rubin's findings are not relevant to the State of Maryland because the voting terminals are not connected to a network."

    "LBE procedures and the openness of the DRE voting booth mitigate a large portion of his remaining findings."

  • 15/28

    SAIC Recommendations (Diebold)

    Apply cryptographic protocols to protect vote transmission

    Change default passwords and passwords printed in documentation immediately

    Remove the GEMS server from any network connection

    Rebuild the server from trusted media and validate it has not been compromised

    Remove all extraneous software from the GEMS server

  • 16/28

    SAIC Recommendations (Process)

    Bring system into compliance with Maryland Information Security Policy and Standards

    Create Chief Information Systems Security Officer within the State Board of Elections

    Develop formal, documented set of policies and procedures

    Create a formal System Security Plan

    Require 100 percent verification of results transmitted to media

    Require review of audit trails

    Provide formal info security training

    Review any system modification by a risk assessment process

    Implement a documented process to respond to unauthorized access attempts

    Document how the general support system identifies access to the system

  • 17/28

    SAIC Recommendations (Process)

    Verify that the ITA-certified version of software and firmware is loaded

    Modify Logic and Accuracy testing to include testing of time-oriented exploits

    Discontinue ballot distribution by FTP

    Implement an iterative process to ensure integrity of the system is maintained
  • 18/28

    RABA Report

    Commissioned by Maryland legislature

    Financed by Spring Capital Partners LP

    "Top tier information technology services for government and commercial applications"

    Former National Security Agency employees

    No election expertise

    Laboratory Red Team exercise

    http://www.raba.com/
  • 19/28

    RABA Report

    Rubin Report: "The subsequent revelation of a conflict of interest involving one of its authors with a Diebold competitor has only served to detract from the substance of the results."

    "Many of the statements made by the authors appear to function more as attention-gathering sound bites than actual statements of fact."

    "Had the authors approached the State Board of Elections with their preliminary findings, many of their false hypotheses could have been corrected and the discussion not diluted by specious claims."

  • 20/28

    RABA Report

    Report generally agrees with Rubin and SAIC opinion on code quality (poor)

    RABA conducted a Red Team exercise January 19, 2004

    Eight computer security specialists, none with election expertise

    Exercise conducted in a laboratory, not under election conditions

    No one from the State Board of Elections was present

  • 21/28

    RABA Recommendations

    Create smartcards with computer-generated passwords by precinct

    Apply tamper tape to AccuVote-TS terminals

    Institute procedures to prevent use of unauthorized Supervisor cards

    Add locks to prevent removal of PCMCIA cards from machines

    Prevent screen from being disconnected

    Secure physical access to the AccuVote
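    The first RABA recommendation above, together with the Rubin finding on slide 8 that voters can program their own smartcards, as an added example that is a hypothetical model and not the AccuVote-TS smartcard protocol. A voter card that the terminal checks only against a static password can be minted by anyone with a card writer; a card carrying a per-precinct keyed MAC and a one-time counter can be neither forged nor reused. Field names, the static password, the precinct key and the counter scheme are all assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical: the same value burned into every voter card and every terminal.
STATIC_PASSWORD = b"1234"


class StaticPasswordTerminal:
    """Weak design: activation succeeds for any card carrying the static password."""

    def activate(self, card):
        return card.get("type") == "voter" and card.get("password") == STATIC_PASSWORD


def homebrew_card():
    """What a voter with a card writer produces, as many times as they like."""
    return {"type": "voter", "password": STATIC_PASSWORD}


def issue_card(precinct, key, counter):
    """Election judge issues a card bound to the precinct key; the counter is
    unique per issuance so the same card cannot activate two ballots."""
    msg = f"{precinct}:{counter}".encode()
    return {"precinct": precinct, "counter": counter,
            "tag": hmac.new(key, msg, hashlib.sha256).digest()}


class PrecinctKeyedTerminal:
    """Hardened design: per-precinct key, MAC over (precinct, counter), single use."""

    def __init__(self, precinct, key):
        self.precinct = precinct
        self.key = key
        self.used = set()  # counters this terminal has already consumed

    def activate(self, card):
        if card.get("precinct") != self.precinct:
            return False  # card from another precinct
        msg = f"{card['precinct']}:{card['counter']}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, card.get("tag", b"")):
            return False  # forged: issuer did not hold this precinct's key
        if card["counter"] in self.used:
            return False  # replayed card
        self.used.add(card["counter"])
        return True


def demo():
    """Exercise both terminals with constructed cards; returns the outcomes."""
    weak = StaticPasswordTerminal()
    key = os.urandom(32)
    strong = PrecinctKeyedTerminal("P-07", key)
    legit = issue_card("P-07", key, 1)
    forged = {"precinct": "P-07", "counter": 2, "tag": b"\x00" * 32}
    other_precinct = issue_card("P-08", os.urandom(32), 1)
    return {
        "homebrew_on_static": weak.activate(homebrew_card()),  # attack succeeds
        "legit_first_use": strong.activate(legit),
        "legit_reuse": strong.activate(legit),
        "forged": strong.activate(forged),
        "other_precinct": strong.activate(other_precinct),
    }
```

    The used-counter set lives on one terminal, so a copied card could still activate a ballot on a second terminal in the same precinct; closing that gap needs the card bound to a terminal ID as well, or a shared issuance log checked at the poll book. None of this helps against an insider who holds the precinct key, which is why RABA pairs it with procedures around Supervisor cards and physical access.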


  • 23/28

    RABA GEMS Recommendations

  • 24/28

    RABA GEMS Immediate Recommendations

    1. Install all Microsoft security patches on servers

    2. Ensure modem access to servers only when expected

    3. Block at firewall all ports not needed by GEMS

    4. Update anti-virus software

    5. Turn off all services not needed by GEMS

    6. Install Tripwire to enable configuration audit

    7. Disable autorun in the Windows registry

    8. Lock the front panel, store server in a secure location; use tamper tape

    9. Change boot order to hard drive first; password protect the BIOS

  • 25/28

    SOURCE: TRIPWIRE

    Tripwire

    Portland, OR software company

    Change monitoring and analysis software

    http://www.tripwire.com/products/technology/index.cfm
  • 27/28

    A Well-Designed e-Voting Machine (diagram)

    Components labelled: two read-only memories; random access memory; write-once memory; internal paper trail; voter choices; proprietary operating system (not Windows); ballot setup data; software from a trusted source (not the vendor); 16-hour battery; no ports, no connectors, no modem, no wireless, no Internet

    After the polls close: totals report signed by election judges; write-once memory to county board; machine sealed with paper trail

  • 28/28

    Q & A