
Man-In-the-Middle Remote Attack On Diebold Voting Machines

An anonymous reader tips news of a vulnerability discovered in the Diebold Accuvote voting system, which could be used to alter voting results without leaving evidence of tampering. Quoting Salon: "[T]he Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. ... The team's video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a "bad guy" virtually complete control over the machine. A cheap remote control unit can enable access to the voting machine from up to half a mile away. ... The video shows three different types of attack, each demonstrating how the intrusion developed by the team allows them to take complete control of the Diebold touch-screen voting machine. They were able to demonstrate a similar attack on a DRE system made by Sequoia Voting Systems as well."

  • (a) First post! (b) I was going to do research into voting protocols as a senior design project. I'm convinced that there is no truly, 100% secure way of implementing this, unfortunately. I wish there was, though.
    • Re: (Score:2, Insightful)

      by BenJury ( 977929 )
      > The team's video demonstrates how inserting the inexpensive electronic device into the voting machine can offer a "bad guy" virtually complete control over the machine.

      If you can do this, you're going to have no protection at all. Just like paper votes, if the people who run the voting stations are corrupt, then the system can be fiddled. This shouldn't come as a surprise.
      • by lammy ( 1557325 ) on Wednesday September 28, 2011 @05:01AM (#37537602)
        The key point is SUPERVISION. Yes, the voting station staff might be corrupt, but if you have representatives from each of the parties with a stake in the election present during the entire voting and counting process, then sleight-of-hand becomes much trickier. With a pencil-and-paper-based system, you need to distract a great number of people *on election day* (assuming the votes are counted immediately after polls close, as in the UK) in order to 'interfere' with the vote. With the electronic system, all you need is a moment alone with the machine, at basically any point after its manufacture, to make your modifications (whatever they may be - software/hardware - just preferably hard to trace) - and it suddenly doesn't matter how rigorous the supervision is, come election day. Human beings can't supervise at the electron level.
        • With a pencil-and-paper-based system, you need to distract a great number of people *on election day*

          Hmmm, wrong! Your rose-tinted-glasses view of paper votes clashes with reality [google.com].

          As long as you can raise doubt about the accuracy of votes you can request a recount. Good luck with keeping supervision on all ballot boxes for all time after the election until the last recount is done.

          I can't understand how slashdotters keep raising the same theoretical objections to electronic voting while they disregard the observed facts. Guys, this is religion! Slashdot dogma says electronic voting is bad, paper voting is

          • by Sique ( 173459 )

            I have to correct you, but actually it's possible to supervise all voting boxes until the last recount is done. If you understand any German (or the English your favourite online translator generates from German), you might have a look at Voting Fraud of Dachau [wikipedia.org] to see it in action.

          • by Joce640k ( 829181 ) on Wednesday September 28, 2011 @07:27AM (#37538306) Homepage

            This is true for all nerdy arguments - if something isn't 100% perfect then it's obviously completely useless.

            Usually we ignore the real world practicalities (I believe there's an XKCD cartoon about breaking 4096 bit encryption with a $5 wrench which illustrates this point nicely).

            OTOH the Diebold contract should have been cancelled a long time ago and the people forbidden from ever working in security. They're seriously incompetent.

            Me? I think electronic voting is basically flawed because information can be tampered with and leave no trace. I want something physical that can be audited later.

            My plan:

            I'd have the machines print out little cards with a plain text version of the votes on one side and QR codes printed on the other. You can check your vote is correct, fold it in half (it's pre-scored and has glue dots) so that only the QR codes are visible then drop it in the ballot box. The votes can be counted electronically and you have something physical which can be randomly sampled and/or audited later. Best of both worlds!

            • This is true for all nerdy arguments - if something isn't 100% perfect then it's obviously completely useless.

              Of course, but then we do tend to think in binary.

            • by Nadaka ( 224565 )

              No. The printed computer readable code used for counting also needs to be human readable. Why? A compromised machine could print codes that do not match the human readable verification.

              Print the results in a large simple font and OCR will work for any undamaged ballot.

              • That would be found out in the random sampling of the ballot papers that takes place later.

                Ballot papers are supposed to be secret, not something that people can read from ten yards away.

                • by Nadaka ( 224565 )

                  They have this incredible new invention, it is called paper. It has two sides and is capable of a revolutionary process called folding so that marks made on the inside are invisible from the outside!

                  The electronic ballot prints the paper and the user can verify his vote before casting it.
                  The user folds the ballot and takes it to the ballot box.
                  The paper is fed through an optical scanner and into the ballot box.
                  The scanner provides the initial count, that is later confirmed by hand counts.

                  This addiction we h

              • At the end of the day the machine will have a count on it A: 120, B: 83. You then randomly select a small fraction of the machines and count the ballots in them. If there are discrepancies, you can project their size accurately and see if the margin of error is close to a win/loss changer.

                If there are individual machines with seriously questionable results, you can again open them up and do a hand count.

                The idea of the non-humanly readable format is so the vote is private. Where I used to vote, you punch hol

                • by Nadaka ( 224565 )

                  Random sampling is not sufficient. All votes must be equal. All votes must be counted.

          • by PopeRatzo ( 965947 ) * on Wednesday September 28, 2011 @07:31AM (#37538346) Journal

            Vulnerabilities in electronic votes are the equivalent of butterfly ballots and hanging chads. If only people had shown the same determination to find all possible modes of failure in the paper system used in the Florida 2000 election...

            No. The extreme vulnerability in electronic voting is not the equivalent of hanging chads. It's the equivalent of powerful people having access to a simple method of rigging elections, as if the Supreme Court and Citizens United weren't enough.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            I've been a voting official; I attended the mandatory training and staffed a booth all day long for the last US presidential election.

            I'm also one of the people who has totally unrestricted, totally unsupervised access to dozens of voting machines.

            This has nothing to do with my status as a trained voting official; basically, I do volunteer maintenance work at local schools and Unitarian Universalist churches. Somebody has to show up at 2AM to fix busted pipes, you know - that somebody is usually me. And i

          • So, is there a way to insert an "inexpensive electronic device" into a ballot? Simple solution, remove all unused connectors from the circuit boards. For every vulnerability there's a solution.

            From the abstract of the video, the man in the middle is between the UI and the machine. No way to remove that vulnerability.

            Here is an unremovable attack on a purely electronic system: a system programmed to not count votes correctly if the date and time are right for voting based on an unsettable clock not revealed to the administrator's UI--when the battery on the clock fails, the machine reports a hardware failure that requires service from the manufacturer.

            You could get around this with an open hardware

          • I've always wondered why there isn't a hybrid system - make your electronic vote print out a receipt, validate the receipt and drop the receipt in the box. If someone manages to compromise the electronic system, you've got a paper trail backup. If someone manages to compromise the paper system, you've got the electronic one.

            Isn't defense in depth the order of the day here?

        • by Sique ( 173459 ) on Wednesday September 28, 2011 @07:07AM (#37538150) Homepage

          Why "representatives from each of the parties"? Why not "who wants to attend can attend"?

          That's how it works for most elections anyway. If you want to watch the election, go to the voting hall and sit there. Watch the empty voting boxes being sealed. Watch the breaking of the seal for the count. Watch the count. Watch the signing of the count sheet and the resealing of the voting boxes. Put your own seal on the boxes too, if you want. Accompany the car transporting the voting boxes to the central voting office. etc.pp.

          If enough people do this in enough voting districts, large scale fraud is nearly impossible. That's how the people of the former communist East Germany were able to prove in court the voting fraud at least in the last "election"s in 1989 - enough people were at the voting halls, watched the procedure, and took notes of the results, compared them with the official results as announced the next day and found discrepancies.

        • by jeti ( 105266 )

          No. The key point is accountability. Over in Germany, we've had reports of machines that were stored overnight at the home of a candidate. And the seals being used are the cheapest kind of paper seal, which can easily be forged and probably even re-attached.

          Over in the Netherlands, there was a case where eyewitnesses suspected tampering. The suspect has not been found guilty because of lack of proof.

          It's hard to prove tampering without a paper trail.

    • by neyla ( 2455118 ) on Wednesday September 28, 2011 @05:05AM (#37537616)

      There is, in fact, a simple, straightforward way of getting all the advantages of electronic voting, while preserving the advantages of paper-voting.

      Have the voting-machine print your vote as the last step, then deposit this printed vote in a ballot-box the old-fashioned way.

      To verify the vote, simply count the paper-ballots the old-fashioned way, and compare the result with the results from the electronic voting.

      It isn't really needed to count all the votes: picking a small fraction of voting-places randomly and checking those, has a high probability of detecting systematic attempts at cheating nationwide.

      • I agreed up until the last sentence... All votes should be manually counted regardless of how "close" or "non-suspicious" the results are. It's not particularly hard, we usually manage to count 100% of the votes in the precincts by early morning after, and 99.9% by late night. The votes are then counted again centrally in each county to officially certify the count and the election.

        • So why not reduce the very expensive middleman and eliminate electronic voting altogether?

          e-voting was supposed to replace manual counting. If you can't do that then there's no point in spending millions on e-voting machines.

          • by SwedishPenguin ( 1035756 ) on Wednesday September 28, 2011 @07:11AM (#37538188)

            If you go in to e-voting expecting it to make elections cheaper, you're coming at it from the wrong perspective. If the goal of e-voting is not to make it more secure and accessible, then there's no point in doing it. Elections are a minimal cost in the scheme of things, and endangering their validity in order to save a few measly thousands-of-percent of the budget is insane.

          • In theory electronic voting would be more reliable and less open to interpretation than paper voting. I would be fine counting votes by hand until people were confident that the electronic voting machines were actually accurate.
            • Voting machines can never be trusted... unless the manufacturer and everyone who works for them, and everyone at the polling station is unbiased ... which they cannot be

              A voting machine that prints out, you check and then put in a box in the old fashioned way, stops spoilt papers and unclear intentions, and is easily verified
              No purely electronic voting machine can be as open and verifiable as this ...?

            • by he-sk ( 103163 )

              The _hypothesis_ that electronic voting is somehow less open to interpretation has been thoroughly disproven by reality in the last decade. It can also be shown to be theoretically false very easily: The integrity of the manual hand count stems from the fact that any idiot^W^W the average voter can monitor the process and be reasonably sure that no tampering occurred. An electronic voting machine^W^W^W general purpose computer is completely opaque in that regard. Ken Thompson showed 25 years ago that even a

              • Why don't we just throw all the candidates names into a hat and randomly draw the winners? The results can't be any worse than the current system produces and it would be a hell of a lot cheaper and faster.
          • So....what we need is e-counting?

            See my plan a bit further up ^^

          • E-voting with a print out as the last option stops spoilt papers (well unless you are using old hanging chad machines) and can speed up counting as there are no longer any unclear choices

            E-voting where everything is kept electronically is always suspect, and always open to fraud/hacking etc ...

          • by tlhIngan ( 30335 )

            So why not reduce the very expensive middleman and eliminate electronic voting altogether?

            Well, e-voting allows for accessibility (paper ballots are hard to use by the blind, but it's trivial for an e-voting machine to speak the choice). Sure you're allowed to bring in an assistant to help, but that can lead to vote coercion.

            A printed paper ballot can also be printed in such a way that the vote is unambiguous. No "hanging chads" or such - the paper shows the vote clearly. Even if the printer runs out midway

      • Have the voting-machine print your vote as the last step, then deposit this printed vote in a ballot-box the old-fashioned way.

        They showed that it is possible to control the printer as well, so then it would depend on what is printed by the printer, and whether voters would notice.

        • If you recounted the paper votes and it was different than the electronic tally, then it would be very clear very quickly that something was wrong.
        • Put a sign up - "Check your card!"

          Not everybody would check but it only takes a couple of observant voters to bring the whole election down. If that's your plan for winning the election then it's not a very good one...

      • To verify the vote, simply count the paper-ballots the old-fashioned way, and compare the result with the results from the electronic voting.

        Let's assume they don't match... What happens then? That's the problem with having two controls: you prefer one over the other, so you'll pay twice for the same information.

        • Then you work out if it's just a minor error in one, or if there's a systemic issue and you need to redo the entire election.

          You also find and execute the people who tried to rig the election if it was intentional.

          You don't have two controls so that you can choose one over the other. You have two controls so that if they are different you know something has screwed up. Once you know something is broken you can work out how to fix it. If you don't know in the first place it's a tad more difficult to fix.

        • by tlhIngan ( 30335 )

          To verify the vote, simply count the paper-ballots the old-fashioned way, and compare the result with the results from the electronic voting.

          Let's assume they don't match... What happens then? That's the problem with having two controls: you prefer one over the other, so you'll pay twice for the same information.

          Really? The printed paper would be the one that counts, because a) the voter read the ballot before they deposited it. It's also the only record anyone has of the election. The electronic tally is u

      • by Nadaka ( 224565 )

        There does not need to be nationwide systematic fraud in order to change the outcome of an election. Fraud in a few well selected states, and even a few well selected counties of those states could turn the tide.

        Every vote must be counted.
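
Added example, not part of any comment in this thread: the sampling audit proposed above and the objection that fraud in a few well-chosen places can slip past it, put into numbers. It assumes precincts are drawn uniformly at random without replacement and that hand-counting a tampered precinct always exposes the mismatch; the precinct counts are constructed.

```python
"""Detection odds for a random-sample audit of precinct paper counts.

Model (an assumption of this example): auditors hand-count the paper ballots
in `sampled` precincts drawn uniformly at random without replacement, and any
tampered precinct that is drawn shows a paper/electronic mismatch.
"""


def miss_probability(total, tampered, sampled):
    """Probability that the sample contains no tampered precinct (hypergeometric)."""
    if not (0 <= tampered <= total and 0 <= sampled <= total):
        raise ValueError("tampered and sampled must lie between 0 and total")
    p = 1.0
    for i in range(sampled):
        clean_left = total - tampered - i
        if clean_left <= 0:
            return 0.0  # more draws than clean precincts: a hit is certain
        p *= clean_left / (total - i)
    return p


def detection_probability(total, tampered, sampled):
    """Probability that at least one tampered precinct is hand-counted."""
    return 1.0 - miss_probability(total, tampered, sampled)


def sample_size_for(total, tampered, confidence):
    """Smallest sample that catches a tampered precinct with the given confidence."""
    if not 1 <= tampered <= total:
        raise ValueError("need at least one tampered precinct to detect")
    if not 0.0 < confidence <= 1.0:
        raise ValueError("confidence must be in (0, 1]")
    miss = 1.0
    for n in range(total + 1):
        if 1.0 - miss >= confidence:
            return n
        clean_left = total - tampered - n
        miss = 0.0 if clean_left <= 0 else miss * clean_left / (total - n)
    return total


def compare_scenarios(total=5000, sample_fraction=0.03):
    """Constructed scenario: the same audit against widespread and concentrated tampering."""
    sampled = round(total * sample_fraction)
    return {
        "sampled": sampled,
        "widespread_10pct": detection_probability(total, total // 10, sampled),
        "concentrated_5": detection_probability(total, 5, sampled),
        "needed_for_95pct_vs_5": sample_size_for(total, 5, 0.95),
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name}: {value}")
```

A 3% sample is near-certain to catch tampering spread over a tenth of all precincts, but catches five tampered precincts only about one time in seven; reaching 95% confidence against those five needs close to half of all precincts hand-counted.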

      • This is how my precinct has done it for several years. The only difference is the paper is deposited automatically for me, but I do get a chance to check and verify it. It's pretty clearly the solution we need.
      • by drrck ( 959788 )
        This print and verify method is deployed in my county in Ohio. Step 1 is to place your votes on all the available pages. Step 2 the machine flips to the first page and shows you your vote, you are then instructed to look at the paper slip to the right to ensure that your recorded vote matches that which is printed. You do this for all pages, then your vote is "submitted".
    • Encryption and a two-factor authentication system should allow you to do this.

      • Encryption and authentication, performed by who? The machine? That can be broken if you have access to the machine, like in this case.

        One could give personal certificates (in the form of a smart card, for example) to voters and require each vote to be signed using it, so votes would be impossible to forge, but that eliminates the anonymity of the process.

        • Two factor authentication requires a code generated by a second machine (or a card, etc).

          This article describes man in the middle attacks, this should never be possible to do even if you know the source code of the whole thing. Public key encryption and signing should be enough to stop any attempt like this.

          He said he was trying to research voting protocols. It is possible to create a protocol that will be secure 99.999999% of the time.

          PS: If you have enough access to a machine that should be guarded from a

          • Have you read the second sentence in my post? The problem with PKI is that it ties each vote to a specific key, and hence voter, destroying anonymity. It's perfectly possible to have a secure system if you're willing to lose that. But is it worth it?

      • Encryption and a two-factor authentication system should allow you to do this.

        Sure, so long as you can trust the software inside the machines...

        • You could know the whole source code of the machines, if it requires someone's password and token, you'd have to have altered everything in order to get those. And the software can be signed and required to pass verification upon boot, so it's not that easy.

          Either way, the question was about protocols, and it is already possible to have 99.99999% secure connections. I'd say 100%, but you have to consider the human element and those can and will most likely fail sometime.

    • It seems to me that if each voter had a few bits of crypto they could roll in to the vote then they could later verify that their vote was counted correctly. You could aggregate the vote up as you go, so it's not like you'd need to roll the 500 million sigs into the national vote. Verify that you were included in your district, compare the fingerprint to the one included at the national level. There's tons of details I haven't thought of, obviously, but I think this could be made to work. Most people wo
      • by Nadaka ( 224565 )

        The ability of a person to verify their specific vote after it was cast allows vote buying schemes to be confirmed, and violates election laws.

  • Vote tracking (Score:2, Interesting)

    by AK Marc ( 707885 )
    Even with all the massive problems, people still are pushing for electronic voting. The simplest and only sure way to fix the problems is to move back to open vote, which worked great in the past and would ensure that nobody could ever tamper with a voting machine again. Yes, I'm aware of the supposed problems that so many people bring up regarding vote tampering, but absentee voting is available everywhere now with all the same weaknesses and no problems with vote tampering.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Sure, and allow the kind of MASSIVE voter-intimidation of Tammany Hall in New York City that went on in the 19th Century? Secret ballot was brought in FOR A REASON!

      Go back to paper, it takes longer, but is better accountability.

    • Well, the main flaw with electronic voting right now is simply that it seems rare from the press I am seeing that there are paper ballots, or receipts mind you, printed out as well. Keep in mind this might be a case of positive news of E-voting focuses on the E-part and the printers are only mentioned in the negative press attacking flaws.

      Electronic voting, when the information is not tampered with, is more accurate and faster than the old paper voting. Human error can occur in counting them. See 2000 re

      • See 2000 recount efforts.

        See: idiotically designed ballot and what I can only presume is deliberate incompetence due to the inability to create a machine to reliably punch holes in paper.

  • Now that it's been exposed, it will hopefully be fixed very quickly. Though I wonder how many other "unknown" bugs there are that will allow someone to mess with votes.
  • How is this "without evidence of tampering", when they have an actual circuit board ("alien electronic") inserted into the machine?

    Also, to hide the fact that they're changing votes, they blank out the screen. How likely is it that *no one* notices this?

    • Re: (Score:3, Insightful)

      by lammy ( 1557325 )
      "Without evidence of tampering" obviously refers to the state of the machines if the alien circuitry is removed before inspection. The attack does not require any wires to be cut or internal components to be destroyed or removed, which would leave physical evidence. You do have a point about the screen blanking, though. Although it only blanks for a split second and I guess most users could be led to believe that this was normal behaviour. Is it suspicious enough for the regular Joe election supervisor to
    • by znerk ( 1162519 )

      If you can blank the screen, then it should be feasible to actually *change* the screen's output. This attack doesn't require any knowledge of the actual election software, but if you *did* have that knowledge, you could dummy up a screen that has the "correct" votes on it, and display that instead of the votes that are actually being recorded.

      Also, the "without evidence of tampering" is referring to the lack of any evidence that the machine has been tampered with after you remove the alien hardware. Gain a

    • How is this "without evidence of tampering", when they have an actual circuit board ("alien electronic") inserted into the machine?

      Also, to hide the fact that they're changing votes, they blank out the screen. How likely is it that *no one* notices this?

      Both of these refer to the user of the machine whose vote is being tampered with. As the case is not made of acrylic I don't know if it has a surplus circuit board installed in it by the person who was in the booth before me.

      Also as someone who has never used an e-voting machine how am I supposed to know the screen isn't supposed to blank?

    • How likely is it that *no one* notices this?

      If it's your first ever time using the software then *very likely* because you don't know what's 'normal'.

      Duh.

    • How is this "without evidence of tampering", when they have an actual circuit board ("alien electronic") inserted into the machine?

      Also, to hide the fact that they're changing votes, they blank out the screen. How likely is it that *no one* notices this?

      They discuss it at 8:35 in the video. Because there's no soldering, you can remove the board when you are done with the vote tampering and nobody would be the wiser.

  • Man on the inside (Score:2, Insightful)

    by jamesl ( 106902 )

    "[T]he Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code ...

    No, all they needed was access to the machine's internals, modification of its electronics and knowledge of how to "insert a piece of 'alien electronics' into a circuit board."

    Once you give someone physical control of your machine, you have given someone control of your machine.

    • this is true. I made a replica of a Diebold voting machine and crammed an atari 2600 into it. If anyone wanted to vote for an independent, they had to first solve jungle hunt. Totally hacked the voting process.

    • Given how last year we saw articles on how dead easy these things were to get into despite the fancy looking lock, this attack still falls in the category of "could conceivably happen".

  • See? It really does!

    Now go vote!

    Remotely! Here is your remote!

  • "Often the polling places are in elementary schools or a church basement or some place that doesn't really have a great deal of security."

    At least they are not in the hands of someone with a political agenda.

  • It died boldly just like yesterday's votes.

  • I saw this discussion on another site and someone asked 'Why can they make rock solid tamper proof slot machines but not voting machines?' I realize they are not the same animal but the concepts of security and tampering must be very similar.

    • by dltaylor ( 7510 )

      Because the people making the gambling machines want them secure FROM cheaters, while the people making the voting machines want them secure FOR cheaters (cough cough GWB cough).

    • Exactly. Somehow we can make ATMs, electronic slot machines, and all kinds of online transactions secure, but can't secure a vote? Sounds like a lack of will at best, a nefarious plan to make U.S. democracy more of a farce than it already is at worst.

  • ...Oh that's right, because popular vote doesn't matter.
    See: 2000 election.
