For public review, the results of California's software audit of Diebold voting machines. Guess what? The machines are a joke. Color me shocked.
[a style="font-weight: bold; color: rgb(0, 0, 255);" href="http://www.sos.ca.gov/elections/voting_systems/ttbr/diebold-source-public-jul29.pdf"]http://www.sos.ca.gov/elections/voting_systems/ttbr/diebold-source-public-jul29.pdf[/a]
[hr style="width: 100%; height: 2px;"]
Executive Summary
This report is a security analysis of the Diebold voting system, which consists primarily of the
AccuVote-TSX (AV-TSX) DRE, the AccuVote-OS (AV-OS) optical scanner, and the GEMS election management system. It is based on a study of the system's source code that we conducted at the request of the California Secretary of State as part of a "top-to-bottom" review of California voting systems.
Our analysis shows that the technological controls in the Diebold software do not provide sufficient security to guarantee a trustworthy election. The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes. These vulnerabilities include:
• Vulnerability to malicious software
The Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines or on the election management system. Malicious software could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results. It could also prevent voting machines from accepting votes, potentially causing long lines or disenfranchising voters.
• Susceptibility to viruses
The Diebold system is susceptible to computer viruses that propagate from voting machine to voting machine and between voting machines and the election management system. A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county's voting machines. Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines.
• Failure to protect ballot secrecy
Both the electronic and paper records of the Diebold AV-TSX contain enough information to compromise the secrecy of the ballot. The AV-TSX records votes in the order in which they are cast, and it records the time that each vote is cast. As a result, it is possible for election workers who have access to the electronic or paper records and who have observed the order in which individuals have cast their ballots to discover how those individuals voted. Moreover, even if this vulnerability is never exploited, the fact that the AV-TSX makes it possible for officials to determine how individuals voted may be detrimental to voter confidence and participation.
• Vulnerability to malicious insiders
The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority. Anyone with access to a county's GEMS server could tamper with ballot definitions or election results and could also introduce malicious software into the GEMS server itself or into the county's voting machines.
Although we present several previously unpublished vulnerabilities, many of the weaknesses
that we describe were first identified in previous studies of the Diebold system (e. g., [26], [17], [18],[19], [33], [23], and [14]). Our report confirms that many of the most serious flaws that these studies uncovered have not been fixed in the versions of the software that we studied. Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit "weakness-in-depth"—even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.
Due to these shortcomings, the security of elections conducted with the Diebold system depends almost entirely on the effectiveness of election procedures. Improvements to existing procedures may mitigate some threats in part, but others would be difficult, if not impossible, to remedy procedurally. Consequently, we conclude that the safest way to repair the Diebold system is to reengineer it so that it is secure by design.
[a style="font-weight: bold; color: rgb(0, 0, 255);" href="http://www.sos.ca.gov/elections/voting_systems/ttbr/diebold-source-public-jul29.pdf"]http://www.sos.ca.gov/elections/voting_systems/ttbr/diebold-source-public-jul29.pdf[/a]
