CA Software Reports Released – Diebold subtracts from democracy

Update: Talk of the Nation Interview – Red Team Leader: “[relying on procedures] indicates a very high belief in human infallibility.”

Executive Summary:

Vulnerability to malicious software

The Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines or on the election management system. Malicious software could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results. It could also prevent voting machines from accepting votes, potentially causing long lines or disenfranchising voters.

Susceptibility to viruses

The Diebold system is susceptible to computer viruses that propagate from voting machine to voting machine and between voting machines and the election management system. A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county’s voting machines.
Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines.

Vulnerability to malicious insiders

The Diebold system lacks adequate controls to ensure that county workers with access to the GEMS central election management system do not exceed their authority. Anyone with access to a county’s GEMS server could tamper with ballot definitions or election results and could also introduce malicious software into the GEMS server itself or into the county’s voting machines.

Although we present several previously unpublished vulnerabilities, many of the weaknesses that we describe were first identified in previous studies of the Diebold system (e.g., [26], [17], [18], [19], [33], [23], and [14]). Our report confirms that many of the most serious flaws that these studies uncovered have not been fixed in the versions of the software that we studied.

Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to render the system secure. Systems that are architecturally unsound tend to exhibit “weakness-in-depth”: even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.

Conclusion of the Diebold software report:

Our study of the Diebold source code found that the system does not meet the requirements for a security-critical system. It is built upon an inherently fragile design and suffers from implementation flaws that can expose the entire voting system to attacks. These vulnerabilities, if exploited, could jeopardize voter privacy and the integrity of elections. An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive: malicious code could spread to every voting machine in polling places and to county election servers. Even with a paper trail, malicious code might be able to subtly influence close elections, and it could disrupt elections by causing widespread equipment failure on election day. We conclude that these problems arose because of a failure to design and build the system with security as a central focus, which led to the inconsistent application of accepted security engineering practices. For this reason, the safest way to repair the Diebold system is to reengineer it so that it is secure by design.

We discussed a number of limited solutions and procedural changes that may improve the security of the system, but we warn that implementing any particular set of technical or procedural safeguards may still be insufficient. Similarly, fixing individual flaws in the system, even all of the issues identified in this report, may not yield a secure voting system because of the possibility that unidentified problems will be exploited. We are also concerned that future updates to the system may introduce new, unknown vulnerabilities or fail to adequately correct known ones. We urge the state to conduct further studies to determine whether any new or updated voting systems are secure.

CA Reports:
Link to the Diebold Software Report
Link to the CA Hardware Report
All the CA reports

Commentary:
Matt Blaze, who led the Sequoia software team:

The problems we found in the code were far more pervasive, and much more easily exploitable, than I had ever imagined they would be…

There was a pervasive lack of good security engineering across all three systems, and I’m at a loss to explain how any of them survived whatever process certified them as secure in the first place. Our hard work notwithstanding, unearthing exploitable deficiencies was surprisingly — and disturbingly — easy…

Unfortunately, while finding many of the vulnerabilities may have been straightforward enough, fixing them won’t be…

strengthening these systems will involve more than repairing a few programming errors. They need to be re-engineered from the ground up…

