2008: The year of hack the vote? http://blogs.zdnet.com/security/?p=753 December 17th, 2007 Posted by Larry Dignan @ 2:12 am The state of Ohio has released a comprehensive study of voting machine security and the report will have you longing for paper. A 334-page PDF report http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pd... from the Ohio Secretary of State reveals insufficient security, poor implementation of security technology, lax auditing and shoddy software maintenance. The report, which covers voting systems from Election Systems and Software (ES&S), Hart InterCivic and Premier Election Solutions formerly known as Diebold, was conducted by Ohio\u2019s EVEREST (Evaluation and Validation of Election-Related Equipment, Standards and Testing) initiative in conjunction with research teams from Penn State, University of Pennsylvania and WebWise Security. The EVEREST report was released Dec. 7 and I found it via Slashdot. Overall, the report really raises questions about election systems. Buffer overflows, leaky encryption, audit problems and firmware issues abound. One machine, the M100, from ES&S accepts counterfeit ballots. The Premier AV-TSX allows an unauthenticated user to read or tamper with its memory. The Hart EMS has audit logs that can be erased. In fact, the first 17 pages of the report\u2013essentially the table of contents\u2013is an indictment of these systems. To make matters worse, these machines don\u2019t run constantly. That means malicious software could be planted and not turn up until election time. These machines aren\u2019t patched regularly either. The report is too massive to detail completely here, but at a high level here are the takeaways from the EVEREST report: * Systems uniformly stunk at security and \u201cfailed to adequately address important threats against election data and processes.\u201d * A root cause of these security failures was \u201cpervasive mis-application of security technology.\u201d Standard practices for cryptography, key and password management and security hardware go ignored. * Auditing capabilities are a no show. \u201cIn all systems, the logs of election practices were commonly forgeable or erasable by the principals who they were intended to be monitoring.\u201d Translation: If there\u2019s an attack the lack of auditing means you can\u2019t isolate or recover from the problem. * Software maintenance practices \u201cof the studied systems are deeply flawed.\u201d The EVEREST report calls the election software \u201cfragile.\u201d Why would these machines be so enticing as a target? You could swing an entire election, produce incorrect results, block groups of voters, cast doubt on an election or delay results. And it may not take a brain surgeon to alter these systems. The EVEREST teams reported that they were able to subvert every voting system and not be detected \u201cwithin a few weeks.\u201d Meanwhile, the EVEREST teams found the issues with only limited access since vendors weren\u2019t exactly cooperative (Section 2.4 of the PDF has the details). The researchers say: Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact. As for the attackers, EVEREST ranks the following folks in ascending order of capabilities: * Outsiders have no special access to voting equipment, but could affect equipment to an extent that it is connected to the Internet. All of the systems reviewed run Microsoft Windows and occasionally connect to the Internet. In addition, an attacker could create a counterfeit upgrade disk and mail it to install malware. * Voters have limited and partially supervised access to voting systems while casting a vote. * Poll workers have extensive access to polling place equipment, management terminals before, during and after voting. They can authorize who votes and who doesn\u2019t and opportunities to tamper with equipment abound. * Election officials have extensive access to back-end election systems and voting equipment. Access is only loosely supervised if at all. One possibility: Bad software prompts election officials to \u201ccorrect\u201d results. * Vendor employees have access to the hardware and source code of system during development. Employees may also be on site to assist workers and election officials. \u201cSome vendors use third-party maintenance and election day support whose employees are not tightly regulated,\u201d according to EVEREST. Add it up and any hack the vote opportunities will most likely be an inside job of some sort. The attacks may or may not be detectable. --- end --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE