[Clips] "Hotel Minibar" Keys Open Diebold Voting Machines

R.A. Hettinga rah at shipwright.com
Mon Sep 18 19:07:20 PDT 2006


--- begin forwarded text


  Delivered-To: rah at shipwright.com
  Delivered-To: clips at philodox.com
  Date: Mon, 18 Sep 2006 21:57:38 -0400
  To: Philodox Clips List <clips at philodox.com>
  From: "R.A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] "Hotel Minibar" Keys Open Diebold Voting Machines
  Reply-To: clips-chat at philodox.com
  Sender: clips-bounces at philodox.com

  <http://www.freedom-to-tinker.com/?p=1064>

  Freedom to Tinker


  + Security Analysis of the Diebold AccuVote-TS Voting Machine

  "Hotel Minibar" Keys Open Diebold Voting Machines

  Monday September 18, 2006 by Ed Felten

  Like other computer scientists who have studied Diebold voting machines, we
  were surprised at the apparent carelessness of Diebold's security design.
  It can be hard to convey this to nonexperts, because the examples are
  technical. To security practitioners, the use of a fixed, unchangeable
  encryption key and the blind acceptance of every software update offered on
  removable storage are rookie mistakes; but nonexperts have trouble
  appreciating this. Here is an example that anybody, expert or not, can
  appreciate:

  The access panel door on a Diebold AccuVote-TS voting machine - the door
  that protects the memory card that stores the votes, and is the main
  barrier to the injection of a virus - can be opened with a standard key
  that is widely available on the Internet.

  On Wednesday we did a live demo for our Princeton Computer Science
  colleagues of the vote-stealing software described in our paper and video.
  Afterward, Chris Tengi, a technical staff member, asked to look at the key
  that came with the voting machine. He noticed an alphanumeric code printed
  on the key, and remarked that he had a key at home with the same code on
  it. The next day he brought in his key and sure enough it opened the voting
  machine.

  This seemed like a freakish coincidence - until we learned how common these
  keys are.

  Chris's key was left over from a previous job, maybe fifteen years ago. He
  said the key had opened either a file cabinet or the access panel on an old
  VAX computer. A little research revealed that the exact same key is used
  widely in office furniture, electronic equipment, jukeboxes, and hotel
  minibars. It's a standard part, and like most standard parts it's easily
  purchased on the Internet. We bought several keys from an office furniture
  key shop - they open the voting machine too. We ordered another key on eBay
  from a jukebox supply shop. The keys can be purchased from many online
  merchants.

  Using such a standard key doesn't provide much security, but it does allow
  Diebold to assert that their design uses a lock and key. Experts will
  recognize the same problem in Diebold's use of encryption - they can say
  they use encryption, but they use it in a way that neutralizes its security
  benefits.

  The bad guys don't care whether you use encryption; they care whether they
  can read and modify your data. They don't care whether your door has a lock
  on it; they care whether they can get it open. The checkbox approach to
  security works in press releases, but it doesn't work in the field.

  This entry was posted on Monday September 18, 2006 at 8:29 am and is filed
  under Security, Voting.


  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text

