More on Security of Electronic Voting Machices in 08

Also taken from the Princeton review of the Diebold voting machines the following information was provided regarding the flaws and security vulnerabilities with the Diebold Machines. I must say that this review was done in 2006 and I am currently looking to see what updates have been made to the machines. For the whole .PDF you can go to the .PDF directly by Clicking Here.

Main Findings The main findings of our study are:
1. Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.
2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.
3. AccuVote-TS machines are susceptible to voting-machine viruses—computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and postelection activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.
4. While some of these problems can be eliminated by improving Diebold’s software, others cannot be remedied without replacing the machines’ hardware. Changes to election procedures would also be required to ensure security.

Injecting Attack Code
To carry out these attacks, the attacker must somehow install his malicious software on one or more voting machines. If he can get physical access to a machine for as little as one minute, he can install the software manually. The attacker can also install a voting machine virus that spreads to other machines, allowing him to commit widespread fraud even if he only has physical access to one machine or memory card.

Boot Process
When the machine is booted, the bootloader copies itself to RAM and initializes the hardware. Then it looks for a memory card in the first PC Card slot, and if one is present, it searches for files on the card with special names. If it finds a file called fboot.nb0, it assumes that this file contains a replacement bootloader, and it copies the contents of this file to the bootloader area of the on-board flash memory, overwriting the current bootloader. If it finds a file called nk.bin, it assumes that this file contains a replacement operating system image in Windows CE Binary Image Data Format [22], and it copies it to the OS area of the on-board flash, overwriting the current OS image. Finally, if it finds a file called EraseFFX.bsq, it erases the entire file system area of the flash. The bootloader does not verify the authenticity of any of these files in any way, nor does it notify the user or ask the user to confirm any of the changes that it makes. As Hursti [14] suggests, these mechanisms can be used to install malicious code.

Stealing Votes
Figure 4: Our demonstration vote-stealing control panel Several of the demonstration attacks that we have implemented involve installing code onto AccuVote-TS machines that changes votes so that, for a given race, a favored candidate receives a specified percentage of the votes cast on each affected machine. Since any attacks that significantly alter the total number of votes cast can be detected by election officials, our demonstration software steals votes at random from other candidates in the same race and giving them to the favored candidate. The software switches enough votes to ensure that the favored candidate receives at least the desired percentage of the votes cast on each compromised voting machine. Election results (i.e., the record of votes cast) are stored in files that can be modified by any program running on the voting machine. For the currently running election, the primary copy of the election results is stored on the memory card at \Storage Card\CurrentElection\election.brs and a backup copy is stored in the machine’s on-board flash memory at \FFX\AccuVote-TS\BallotStation\CurrentElection\election.brs. Our software works by directly modifying both of these files.

I dont know about you but just knowing this little bit scares me and I can tell you that if you look at the .PDF there is even more when it comes to Security Issues and even storage issues. Think about all of this information before you go in to VOTE this year and remember that you can always request to vote on a piece of Paper instead. Make sure your Vote Counts this year, Make Sure your Voice is Heard. Learn what you are using and don't believe everything your told when it comes to these machines. Sure it is HIGHLY unlikely that anything would happen but when it comes to my freedom and my democracy I can guarantee that knowing as much about this as possible is what or Founding Fathers would want us to do.