Software Review and Security Analysis of the Diebold Voting Machine Software
Citation
- R. Gardner, A. Yasinsac, M. Bishop, T. Kohno, Z. Hartley, J. Kerski, D. Gainey, R. Walega, E. Hollander, and M. Gerke, “Software Review and Security Analysis of the Diebold Voting Machine Software”, Security and Assurance in Information Technology Laboratory, Florida State University, Tallahassee, FL 32306-4530 (July 2007).
Paper
About This Report
From the Executive Summary: On May 14th 2007, the Florida Department of State (FLDoS) commissioned an independent expert review of Diebold Voting System Software. The team, led by Florida State University’s (FSU) Security and Assurance in Information Technology (SAIT) Laboratory, was commissioned to conduct a software code review as part of the state’s voting system certification process. This report is the culmination of that review.
The scope of the investigation, as defined in the Statement of Work, is:
This review is for the purpose of yielding technological data to DOS to ensure voting system effectiveness and security in Florida elections by investigating for potential flaws in target software as documented in reported literature and other published studies.
Our primary findings are:
The version of the Optical Scan and Touch Screen software that we examined:
As an example of the issues that remain, flaws in the Optical Scan software enable a type of vote manipulation if an adversary can introduce an unofficial memory card into an active terminal before the voting (or early voting) period (e.g., during “sleepover”). Such a card can be preprogrammed to alter the correspondence between physical bubbles on the scanned paper ballots and the candidates with which they are associated. Specifically, it can be used to essentially swap the electronically tabulated votes for two candidates, reroute all of a candidate’s votes to a different candidate, or tabulate votes for several candidates of choice toward another chosen candidate. We implemented this attack in the laboratory. The attack succeeds despite new protection mechanisms apparently designed to protect against similarly-documented attacks in previous studies.
Many reported flaws were removed from the Touch Screen software. Nonetheless, we identified many that still exist. As one example, we found an attack that allows an adversary to prepare official, activated voter smart cards that would enable voters to cast multiple ballots in a ballot-stuffing attack. Creation of the cards requires an adversary able to insert a custom smart card into a legitimate voting terminal and to read the data off of a valid voter card (these steps could be done by separate adversaries.) Once the adversary obtained the necessary information in this way, she could then create smart cards that could be used at any precinct throughout a county. Even if detected, this attack is not correctable: the malicious ballots, either in electronic or paper form, are essentially unidentifiable and thus cannot be removed.
Background
I guess Alec Yasinsac thought I was helpful on the review of the ES&S iVotronic source code involved in the CD-13 review, so he invited me to help out with this one. The report, which all the team members wrote, speaks for itself. It was issued by the Division of Elections of the Florida Department of State. Two appendices are redacted from the public version because they are confidential; see §2.1 on p. 4 of the report for an explanation. This is a local copy. The definitive version is available at http://election.dos.state.fl.us/pdf/SAITreport.pdf