LawMeme, Yale Law School

Voting Machines Compromised in Election Simulation
Posted by Rebecca Bolin on Thursday, January 29 @ 17:51:52 EST in Computer Crime
RABA Technologies, at the request of the state of Maryland, has issued a report about the state’s Diebold voting systems, ATM-style DRE terminals using smart cards for voter access. The report criticizes in detail the methodology and assumptions of other security audits and the vague security guidelines issued by the FEC, state, and NIST.

Eight security experts held a Red Team exercise on January 19, using a GEMS server and six AccuVote-TS terminals, replicating an election scenario with no prior knowledge of source code. As suggested by the earlier Hopkins report, the team quickly guessed the hardcoded passwords to administrator and voter smart cards. At a cost of less than $750, they were able to reset voter cards to allow multiple votes with the same card and suggested similar abuses with forged supervisor and voter cards. All 32,000 statewide terminal locks are identical, and the team picked them in less than 10 seconds, allowing physical access to the PCMCIA bay, which contains cards for the modem and the ballot definitions and results. These cards could be tampered with, destroyed, or stolen for their valuable data. Attaching a keyboard to the terminals allowed resetting of all counters in the PCMCIA bay without an administrator card.

The server was missing over fifteen Microsoft security updates, and the team was able to use the same flaws used by the "Blaster" worm. By using insecure USB ports or more secure CD drives, the team was able to modify results and databases “at will.” The report contains a more detailed analysis of these flaws, as well as many others. The responses of several groups are in the New York Times.

The RABA report demands immediate improvements for primaries and upcoming elections, including precinct-specific passwords, tamper-resistant tape on secure locations, limits on administrator card and modem use, changing server accounts, and major software changes and updates for terminals and servers. RABA suggests that these improvements are mandatory to eliminate the need for voter-verified paper ballots, but that a paper record might still be needed.

 

Leges humanae nascuntur, vivunt, moriuntur
Human laws are born, live, and die

Contributors retain copyright interests in all stories, comments and submissions.
Everything else copyright (c) 2002 by the Information Society Project.

This material may be distributed only subject to the terms and conditions
set forth in the Open Publication License, v1.0 or later.
The latest version is currently available at http://www.opencontent.org/openpub/.
