Dan Wallach from Rice University was here on Monday and gave a talk on e-voting. One of the examples in his talk was interesting enough that I thought I would share it with you, both as an introductory example of how security analysts think, and as an illustration of how badly Diebold botched the design of their voting system.

One of the problems in voting system design is making sure that each voter who signs in is allowed to vote only once. In the Diebold AccuVote-TS system, this is done using smartcards. (Smartcards are the size and shape of credit cards, but they have tiny computers inside.) After signing in, a voter would be given a smartcard — the "voter card" — that had been activated by a poll worker. The voter would slide the voter card into a voting machine. The voting machine would let the voter cast one vote, and would then cause the voter card to deactivate itself so that the voter couldn’t vote again. The voter would return the deactivated voter card after leaving the voting booth.

This sounds like a decent plan, but Diebold botched the design of the protocol that the voting terminal used to talk to the voter card. The protocol involved a series of six messages, as follows:

terminal to card: "My password is [8 byte value]"
card to terminal: "Okay"
terminal to card: "Are you a valid card?"
card to terminal: "Yes."
terminal to card: "Please deactivate yourself."
card to terminal: "Okay."

Can you spot the problem here? (Hint: anybody can make their own smartcard that sends whatever messages they like.)

As most of you probably noticed — and Diebold’s engineers apparently did not — the smartcard doesn’t actually do anything surprising in this protocol. Anybody can make a smartcard that sends the three messages "Okay; Yes; Okay" and use it to cast an extra vote. (Do-it-yourself smartcard kits cost less than $50.)

Indeed, anybody can make a smartcard that sends the three-message sequence "Okay; Yes; Okay" over and over, and can thereby vote as many times as desired, at least until a poll worker asks why the voter is spending so long in the booth.

One problem with the Diebold protocol is that rather than asking the card to prove that it is valid, the terminal simply asks the card whether it is valid, and accepts whatever answer the card gives. If a man calls you on the phone and says he is me, you can’t just ask him "Are you really Ed Felten?" and accept the answer at face value. But that’s the equivalent of what Diebold is doing here.

This system was apparently used in a real election in Georgia in 2002. Yikes.

Another Broken Diebold Protocol

Yesterday I wrote about a terribly weak security protocol in the Diebold AccuVote-TS system (at least as it existed in 2002), as reported in a talk by Dan Wallach. That wasn’t the only broken Diebold protocol Dan discussed. Here’s another one which may be even scarier.

The Diebold system allows a polling place administrator to use a smartcard to control a voting machine, performing operations such as closing the polls for the day. The administrator gets a special administrator smartcard (a credit-card-sized computing device) and puts it into the voting machine. The machine uses a special protocol to validate the card, and then accepts commands from the administrator.

This is a decent plan, but Diebold botched the design of the protocol.
Here’s the protocol they use:

terminal to card: "What kind of card are you?"
card to terminal: "Administrator"
terminal to card: "What’s the password?"
card to terminal: [Value1]
terminal to user: "What’s the password?"
user to terminal: [Value2]

If Value1=Value2, then the terminal allows the user to execute administrative commands.

Like yesterday’s protocol, this one fails because malicious users can make their own smartcard. (Smartcard kits cost less than $50.) Suppose Zeke is a malicious voter. He makes a smartcard that answers "Administrator" to the first question and (say) "1234" to the second question. He shows up to vote, signs in, goes into the voting booth, and inserts his malicious smartcard. The malicious smartcard tells the machine that the secret password is 1234; when the machine asks Zeke himself for the secret password, he enters 1234. The machine will then execute any administrative command Zeke wants to give it.
For example, he can tell the machine that the election is over.

This system was apparently used in the Georgia 2002 election. Has Diebold fixed this problem, or the one I described yesterday? We don’t know.

Die Berkeley-Wissenschaftler stützen damit Vorwürfe des US-Politikers Jeff Fisher[4], der schon kurz nach der Wahl auffällige Diskrepanzen beim Vergleich von Statistiken über Wählerregistrierungen und der Stimmenauszählung am 2. November in Gegenden, wo Wahlstimmen eingescannt wurden, ausgemacht hatte. In der Summe kommen Hout und seine Kollegen auf 130.000 respektive 260.000 irreguläre Stimmen — je nachdem, ob es sich dabei um "Ghost-Votes" handelte, also Stimmen, die Bush einfach hinzugerechnet wurden, oder um tatsächlich abgegebene Stimmen, die vorsätzlich geändert wurden, mit dem Ergebnis, dass nicht nur Bush Stimmen mehr, sondern Kerry gleichzeitig die selbe Anzahl Stimmen weniger erhielt. Laut der Wahlbehörde Floridas[5] hatte Bush den Staat mit einem Vorsprung von 380.000 Stimmen gewonnen.