Electronic Voting Machine Insecurity

1
Electronic Voting Machine Insecurity

• Michael Plasmeier
• theplaz.com

2
A Hack
3

• Harri Hursti

4

• Video of hack animation

5
(No Transcript)
6
Question Yes No Total Votes
Memory Card Set 5 -5 0
Zero Tape 0 0 0
Actual Ballots 2 6 8
Machine Total 7 1 8
7
(No Transcript)
8
(No Transcript)
9
Question Yes No Total Votes
Memory Card Set 5 -5 0
Zero Tape 0 0 0
Actual Ballots 2 6 8
Machine Total 7 1 8
10
(No Transcript)
11
Question Yes No Total Votes
Memory Card Set 5 -5 0
Zero Tape 0 0 0
Actual Ballots 2 6 8
Machine Total 7 1 8
12

• Ballot scanning

13
(No Transcript)
14
Question Yes No Total Votes
Memory Card Set 5 -5 0
Zero Tape 0 0 0
Actual Ballots 2 6 8
Machine Total 7 1 8
8
15

• Scientists at Berkeley University confirmed the
  Hursti Hack and found 16 more security flaws

16
Diebolds Response

• a very foolish and irresponsible act
• leaving a cars keys in the ignition and the
  windows down

17

• Why does the memory card support negative counts?
  
• Why then, did the machine print an incorrect
  zero tape????

18
Ion Sancho, Leon County

• trouble buying new machines
• got court order to allow
• still uses
• not many people actually use
• takes extra precautions
• no overnight

19
How this Came to Be
20
Florida
21

• Help Americans Vote Act
• 2002
• 3.9 billion

22
Business and

• Before no in voting machines
• Old lever machines used for 40 years
• Counties did not buy them
• Not as much attention on them

23
Diebolds Business

• Diebold was 3 billion ATM maker
• Bought a smaller company
• Which got the touch screen technology from a
  company making machines for the mall
• No emphasis on security

24

• First get into a business you don't understand,
  selling to customers who barely understand it
  either. Then roll out your product without
  adequate testing. Don't hire enough skilled
  people. When people notice problems, deny,
  obfuscate and ignore. Finally, blame your critics
  when it all blows up in your face.
• -2006

25
The Real Problem
26
Secrecy

• Code is secret
• No design documents public
• Reviews/Audits secret
• Independent investigations discouraged

27
Secrecy

• One NJ county wanted to loan Princeton
  researchers some Sequoia machines to test
• Sequoia threaten to sue
• Violate the license agreement

28
Secrecy

• Claimed machines tested by Independent Testing
  Agencies (ITA)
• shocking history of sloppy, incomplete and
  non-existent testing
• EAC on CIBER 2006

29
Mitigating Factors
30
Mitigating Factors

• VVPAT

31
Mitigating Factors

• Open Source
• Less vendor control
• Firefox is percepted to be very secure
• SSL is used by millions of people to conduct
  business online

32
Why?
33
Essential to Democracy

• Transparency
• Cant secure from admin
• Must maintain vigilance