Two-Year Old Public Report Reveals Diebold Was Warned of 'Newly Discovered' Vulnerability Allowing Software to be Overwritten Without Password in Matter of Minutes
Experts Suggest Decertification of System, Violations of Federal Standards, Describe Diebold's Failure to Act as 'Criminal'
By Brad Friedman on 5/16/2006, 12:56pm PT  

The massive security flaw recently revealed in Diebold touch-screen voting machines --- which allows election software and systems to be overwritten with rogue software in minutes, without need of a password --- and which has sent Elections Officials from Pennsylvania to California to Iowa to every state in the union which uses them, sequestering the machines and scrambling for a solution to mitigate the problem, was previously revealed in a 2004 security report commissioned by the state of Maryland, The BRAD BLOG has learned.

The security assessment of Diebold's touch-screen voting systems was completed by RABA Technologies, and presented to the Maryland State Legislature in January 2004. The report, reviewed at the time by both Maryland election officials and officials at Diebold, consisted of "a 'Red Team' exercise to discover vulnerabilities in the actual voting system" prior to the state's March 2004 primary election.

A "Red Team" attack is used by computer security teams to attempt to hack into a computer system or software package. The results of the RABA report in 2004, spelled out specific details of the latest Diebold security problems which have been splashed across the pages of maintream media outlets from coast to coast since last Wednesday.

Maryland was one of the first states to adopt Diebold's paperless touch-screen systems in 2002 and, as previously reported, spent millions of dollars , in an initiative with Diebold at the time, to promote the new electronic voting systems to state voters.

The security problem exists in both Diebold's paperless touch-screen systems, as well as their newer models which include a so-called "voter-verified paper trail."

The BRAD BLOG broke exclusive details of the story originally on Friday before last, several days before the MSM joined the fray...but we're glad that they're all finally paying attention.

Apparently, though Diebold was apprised of the serious security problem back in early 2004, Diebold programmers and company officials appear to have done nothing to fix the flaws which were found as still present in voting systems being sold by the company this year. In March of this year, an independent security analysis of Diebold touch-screen systems deployed in Utah for the first time, confirmed the continuing presence of the same flaw and, additionally, found even more troubling details surrounding the same security vulnerability.

At least one computer scientist and E-voting expert has now described Diebold's delinquency in failing to correct the problem after two years to be "criminal" and meriting complete decertification.

Furthermore, the security vulnerability --- being described by computer security professionals as "the most serious security breach that's ever been discovered in a voting system," and "a major national security risk" --- appears to be yet another apparent violation, by Diebold, of federal Voting System Standards...

The RABA Report...Ignored by Diebold Since January 2004

Douglas Jones, a computer science professor and e-voting expert at the University of Iowa has written that the new revelation --- that Diebold knew about the problem as long as ago as 2004, but did nothing to correct it --- merits at least decertification of Diebold's touch-screen voting systems, if not criminal charges for their negligence in failing to correct the problem.

The 2004 RABA report which Jones was reacting to, clearly points to the problem which was thought to have been revealed for the first time in an examination of Diebold's AccuVote TSx touch-screen voting system in Emery County, Utah in March.

That analysis, by Finnish computer security specialists Harri Hursti as well as the firm Security Innovation, was arranged by non-partisan e-voting watchdog group BlackBoxVoting.org. A version of Hursti's report of the findings from Emery County, describing a "three-level security flaw" was posted on their site last week, slightly redacted for security reasons.

As it turns out, the RABA report, commissioned by the state of Maryland in 2003, reported the problem previously, and yet, apparently, nothing was done to mitigate the issue by either Diebold or state officials. Moreover, neither Diebold, nor the state of Maryland bothered to alert any other states or federal authorities to the enormous design flaw (which has actually been revealed as a "feature" purposely built into the systems by Diebold, reportedly to make updating system files and software much easier.)

That "feature" however, also allows anyone with access to the machine, to completely overwrite the installed software in a matter of minutes and without the need of a password.

"It seems that Diebold has deliberately opted to ingnore [sic] this finding of the RABA report," Jones wrote in an email sent to an Iowa election official on Monday.

"They clearly had time, between then and now, to do the re-engineering necessary to correct this security flaw. If I had my way, the failure to correct a flaw of this magnitude would be considered criminal," the professor wrote.

Jones' email, released to Election Integrity activists goes on to say, "Given this, it seems to me that a call to decertify is quite reasonable, far more than it would have been had Diebold not had a 2-year warning about this design flaw."

The section of the RABA report pointed to by Jones as evidence that the problem had been revealed to both Diebold and the state of Maryland in 2004 is as follows:

3. Load a PCMCIA card with an update file. The PCMCIA card can be used to update the software on the AccuVote-TS terminal. This can be done by placing a PCMCIA card with an update file into the terminal and rebooting the terminal. The update file allows an attacker to overwrite any file on the system. Furthermore, by using this technique an attacker can install his own version of the ballot station software giving him the ability to completely invalidate all the results on that terminal. If he compromises the AccuVote-TS terminal used as the accumulator, he can compromise the entire precinct results.

Wrote Jones, "This appears to clearly document: 1) The RABA group found and documented this flaw 2) Diebold has been sitting on it for most of 2 years, and has apparently opted to do nothing about it."

The paragraph from the RABA report was apparently first uncovered recently by a poster at DemocraticUnderground.com.

David Allen, an Election Integrity Advocate from BlackBoxVoting.com (as distinct from BlackBoxVoting.ORG) contacted Jones after reading the DU post, to confirm whether or not the security issue cited in the RABA report seemed to be similar to the information revealed in the new report by Hursti based on the Utah analysis of Diebold machines.

"This is exactly the same problem!" Jones wrote in reply. "Thanks! I've been wondering whether this vulnerability was hiding in one of those old security evaluations."

But Wait...There's More!

Bev Harris, of BlackBoxVoting.ORG pointed out --- in light of the discovery of the previous RABA revelations --- that the newer Hursti report, in fact, revealed two more levels of security flaws not covered by RABA. She describes those two other levels of vulnerability as even more troubling than the warnings in RABA report concerning the ease of replacing election software on the systems.

She explained that both the bootloader (the firmware or "BIOS") and operating system were found to be vulnerable to such an attack as well and described those problems as "bigger" potential exploits.

As well, Harris detailed additional items discovered by her team which went beyond the RABA report. For example, she describes the Hursti finding that no password or authentication is necessary to exploit these security holes and that additional "mechanisms...can be used instead of the PCMCIA card to contaminate the system."

Johns Hopkins e-voting expert and computer scientist Avi Rubin confirmed the similarities discovered earlier by the RABA report and agreed that the Hursti report offers additional details, believed to be previously unknown by experts. As reported by Allen, Rubin wrote after reviewing the section from RABA:

"That's a good catch. Basically, this is what Harri Hursti did. But he gave a lot more detail on it. Also, he showed that you could get a new bootloader, a new OS or a new voting app, and made it sound easier than Raba did. But, now looking at that paragraph you sent, it's clear RABA knew about this.

Diebold Said to be in Violation of Federal Voting System Standards...Again

John Gideon, executive director of the non-profit elections advocacy organization VotersUnite.org (and a frequent contributor to BRAD BLOG) has suggested that these latest Diebold security matters are again in knowing violation of the FEC Voting System Standards (VSS).

In the VSS Volume 1, Section 6.4.1 "Software and Firmware Installation," Gideon points towards the "requirements for installation of software, including hardware with embedded firmware."

That section, as quoted by Gideon in an email to The BRAD BLOG, requires that system firmware must be "shown to be inaccessible to activation or control by any means other than by the authorized initiation and execution of the vote-counting program."

Gideon says that the latest Diebold security hole seems to violate that standard, which must be met in order for electronic voting systems to receive Federal certification.

"Again," wrote Gideon in the email, "it appears to my non-techie eyes that Diebold has violated the voting systems standards and that they were allowed to do this by the ITAs and NASED [two of the federal authorities responsible for testing, federal certification, and oversight to assure compliance with the Voting System Standards]."

A previous security flaw, discovered in December of 2005, also by Hursti and BlackBoxVoting.org, revealed that all Diebold voting machines --- both touch-screen and optical scan systems --- appear to be in violation of yet another VSS guideline which bans, "interpreted code", a certain type of computer code found to be in Diebold machines. That type of code, specifically banned by federal guidelines, was exploited by Hursti in Leon County, Florida to hack a mock-election on a Diebold optical scan system. The attack was a success, completely flipping the election results and leaving no discoverable trace, save for the paper ballots, behind.

At this time, the governing federal authorities, including the Election Assistance Commission (EAC) and the National Association of State Election Directors (NASED) have failed to condemn, censure, reprimand or decertify Diebold in any way --- despite their growing string of recently revealed and knowing violations of federal Voting Systems Standards.

And Once...Even Rightwingers Cared About E-Voting Security

Interestingly, rightwing media outlet NewsMax.com covered many of the concerns about security in Diebold's voting systems in an article in February of 2004 following the release of the RABA report. Though most right-leaning publications have either ignored or ridiculed questions about Electronic Voting Machine security since the 2004 Presidential Election, the NewsMax article from early 2004 touched on many of those concerns.

In regard to the RABA report, NewsMax wrote: "Amazingly, Diebold officials hailed the report as proof that ? if not tampered with ? their election machines should work perfectly."

They also quoted Rubin, who was part of a team at John Hopkins that issued their own report [PDF] on security problems in Diebold systems back in 2003. NewsMax reporter Charles R. Smith quoted several paragraphs from the Hopkins report which are interesting in light of the recent revelations:

"If any party introduces flaws into the voting system software or takes advantage of pre-existing flaws, then the results of the election cannot be assured to accurately reflect the votes legally cast by the voters," noted the Hopkins report.

"It would be far easier for someone to fix an election by modifying the software at Diebold's installation or elsewhere before it is delivered to election offices to install on all the machines," concluded the Johns Hopkins report.

The Other Redacted Report...Was Diebold Warned Even Earlier?

There was at least one other independent security evaluation made of Diebold's touch-screen voting machines in Maryland from around the same period. That report is a "Risk Assessment" commissioned by the state of Maryland from the Science Applications International Corporation (SAIC). It predates the RABA report.

"The Raba report in Maryland findings were similar to the report issued by SAIC," Diebold spokesman David Bear told NewsMax at the time.

However, approximately two-thirds of the full 280-page SAIC report was redacted before it was released to the public [PDF] in September of 2003. Speculation has therefore swirled amongst the Election Reform community of late about whether or not that report also contained information and warnings on the same serious system flaws which went otherwise unannounced and uncorrected in the many months prior to the 2004 Presidential Election, and on up through the recent discoveries.

The BRAD BLOG is, as expected, attempting to obtain a complete, unredacted copy of the SAIC report in order to learn more.

UPDATE 5/20/06: NPR covers story...

UPDATE 5/21/06: NEWSWEEK COVERS STORY!...