The Case Against the Diebold AccuVote TS

Why this system must be decertified
and what this tells us about the certification process

Part of the Voting and Elections web pages
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Copyright © 2003. This work may be transmitted or stored in electronic form on any computer attached to the Internet or World Wide Web so long as this notice is included in the copy. Individuals may make single copies for their own use. All other rights are reserved.

presented at the
USACM Workshop on Voter-Verifiable Election Systems
Denver
July 28, 2003

Introduction

On July 24, 2003, Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin and Dan S. Wallach released a report on their analysis of the security of the Diebold AccuVote direct recording electronic voting system [1]; This story was covered on the same day by the New York Times [2].

In response, I immediately called for the decertification of the Diebold AccuVote direct recording electronic voting system. The long version of the story leading up to my call for decertification is available on-line and will be updated as this story develops. [3]. What I present here is a short summary of this story.

Background

In 1996, I-Mark Systems submitted its Electronic Ballot Station, Model 100, to Wyle Laboratories of Huntsville Alabama for testing against the Federal Election Commission's 1990 Voting System Standards [4]. The Wyle Labs report on this system described it as the best voting system software they had ever examined; the embedded software for this system was written in C++ and ran under Windows 95, using a clever seeming smartcard-based system for voter authentication [5].

In mid 1997, Global Election Systems acquired I-Mark Systems; Global had acquired the AccuVote optical mark-sense system from Unisys in 1991, and one of their first steps after acquiring the Electronic Ballot Station was to rename it the Global AccoTouch EBS voting system. Global submitted this system to the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems on Nov. 6, 1997; this is when I first saw it.

All voting equipment submitted for examination in Iowa must be submitted with the Independent Testing Authority reports certifying its conformance with the (otherwise voluntary) Federal Voting System Standards. This is how I came to review the Wyle report [5].

In my review of the Wyle report, I noted that while it praised the security of the I-Mark software and noted that it used the Federally approved Data Encryption Standard, there was no hint in the Wyle report that the software they had examined contained any provisions for key management. I asked about this at the Nov. 6, 1997 meeting, and my worst fears were confirmed. None of the Global representatives at the meeting nor the programmer they connected me to by cellphone understood the phrase key management, and it appeared that the security keys for the encryption used by the I-mark software were hard-coded into the voting application.

I scolded the Global representatives for this, telling them that their system might be OK as a prototype, but that they must adopt proper key management techniques before their system entered widespread use. I told them that, as things stood, their system relied on security through obscurity, so they must take measures to assure that their code remains obscure and that no copy of their code ever leaks out into public. I told them that the moment one of their machines goes to the landfill or is otherwise disposed of, someone might extract their encryption key and all of their security claims would become meaningless.

In May 2001, I appeared before the House Science Committee to testify about problems with the Federal Election Commission Voting System Standards, and I used this example as one illustration. A competent evaluation of the I-Mark source code against even the marginal 1990 FEC standards should not have ignored a security problem of this magnitude [6].

The Diebold and Global FTP Sites

In 2001, Diebold purchased Global Election Systems. By this time, Global was selling the descendant of the I-Mark Electronic Ballot Station as the AccuVote TS (touch screen) voting terminal.

In January, 2003, unnamed whistle-blowers exploring the web using Google discovered that Diebold Election Systems was maintaining a public FTP (file-transfer protocol) site on the Internet from which copies of various Diebold voting software could be downloaded. On Feb. 4, 2003, employees of Diebold admitted to Bev Harris that they had used this site to exchange and update unspecified Diebold voting system software. It turned out that this FTP site was not new, it had existed under Global. [7].

Had the exchange of material on this FTP site been properly encrypted, it would not have threatened Diebold's security through obscurity. Had Diebold taken my advice in 1997, release of their software would not have threatened the security of their system. By this time, the Diebold AccuVote TS system had become one of the 4 leading direct recording electronic voting systems in use in the United States.

Time to Face the Consequences!

With the release the paper by Kohno, Stubblefield, Rubin and Wallach on July 24, 2003 [1], three things became immediately clear: First, they found two unencrypted copies copies of the C++ source code for the AccuVote TS system on the Diebold web site, one dating from around 2000, and one dating from late 2002. The presence of these in plaintext form, from two different years and placed there under two different corporate owners makes it clear that neither Global nor Diebold were successfully using security through obscurity. Furthermore, even the encrypted material on the Diebold FTP site was not well protected; rudimentary password protection of zip archives is not the kind of protection you would expect from anyone serious about security.

Second, neither Global nor Diebold had made any effort to correct the problem I had attempted to explain to them in 1997 and that I had explained to the House Science Committee in early 2001. The encryption key F2654hD4 is present, in plain view, in the source code, confirming both my inference from 1997 and my worst fears about this code. To allow a security flaw of this magnitude to remain uncorrected after being informed of its existence and after the flaw has been described in public exhibits a serious disregard for security!

Third, the Diebold AccuVote direct recording electronic voting system relied on security through obscurity far more pervasively than I had imagined when I read the Wyle Report [5] in 1997. Their use of smartcards, it turns out, was not at all clever, but was just as bad as their use of the Federal Data Encryption Standard, ignoring almost everything known about security and key management, and open to attack by outsiders with no access to the source code because keys were transmitted to the card in plaintext form.

Therefore, as soon as I heard about the New York Times news story on the afternoon of July 23, 2003 [2], I issued an immediate call for the decertification of the Diebold AccuVote TS system. As it turned out, this had no impact in Iowa (none were in use), but this is important in many other jurisdictions.

I want to emphasize that my recommendation for the immediate decertification of the Diebold touch screen system does not apply to the AccuVote optical mark-sense system. This system may well incorporate many of the same security flaws as their touch-screen system, but because it uses voter-verified paper ballots, and because the normal procedure is to print a paper copy of the vote totals before making a modem connection from the machine to any remote system, these security flaws are far less significant. Until such time as Diebold corrects these flaws, however, I would recommend against use of the post-election electronic transmission features of these machines, and I would recommend that security for pre-election programming rely entirely on locked doors and a carefully recorded chain of custody.

Finally, I want to emphasize that this story represents more than just a black eye for Diebold. It represents a black eye for the entire system of Voting System Standards promulgated by the Federal Election Commission and the National Association of State Election Directors. Not only did the I-Mark/Global/Diebold touch screen system pass all of the tests imposed by this standards process, but it passed them many times, and the source code auditors even gave it exceptionally high marks. Given this, should we trust the security of any of the other direct recording electronic voting systems on the market?

References

[1] Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin and Dan S. Wallach, Analysis of an Electronic Voting System, posted to the web July 24, 2003 as http://avirubin.com/vote.pdf.

[2] John Schwartz, Computer Voting is Open to Easy Fraud, Experts Say, The New York times July 24, 2003, page A12.

[3] Douglas W. Jones, The Case of the Diebold FTP Site, posted to the web July 21, 2003 (and revised periodically) as http://www.cs.uiowa.edu/~jones/voting/dieboldftp.html.

[4] Voting System Standards, Clearinghouse on Election Administration, Federal Election Commission, Washington D.C. 1990.

[5] Qualification Testing of the I-Mark Electronic Ballot Station, Report No 45450-01, Wyle Laboratories, Huntsville Alabama, Sept. 10, 1996. This report is confidential! The only content of this report disclosed here is material that was discussed in open meetings of the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems.

[6] Douglas W. Jones, Problems with Voting Systems and the Applicable Standards, testimony before the House Science Committee, May 22, 2001, posted to the web as http://www.cs.uiowa.edu/~jones/voting/congress.html.

[7] Bev Harris, Voting System Integrity Flaw, Scoop, posted to the Feb. 5, 2003 as http://www.scoop.co.nz/mason/stories/HL0302/S00036.htm