The Diebold AccuVote TS Should be Decertified
and what this tells us about the certification process
Copyright © 2003. This work may be transmitted or stored in electronic form on any computer attached to the Internet or World Wide Web so long as this notice is included in the copy. Individuals may make single copies for their own use. All other rights are reserved.
presented at the
USENEX Security Symposium
August 6, 2003
On July 24, 2003, Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin and Dan S. Wallach released a report on their analysis of the security of the Diebold AccuVote direct recording electronic voting system ; This story was covered on the same day by the New York Times .
In response, I immediately called for the decertification of the Diebold AccuVote direct recording electronic voting system. The long version of the story leading up to my call for decertification is available on-line and will be updated as this story develops. . What I present here is a short summary of this story.
In 1996, I-Mark Systems submitted its Electronic Ballot Station, Model 100, to Wyle Laboratories of Huntsville Alabama for testing against the Federal Election Commission's 1990 Voting System Standards . The Wyle Labs report on this system described it as the best voting system software they had ever examined; the embedded software for this system was written in C++ and ran under Windows 95, using a clever seeming smartcard-based system for voter authentication .
In mid 1997, Global Election Systems acquired I-Mark Systems; Global had acquired the AccuVote optical mark-sense system from Unisys in 1991, and one of their first steps after acquiring the Electronic Ballot Station was to rename it the Global AccoTouch EBS voting system. Global submitted this system to the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems on Nov. 6, 1997; this is when I first saw it.
Even before I had reviewed the Wyle report, , certain flaws in the security of this system were evident. The minutes of the Board of Examiners meeting on Nov. 6 include the following:
Dr. Jones also expressed concern about data encryption standards used to guarantee the integrity of the data on the machine. DES requires the use of electronic keys to lock and unlock all critical data. Currently all machines use the same key. Dr. Jones stated that this is a security problem. However, the use of a single key for all machines is not a condition that would disqualify the system under Iowa law. .
A copy of these minutes is routinely provided to the vendor of the system under test, and the Global Election Systems representatives present at that meeting, Robert J. Urosevich (Vice President) and Barry Herron (regional manager) should remember this meeting. It was quite clear in the discussion summarized above that none of the Global representatives at the meeting nor the programmer they connected me to by cellphone understood the phrase key management, and it came out in that conversation that the security keys for the encryption used by the I-Mark software were hard-coded into the voting application software.
I scolded the Global representatives for this, telling them that their system might be OK as a prototype, but that they must adopt proper key management techniques before their system entered widespread use. I told them that, as things stood, their system relied on security through obscurity, so they must take measures to assure that their code remains obscure and that no copy of their code ever leaks out into public. I told them that the moment one of their machines goes to the landfill or is otherwise disposed of, someone might extract their encryption key and all of their security claims would become meaningless.
All voting equipment submitted for examination in Iowa must be submitted with the Independent Testing Authority reports certifying its conformance with the (otherwise voluntary) Federal Voting System Standards. This is how I came to receive a copy of the Wyle report on Dec. 15, 1997 . After reading this report, I was sufficiently alarmed that I wrote the following, on Dec. 23, 1997:
[This] raises another issue that reflects a weakness in both the FEC standards and Iowa law. This weakness has been clearly present in all of the electronic reporting systems we have examined this year! The Wyle report takes it for granted that the use of DES encryption plus CRC error checking provides a sufficient guarantee of accuracy and integrity.
This is not true! First, as the Global representative I talked to informed me, the I-Mark system uses only a single DES key for all voting machines they manufacture. This is comparable to the situation you would expect if all ATM cards issued by some bank had the same PIN! .
Unfortunately, the Elections Division office of the Iowa Secretary of State has no record of whether a copy of this letter was or was not forwarded to Global Election Systems, but I have repeated this story several times since. For example, in May 2001, I appeared before the House Science Committee to testify about problems with the Federal Election Commission Voting System Standards, and I used this example as one illustration. .
In 2001, Diebold purchased Global Election Systems. By this time, Global was selling the descendant of the I-Mark Electronic Ballot Station as the AccuVote TS (touch screen) voting terminal. This system has since become one of the leading direct recording electronic voting systems in use in the United States.
In January, 2003, someone searching the web discovered that Diebold Election Systems was maintaining a public FTP (file-transfer protocol) site on the Internet from which copies of various Diebold voting software could be downloaded. On Feb. 4, 2003, employees of Diebold admitted to Bev Harris that they had used this site to exchange and update unspecified Diebold voting system software. It turned out that this FTP site was not new, it had existed under Global. .
Had the exchange of material on this FTP site been properly encrypted, it would not have threatened Diebold's security through obscurity. Had Diebold taken my advice in 1997, public release of their source code would not have threatened the security of their system.
With the release the paper by Kohno, Stubblefield, Rubin and Wallach on July 24, 2003 , three things became immediately clear: First, they found two unencrypted copies copies of the C++ source code for the AccuVote TS system on the Diebold web site, one dating from around 2000, and one dating from late 2002. The presence of these in plaintext form, from two different years and placed there under two different corporate owners makes it clear that neither Global nor Diebold were successfully using security through obscurity. Furthermore, even the encrypted material on the Diebold FTP site was not well protected; rudimentary password protection of zip archives is not the kind of protection you would expect from anyone serious about security.
Second, neither Global nor Diebold had made any effort to correct the problem I had attempted to explain to them in 1997 and that I had explained to the House Science Committee in early 2001. The encryption key F2654hD4 is present, in plain view, in the source code, confirming both my inference from 1997 and my worst fears about this code. To allow a security flaw of this magnitude to remain uncorrected after being informed of its existence and after the flaw has been described in public exhibits a serious disregard for security! Furthermore, Diebold's July 30, 2003 technical rebuttal of the Hopkins study says they were unable to find my claim of problems in their work [10; allegation #45]; such denial is disingenuous given that Robert Urosevich, now president of Diebold Election Systems, was present when this issue was first raised.
Third, the Diebold AccuVote direct recording electronic voting system relied on security through obscurity far more pervasively than I had imagined when I read the 1997 Wyle Report . Their use of smartcards, it turns out, was not at all clever, but was just as bad as their use of the Federal Data Encryption Standard, ignoring almost everything known about security and key management, and open to attack by outsiders with no access to the source code because keys were transmitted to the card in plaintext form.
Therefore, as soon as I heard about the New York Times news story on the afternoon of July 23, 2003 , I issued an immediate call for the decertification of the Diebold AccuVote TS system. As it turned out, this had no impact in Iowa (none were in use), but this remains important in many other jurisdictions.
My recommendation for the immediate decertification of the Diebold touch screen system does not apply to the AccuVote optical mark-sense system. This system may well incorporate many of the same security flaws as their touch-screen system, but because it uses voter-verified paper ballots, and because the normal procedure is to print a paper copy of the vote totals before making a modem connection from the machine to any remote system, these security flaws are far less significant. Until such time as Diebold corrects these flaws, however, I would recommend against use of the post-election electronic transmission features of these machines, and I would recommend that security for pre-election programming rely entirely on locked doors and a carefully recorded chain of custody.
I want to emphasize that this story represents more than just a black eye for Diebold. As I said in my 1997 letter, it represents a black eye for the entire system of Voting System Standards promulgated by the Federal Election Commission and the National Association of State Election Directors. Not only did the I-Mark/Global/Diebold touch screen system pass all of the tests imposed by this standards process, but it passed them many times, and the source code auditors even gave it exceptionally high marks. Given this, should we trust the security of any of the other direct recording electronic voting systems on the market?
 Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin and Dan S. Wallach, Analysis of an Electronic Voting System, posted to the web July 24, 2003 as http://avirubin.com/vote.pdf.
 John Schwartz, Computer Voting is Open to Easy Fraud, Experts Say, The New York times July 24, 2003, page A12.
 Douglas W. Jones, The Case of the Diebold FTP Site, posted to the web July 21, 2003 (and revised periodically) as http://homepage.cs.uiowa.edu/~dwjones/voting/dieboldftp.html.
 Voting System Standards, Clearinghouse on Election Administration, Federal Election Commission, Washington D.C. 1990.
 Qualification Testing of the I-Mark Electronic Ballot Station, Report No 45450-01, Wyle Laboratories, Huntsville Alabama, Sept. 10, 1996. This report is confidential! The only content of this report disclosed here is material that was discussed in open meetings of the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems.
 Minutes of Examination and Test, Board of Examiners for Voting Machines and Electronic Voting Systems, Elections Division, Office of the Secretary of State, Des Moines, Iowa, Nov. 6. 1997.
 Douglas W. Jones letter to Sandy Steinbach, Elections Division, Office of the Secretary of State, Des Moines, Iowa, Dec. 23. 1997.
 Douglas W. Jones, Problems with Voting Systems and the Applicable Standards, testimony before the House Science Committee, May 22, 2001, posted to the web as http://homepage.cs.uiowa.edu/~dwjones/voting/congress.html.
 Bev Harris, Voting System Integrity Flaw, Scoop, posted to the Feb. 5, 2003 as http://www.scoop.co.nz/mason/stories/HL0302/S00036.htm
 Checks and balances in elections equipment and procedures prevent alleged fraud scenarios, Diebold Election Systems, July 30, 2003, posted to the web as http://www2.diebold.com/checksandbalances.pdf.