Earlier this week, Ed Felten and J. Alex Halderman of Princeton University’s Information Technology Policy Department and of the Freedom to Tinker blog revealed how to hack a Diebold ‘AccuVote’ touchscreen voting machine, untraceably falsifying election results with malicious code.
Today, Felten and Halderman really put in the boot.
Diebold maintains that there is a locked cover on the memory card port of the AccuVote TS to prevent tampering.
True. There’s definitely a lock.
However, the lock employed is a common hardware-grade type, used on hotel mini-bars and filing cabinets. Replacement key copies to fit the Diebold can be ordered from office supply stores for about $8 per key, simply by quoting the number stamped on the face of the lock. The Princeton video also showed that a key wasn’t always necessary, as one member of the Princeton team could consistently pick the lock in under 10 seconds anyway.
Ed Felten comments:
Using such a standard key doesn’t provide much security, but it does allow Diebold to assert that their design uses a lock and key. Experts will recognize the same problem in Diebold’s use of encryption — they can say they use encryption, but they use it in a way that neutralizes its security benefits.
The bad guys don’t care whether you use encryption; they care whether they can read and modify your data. They don’t care whether your door has a lock on it; they care whether they can get it open. The checkbox approach to security works in press releases, but it doesn’t work in the field.
Waiting for Diebold’s reply… and for a number of states to ban machines as easily exploitable as this one.
It’s not the people who vote that count… it’s the people who count the votes.
-(allegedly) Joseph Stalin