VOTING INTEGRITY - LOOKING GLASS NEWS

Why do Diebold's Touch-Screen Voting Machines Have Built-In Wireless Infrared Data Transfer Ports?

by Brad, The BRAD BLOG
Entered into the database on Wednesday, February 22nd, 2006 @ 19:28:57 MST

IrDA Protocol Can 'Totally Compromise System' Without Detection, Warns
Federal Voting Standards Website

So far, no state or federal authority -- to our knowledge -- has dealt with
this alarming security threat

We hate to pile on... (Or do we?) But, really, with all the recent
discussion of California Sec. of State Bruce McPherson's mind-blowing about-face
re-certification of Diebold -- against state law, we hasten to add -- this may
be a good time to point out one small item that we've been meaning to mention
for a while.

As Jody Holder's
recent comment points out, McPherson's silly "conditions" for
re-certification of Diebold in California require a few much-less-than-adequate
knee-jerk "safe guards" towards protection of the handling of the
hackable memory cards in Diebold's voting machines. (Here's McP's full "Certificate
of Conditional Certification").

Never mind, as Holder mentions, that the protective seals to be required are
easily peeled away without tearing. Or that such voting machines have been stored
in poll workers' houses for weeks leading up to an election. More to the point,
for the moment, there are ways to manipulate the information on those memory
cards even without removing them or breaking the seals. This is more of a concern
than ever, since it was recently proven, by the now-infamous Harri
Hursti hack in Leon County, FL, that changing the information on the memory
cards can force election results to be flipped...without a trace being left
behind.

On that note, here's the little item we've been meaning to point out. It's
a photograph from the side of a Diebold AccuVote TSx touch-screen voting machine:

Now we have no idea what that "IrDA" port is meant to be used for with
a touch-screen voting machine, but we do know that an IrDA (Infrared Data Association)
port is an Infrared port used for wireless connection between two devices. We used
to have one on the back of our notebook and desktop computers which we used to
keep the two systems synched up via wireless data transfers over that Infrared
port.

A few election watchdog groups, including some members of the National Institute
of Standards and Technology (NIST), which works with the federal authorities on
these matters, have issued warnings about the IrDA port and protocols on voting
machines. However, little -- if anything -- seems to have been done to mitigate
the rather obvious security threat posed, as far as we can tell.

Here's how a
page at Microsoft.com, last updated December 4, 2001, explains cable-free
Infrared data transfer on the Microsoft Windows CE operating system (the operating
system which happens to be used in Diebold's AccuVote touch-screen voting machines
-- like the one pictured above)...

    Imagine the following scenario: Two notebook computers are placed beside
    each other. A computer icon appears on both desktops with the name of the
    peer computer below it. Open one of the icons to display a folder with the
    contents of the peer computer's desktop. Drag-and-drop between your desktop
    and the open folder to move files between the two computers.

    Imagine that the only configuration that this application required to
    be installed or used was the ability for the user to enable or disable it.
    Imagine that multiple such applications could be running at the same time
    without interfering with each other.

    Imagine that this application could run on 23 million existing notebook
    computers at a transfer speed of 115Kbps, and on 14 million existing notebook
    computers at 4MBps. Imagine that all applications, regardless of the speed
    of the underlying hardware, would work with all other applications at a
    common fastest speed.

    Imagine that the other notebook computer in this example was a digital
    still camera, a handheld personal computer, a data capture device or a device
    that supports electronic commerce.

    As a bonus, assume that the two computers do not need to be cabled together.

    This application is currently possible under Microsoft® Windows®
    CE and the Windows family of operating systems. The underlying technology
    is based on inexpensive, widely available short-range infrared transceivers
    that adhere to the Infrared Data Association (IrDA) standards. IrDA standards
    (available from the IrDA at http://www.irda.org) also enable non-Windows
    devices to talk to Windows-based applications.

There ya go.

The issue of the IrDA port on touch-screen voting machines hasn't been much
discussed as far as we can tell. VotersUnite.org issued an
alert mentioning it, with a photograph (seen at right), back on October
26, 2004. The alert warned:

    3) A dangerous port on the Diebold touch screen!!

    This from TrueVoteMD: Diebold AccuVote TS electronic voting machines have
    an infrared (IrDA) port installed. This is a remote communication port through
    which another remote device could communicate with the touch screen and
    change either its data or its software or both.

    If your county uses Diebold touch screens, let your county officials and
    election judges know that it is crucial to cover the IR port with opaque
    tape.

The National Institute for Standards and Technology (NIST) -- which works with
the federal Election Assistance Commission (EAC) to develop and recommend guidelines
for electronic voting machines -- issued a similar
warning [PDF] about the Infrared ports on voting machines in a report which
warned "The use of short range optical wireless," like infrared, "particularly
on Election Day should not be allowed."

As mentioned, since touch-screen machines have been stored at poll workers'
houses and other unsecured locations prior to Election Day, and since data can
be transferred to the machines and their memory cards via Infrared -- even without
removing the cards or breaking their protective seals -- the IrDA ports would
seem to be a tremendous concern.

The NIST report discusses such concerns and some of the troubling security
issues with IrDA protocols:

    How Secure is IrDA

    IrDA does not provide encryption at the Physical Layer, and depends on the
    end systems to implement security if any. With optical, it is possible for a
    session to be ‘hijacked’ unless strong authentication measures are implemented
    between communicating systems. When a session is hijacked, a foreign device
    masquerades as a trusted system that is authorized to exchange data. Because
    the system has no way to distinguish the masquerader from the authorized
    system, it will accept anything from it as if [sic] was authorized.

The undated report -- from the EAC's own standards body, NIST -- then goes
on to describe how simple and readily available IrDA software drivers are to
obtain for use with UNIX and most Windows Operating Systems, including Windows
CE. As well, it points out that such software could add executable code to the
machines on, or prior to, Election Day and could then delete itself after the
code has completed its main purpose [emphasis ours]:

    IrDA Software

    IrDA software drivers are available form [sic] a number of sources for use
    with UNIX, Windows and other Operating Systems (OS). Most versions of MS Windows
    come with support for IrDA already included. This is true of the MS Windows
    CE operating system as well as Windows XP. Microsoft also provides a free
    IrDA driver which can be downloaded from it web site. Other suppliers of IrDA
    systems (e.g., Ericsson) offer their own drivers including source code (Texas
    Inurnments [sic]).

    With the source code available, an interrupt handler (executable code) could
    easily be added. For example, when the voting terminal receives a special
    bit configuration (caused by holding down multiple keys concurrently) that
    is outside the usually accepted range, a special interrupt could be generated
    invoking a handler that could be programmed to perform any desired function.
    This would require a small amount of code and could easily be hidden; such
    code would be difficult to discover.

    If such code was installed in the driver, which is considered to be Commercial-Off-The-Shelf
    (COTS) [even if compiled and installed by the voting system manufacturer]
    it would not be examined by the ITAs [the federal Independent Testing Authorities].

    Code in such a handler could be designed to place the voting terminal
    in a mode where it downloads and install [sic] an executable module, thus
    allowing unapproved logic to be added to the voting machine while in use on
    Election Day. Obviously this executable could perform any function the programmer
    desired including deleting itself when finished. The only recourse is to disallow
    communications with the voting terminal during use. It might be augured [sic]
    that such code could be added the day before Election Day.

Obviously, that last paragraph is very troubling. But also note the section
about COTS. The source code for that "Commercial-Off-The-Shelf" software is what
Diebold recently argued that they couldn't provide to North Carolina after they
changed their law to require all voting machine vendors to submit such code
in order to receive state certification. Diebold went
to state court arguing they shouldn't be forced to supply the source code
for COTS software. Eventually, they lost that battle, and notified North Carolina
they preferred to pull out of the state entirely (if the state wouldn't change
the law for them) rather than complying with the state law requiring the submission
of all such source code.

And another comment
posted to NIST's voting website [PDF] by James C. Johnson on October 5,
2005, also discusses the concern, revealing that the IrDA protocols
could be used at any time, even after final "Logic and Accuracy" tests
have been performed, and thus "totally compromising the system":

    In Diebold System's AccuVote TS systems these [IrDA] ports are supported
    using Microsoft's Windows CE with Winsock. This makes the application interface
    easy to program to, and all required drivers are already installed in the
    OS.

    It is interesting that the VVSG [Voluntary Voting System Guidelines] currently
    under development, while mentioning this technology does nothing to restrict
    or prevent its use, not even on Election Day.

    It is understandable that communications technology be used for pre election
    preparation, but is totally irresponsible and inexcusable to allow it to be
    used during an election. The presence of this technology makes it possible
    to upload to the voting system anything that is desired after the final "Logic
    and Accuracy" test have been performed, thus totally compromising the
    system.

Perhaps some of you have additional thoughts on this matter. Like why such
a port would be needed, or even present, on a touch-screen voting machine at
all. And why the existence of such a port -- to our knowledge -- has hardly
been discussed at all in conjunction with these machines. Especially in light
of the now-infamous Leon County, FL "hack
test" proving that executable code can be added to Diebold's memory
cards resulting in a completely flipped election...as we've said...without a
trace being left behind.
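
The NIST passage quoted above says that without "strong authentication measures" between the communicating systems, a receiver "will accept anything" from a masquerading device. The following Python is an added example, not code from this article, NIST or Diebold: it contrasts an endpoint that accepts any payload with one that requires an HMAC over a fresh challenge. Every class and function name is hypothetical, the key and payload are constructed samples, and the code models a generic data link rather than the IrDA stack.

```python
import hashlib
import hmac
import secrets

# Added illustration: all names are hypothetical; this models a generic
# data link, not the IrDA protocol stack or any voting-system code.


def sign(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Tag that a peer holding the shared key computes for one challenge."""
    return hmac.new(key, nonce + payload, hashlib.sha256).digest()


class OpenEndpoint:
    """No peer authentication: whatever arrives on the link is accepted."""

    def receive(self, payload: bytes) -> bool:
        return True


class AuthenticatedEndpoint:
    """Accepts a payload only with a valid HMAC over a fresh challenge."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh for every transfer
        return self._nonce

    def receive(self, payload: bytes, tag: bytes) -> bool:
        if self._nonce is None:
            return False  # no challenge outstanding
        nonce, self._nonce = self._nonce, None  # each nonce is single-use
        return hmac.compare_digest(sign(self._key, nonce, payload), tag)


def run_demo() -> dict:
    key = secrets.token_bytes(32)          # constructed sample key
    payload = b"constructed sample payload"
    ep = AuthenticatedEndpoint(key)
    good_tag = sign(key, ep.challenge(), payload)
    results = {"open_endpoint": OpenEndpoint().receive(payload)}
    results["authorized_peer"] = ep.receive(payload, good_tag)
    ep.challenge()                         # new transfer, new nonce
    results["replayed_tag"] = ep.receive(payload, good_tag)
    forged = sign(secrets.token_bytes(32), ep.challenge(), payload)
    results["masquerader"] = ep.receive(payload, forged)  # wrong key
    return results
```

The open endpoint accepts the payload from anyone, while the authenticated one accepts only the peer holding the key and rejects both a replayed tag and a tag made with a different key.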