A Technical Report published by BlackBoxVoting.org (4 Jul 2005) details
multiple critical security vulnerabilities in the Diebold Optical Scan
voting equipment that was used to tally approximately 25 million votes in
the 2004 US election.
Full technical report: http://www.blackboxvoting.org/BBVreport.pdf
Harri Hursti, an independent security consultant - with the consent of
election officials in Leon County, Florida - was able to take full control
of the Diebold optical scan device and manipulate vote totals and audit
reports at will.
The Diebold Precinct-Based Optical Scan 1.94w device accommodates a
removable memory card. It had been believed that this card contained only
the electronic "ballot box", the ballot design and the race definitions;
astonishingly enough, the memory card also contains executable code
essential to the operation of the optical scan system. The presence of
executable code on the memory card is not mentioned in the official product
documentation. This architecture permits multiple methods for unauthorized
code to be downloaded to the memory cards, and is wide open to exploitation
by malicious insiders.
The individual cards are programmed by the Diebold GEMS central tabulator
device via a RS-232 serial port connection or via modem over the public
phone network. There are no checksum mechanisms to detect or prevent
tampering with the executable code, and worse yet, there are credible
exploits which could compromise both the checksum and executable. The
report notes that this appears to be in violation of Chapter 5 of the 1990
Federal Election Commission Standards for election equipment, and therefore
should never have been certified for use.
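To make the integrity gap described above concrete, here is an added example (not code from the report, Diebold, or the device): a constructed toy card layout is sealed first with a plain CRC32, which anyone who can write the card can recompute, and then with an HMAC under a key that lives only in device firmware. The layout, field names and key are assumptions.

```python
import hashlib
import hmac
import zlib

# Constructed toy card image: a data region (ballot box / race definitions),
# a NUL separator, an executable region (the interpreted report program), and
# a fixed-length integrity field at the end. Not the real card format.
SEP = b"\x00"
DATA = b"RACE=President;CAND=A;CAND=B;COUNTS=0,0"
CODE = b"PRINT TOTALS FOR EACH CANDIDATE"
DEVICE_KEY = b"constructed-key-held-in-firmware-never-written-to-card"

def seal_crc(data: bytes, code: bytes) -> bytes:
    """Card whose only protection is a CRC32, which needs no secret to recompute."""
    body = data + SEP + code
    return body + zlib.crc32(body).to_bytes(4, "big")

def check_crc(card: bytes) -> bool:
    body, crc = card[:-4], card[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == crc

def seal_mac(data: bytes, code: bytes, key: bytes) -> bytes:
    """Card sealed with HMAC-SHA256 under a key the card writer does not hold."""
    body = data + SEP + code
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check_mac(card: bytes, key: bytes) -> bool:
    body, tag = card[:-32], card[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)

def with_replaced_code(card: bytes, new_code: bytes, field_len: int) -> bytes:
    """Model a card writer swapping the executable region, integrity field untouched."""
    data, _ = card[:-field_len].split(SEP, 1)
    return data + SEP + new_code + card[-field_len:]

def crc_after_code_swap(recompute: bool) -> bool:
    """CRC check result after a code swap. A raw swap fails, but a writer that
    recomputes the CRC passes, so a CRC is not an integrity control."""
    swapped = with_replaced_code(seal_crc(DATA, CODE), b"PRINT MISREPORT", 4)
    if recompute:
        body = swapped[:-4]
        swapped = body + zlib.crc32(body).to_bytes(4, "big")
    return check_crc(swapped)

def mac_after_code_swap() -> bool:
    """Without DEVICE_KEY the swapped card cannot be resealed; the check fails."""
    swapped = with_replaced_code(seal_mac(DATA, CODE, DEVICE_KEY), b"PRINT MISREPORT", 32)
    return check_mac(swapped, DEVICE_KEY)
```

A symmetric key in firmware is itself a secret an insider with hardware access may extract; a digital signature with the private key held by the election authority and only the public key in the device is the stronger form of the same check.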
The executable code is written in a proprietary language, Accu-Basic.
Accu-Basic programs are first compiled into ASCII pseudocode, which is then
executed by an interpreter residing in the optical scan device. Hursti
located an inexpensive device capable of reading and updating the memory
cards advertised on the Internet, and using a publicly-available version of
the Accu-Basic compiler (found on the Internet, along with Diebold source
code and other documents, by Bev Harris in 2003) was able to exploit these
vulnerabilities - and publicly demonstrated the ability to modify vote
totals and audit reports at will.
According to the report:
"Exploits available with this design include, but are not limited to:
"1) Paper trail falsification - Ability to modify the election results
reports so that they do not match the actual vote data
"1.1) Production of false optical scan reports to facilitate checks and
balances (matching the optical scan report to the central tabulator
report), in order to conceal attacks like redistribution of the votes or
Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)
"1.2) An ingenious exploit presents itself, for a single memory card to
mimic votes from many precincts at once while transmitting votes to the
central tabulator. The paper trail falsification methods in this report
will hide evidence of out-of-place information from the optical scan report
if that attack is used.
"2) Removal of information about pre-loaded votes
"2.1) Ability to hide pre-loaded votes
"2.2) Ability to hide a pre-arranged integer overflow
"3) Ability to program conditional behavior based on time/date, number
votes counted, and many other hidden triggers.
"According to public statements by elections officials(20), the paper
produced by the precinct optical scan has been placed into the role of a
vital safeguard mechanism. The paper report from the optical scan machine
is the key record used to confirm the integrity of the central tabulator
record. The exploits demonstrated in the false optical scan machine reports
("poll tapes") shown on page 16 do not change the votes, only the report of
the votes. When combined with the Trojan horse attack demonstrated by Dr.
Thompson, this attack vector maintains an illusion of integrity by
producing false reports to match the contaminated central tabulator report.
"The [second] exploit demonstrated in the poll tape with a true report
containing false votes, shown on page 18, changes the votes but not the
report. This example pre-stuffs the ballot box in such a way as to produce
an integer overflow. In this exploit, a small number of votes is loaded for
one candidate, offset by a large number of votes for the opposing candidate
such that the sum of the numbers, because of the overflow, will be zero.
The large number is designed to trigger an integer overflow such that after
a certain number of votes is received it will flip the vote counter over to
begin counting from zero for that candidate... combining the false report
method (demonstrated on page 16) with the pre-arranged integer overflow
(demonstrated on 18) seems to be an especially efficient exploit because it
is a one-step process that takes out both the actual process and its
safeguard at the same time, while surviving scrutiny of almost anything
short of a full manual recount."
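The pre-arranged overflow quoted above, worked through as an added example (not code from the report): a 16-bit wrapping counter is assumed for illustration, and the candidate names and vote numbers are constructed. It shows why the zero-tape total and the ballot total both stay consistent while the tally shifts, and which checks (a per-counter zero reading, halting on a wrapped counter, a hand count) expose it.

```python
# Model of the pre-arranged integer overflow the report describes, on a 16-bit
# wrapping counter (an illustrative assumption; the report does not state the
# counter width). Candidate names and vote numbers are constructed.
MASK = 0xFFFF

def wrap(v: int) -> int:
    """Arithmetic as a 16-bit register does it: results wrap modulo 2**16."""
    return v & MASK

def preload(k: int) -> dict:
    """Pre-stuff +k votes for A and the 16-bit negation of k for B, so the
    wrapped sum of the two counters is zero."""
    return {"A": wrap(k), "B": wrap(-k)}

def zero_tape_total(counters: dict) -> int:
    """The naive pre-election 'zero tape' figure: the wrapped sum of all counters."""
    return wrap(sum(counters.values()))

def per_counter_zero_check(counters: dict) -> bool:
    """Stronger check: every counter must individually read zero. It must be run by
    code that is not stored on the card, since the card's own report program can lie."""
    return all(v == 0 for v in counters.values())

def cast(counters: dict, candidate: str, n: int) -> tuple:
    """Add n votes; returns (new_counters, wrapped). A wrapped counter should halt
    tallying and raise an alarm, never silently continue from zero."""
    out = dict(counters)
    before = out[candidate]
    out[candidate] = wrap(before + n)
    return out, out[candidate] < before

def run_rigged_election(k: int, a_votes: int, b_votes: int) -> dict:
    """Tally a_votes and b_votes onto a card pre-stuffed with preload(k) and report
    what an auditor would see: the tally, whether any counter wrapped, the net
    shift toward A versus the true count, and whether the total still adds up."""
    counters = preload(k)
    counters, wrapped_a = cast(counters, "A", a_votes)
    counters, wrapped_b = cast(counters, "B", b_votes)
    return {
        "tally": counters,
        "wrapped": wrapped_a or wrapped_b,
        "shift_to_A": counters["A"] - a_votes,
        "total_conserved": sum(counters.values()) == a_votes + b_votes,
    }
```

With k = 5000 and a true result of 7000 for A and 8000 for B, the card reads 12000 to 3000: the total of 15000 still matches ballots cast, so only a per-counter zero check before voting, a wrap alarm during tallying, or a manual recount reveals the 5000-vote shift.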
Reportedly, at least 500 jurisdictions used the vulnerable optical scan system
in 2004; for example, the Diebold Precinct-Based Optical Scan 1.94w system counted
approximately 2.5 million votes in 30 counties, or about one-third of all the
votes in Florida, and nationwide, approximately 25 million votes (http://www.freddevan.com/blog/archives/00006724.html).
Although the exploits described in the report could be uncovered if a full
hand recount was performed, in practice, detection is unlikely. Most
jurisdictions limit the time frame for contesting an election. For
numerous reasons, both candidates and election administrators are reluctant
to question the official tally, while hand recounts are expensive - with
costs borne by the contesting party. Few elections tallied by optical scan
equipment are ever fully recounted, and automatic recounts legally
triggered by a narrow margin of victory will, of course, fail to detect
large-scale manipulation that shifts results outside the recount threshold.
Finally, there are classic problems with paper ballot chain of custody; the
more time passes, and the further a paper artifact travels from its point
of origin, the more vulnerable it is to tampering.
Therefore, the mere presence of a paper trail will not deter or detect
electronic vote manipulation by malicious insiders unless the
voter-verified paper ballot or optical scan ballot is actually randomly
audited - preferably, in-precinct, on election night. Yet the cost and
time required by a truly effective and random audit protocol undermines the
case for electronically-assisted vote tallying. Therefore some analysts
now recommend US implementation of the Canadian system - hand-counting of
paper ballots in-precinct on Election Night, with accommodation for the
visually-impaired - as the best countermeasure to systematic electronic
Based on my experience in the financial services industry, discovery of
multiple security vulnerabilities of this severity in equipment in use by
any bank or brokerage house would trigger an immediate shutdown of all the
affected systems, followed by a full internal and external audit, and, in
all likelihood, formal investigation by regulatory and law enforcement
agencies. We should accept no less from the election services industry.
The affected Diebold optical scan equipment should be immediately withdrawn
from use in any election until independent recertification is achieved, or
a secure alternative is obtained. All other election equipment -
manufactured by Diebold or by other vendors - should be examined, and if
subject to the same vulnerability, should also be withdrawn. An
investigation to determine how equipment with such serious vulnerabilities
to insider manipulation could ever have been certified should also be
launched, and certification and oversight procedures enhanced.
Good people died to gain and defend our right to vote. Election
administration must not be exempt from industry best practices for
security, audit and control.
Bruce O'Dell, Partner, Digital Agility Incorporated www.digitalagility.com
Member, ACM SIGSOFT, SIGMETRICS, SIGART