Like other computer scientists who have studied Diebold voting machines, we were
surprised at the apparent carelessness of Diebold’s security design. It
can be hard to convey this to nonexperts, because the examples are technical.
To security practitioners, the use of a fixed, unchangeable encryption key and
the blind acceptance of every software update offered on removable storage are
rookie mistakes; but nonexperts have trouble appreciating this. Here is an example
that anybody, expert or not, can appreciate:

The access panel door on a Diebold AccuVote-TS voting machine —
the door that protects the memory card that stores the votes, and is the main
barrier to the injection of a virus — can be opened with a standard key
that is widely available on the Internet.

On Wednesday we did a live demo for our Princeton Computer Science colleagues
of the vote-stealing software described in our paper
and video. Afterward, Chris
Tengi, a technical staff member, asked to look at the key that came with
the voting machine. He noticed an alphanumeric code printed on the key, and
remarked that he had a key at home with the same code on it. The next day he
brought in his key and sure enough it opened the voting machine.

This seemed like a freakish coincidence — until we learned how common
these keys are.

Chris’s key was left over from a previous job, maybe fifteen years ago.
He said the key had opened either a file cabinet or the access panel on an old
VAX computer. A little research revealed that the exact same key is used widely
in office furniture, electronic equipment, jukeboxes, and hotel minibars. It’s
a standard part, and like most standard parts it’s easily purchased on
the Internet. We bought several keys from an office
furniture key shop — they open the voting machine too. We ordered
another key on eBay from a jukebox supply shop. The keys can be purchased from
many online merchants.

Using such a standard key doesn’t provide much security, but
it does allow Diebold to assert that their design uses a lock and key. Experts
will recognize the same problem in Diebold’s use of encryption —
they can say they use encryption, but they use it in a way that neutralizes
its security benefits.

The bad guys don’t care whether you use encryption; they care
whether they can read and modify your data. They don’t care whether your
door has a lock on it; they care whether they can get it open. The checkbox
approach to security works in press releases, but it doesn’t work in the