A Technical Report published by BlackBoxVoting.org (4 Jul 2005) details
multiple critical security vulnerabilities in the Diebold Optical Scan
voting equipment that was used to tally approximately 25 million votes in
the 2004 US election.
Full technical report: http://www.blackboxvoting.org/BBVreport.pdf
Harri Hursti, an independent security consultant - with the consent of
election officials in Leon County, Florida - was able to take full control
of the Diebold optical scan device and manipulate vote totals and audit
reports at will.
The Diebold Precinct-Based Optical Scan 1.94w device accommodates a
removable memory card. It had been believed that this card contained only
the electronic "ballot box", the ballot design and the race definitions;
astonishingly enough, the memory card also contains executable code
essential to the operation of the optical scan system. The presence of
executable code on the memory card is not mentioned in the official product
documentation. This architecture permits multiple methods for unauthorized
code to be downloaded to the memory cards, and is wide open to exploitation
by malicious insiders.
The individual cards are programmed by the Diebold GEMS central tabulator
device via a RS-232 serial port connection or via modem over the public
phone network. There are no checksum mechanisms to detect or prevent
tampering with the executable code, and worse yet, there are credible
exploits which could compromise both the checksum and executable. The
report notes that this appears to be in violation of Chapter 5 of the 1990
Federal Election Commission Standards for election equipment, and therefore
should never have been certified for use.
The executable code is written in a proprietary language, Accu-Basic.
Accu-Basic programs are first compiled into ASCII pseudocode, which is then
executed by an interpreter residing in the optical scan device. Hursti
located an inexpensive device capable of reading and updating the memory
cards advertised on the Internet, and using a publicly-available version of
the Accu-Basic compiler (found on the Internet, along with Diebold source
code and other documents, by Bev Harris in 2003) was able to exploit these
vulnerabilities - and publicly demonstrated the ability to modify vote
totals and audit reports at will.
According to the report:
"Exploits available with this design include, but are not limited to:
"1) Paper trail falsification - Ability to modify the election results
reports so that they do not match the actual vote data
"1.1) Production of false optical scan reports to facilitate checks and
balances (matching the optical scan report to the central tabulator
report), in order to conceal attacks like redistribution of the votes or
Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)
"1.2) An ingenious exploit presents itself, for a single memory card to
mimic votes from many precincts at once while transmitting votes to the
central tabulator. The paper trail falsification methods in this report
will hide evidence of out-of-place information from the optical scan report
if that attack is used.
"2) Removal of information about pre-loaded votes
"2.1) Ability to hide pre-loaded votes
"2.2) Ability to hide a pre-arranged integer overflow
"3) Ability to program conditional behavior based on time/date, number
votes counted, and many other hidden triggers.
"According to public statements by elections officials(20), the paper
produced by the precinct optical scan has been placed into the role of a
vital safeguard mechanism. The paper report from the optical scan machine
is the key record used to confirm the integrity of the central tabulator
record. The exploits demonstrated in the false optical scan machine reports
("poll tapes") shown on page 16 do not change the votes, only the
the votes. When combined with the Trojan horse attack demonstrated by Dr.
Thompson, this attack vector maintains an illusion of integrity by
producing false reports to match the contaminated central tabulator report.
"The [second] exploit demonstrated in the poll tape with a true report
containing false votes, shown on page 18, changes the votes but not the
report. This example pre-stuffs the ballot box in such a way as to produce
an integer overflow. In this exploit, a small number of votes is loaded for
one candidate, offset by a large number of votes for the opposing candidate
such that the sum of the numbers, because of the overflow, will be zero.
The large number is designed to trigger an integer overflow such that after
a certain number of votes is received it will flip the vote counter over to
begin counting from zero for that candidate... combining the false report
method (demonstrated on page 16) with the pre-arranged integer overflow
(demonstrated on 18) seems to be an especially efficient exploit because it
is a one-step process that takes out both the actual process and its
safeguard at the same time, while surviving scrutiny of almost anything
short of a full manual recount."
Reportedly, at least 500 jurisdictions used the vulnerable optical scan system
in 2004; for example, the Diebold Precinct-Based Optical Scan 1.94w system counted
approximately 2.5 million votes in 30 counties, or about one-third of all the
votes in Florida, and nationwide, approximately 25 million votes (http://www.freddevan.com/blog/archives/00006724.html).
Although the exploits described in the report could be uncovered if a full
hand recount was performed, in practice, detection is unlikely. Most
jurisdictions limit the time frame for contesting an election. For
numerous reasons, both candidates and election administrators are reluctant
to question the official tally, while hand recounts are expensive - with
costs borne by the contesting party. Few elections tallied by optical scan
equipment are ever fully recounted, and automatic recounts legally
triggered by a narrow margin of victory will, of course, fail to detect
large-scale manipulation that shifts results outside the recount threshold.
Finally, there are classic problems with paper ballot chain of custody; the
more time passes, and the further a paper artifact travels from its point
of origin, the more vulnerable it is to tampering.
Therefore, the mere presence of a paper trail will not deter or detect
electronic vote manipulation by malicious insiders unless the
voter-verified paper ballot or optical scan ballot is actually randomly
audited - preferably, in-precinct, on election night . Yet the cost and
time required by a truly effective and random audit protocol undermines the
case for electronically-assisted vote tallying. Therefore some analysts
now recommend US implementation of the Canadian system - hand-counting of
paper ballots in-precinct on Election Night, with accommodation for the
visually-impaired - as the best countermeasure to systematic electronic
Based on my experience in the financial services industry, discovery of
multiple security vulnerabilities of this severity in equipment in use by
any bank or brokerage house would trigger an immediate shutdown of all the
affected systems, followed by a full internal and external audit, and, in
all likelihood, formal investigation by regulatory and law enforcement
agencies. We should accept no less from the election services industry.
The affected Diebold optical scan equipment should be immediately withdrawn
from use in any election until independent recertification is achieved, or
a secure alternative is obtained. All other election equipment -
manufactured by Diebold or by other vendors - should be examined, and if
subject to the same vulnerability, should also be withdrawn. An
investigation to determine how equipment with such serious vulnerabilities
to insider manipulation could ever have been certified should also be
launched, and certification and oversight procedures enhanced.
Good people died to gain and defend our right to vote. Election
administration must not be exempt from industry best practices for
security, audit and control.
Bruce O'Dell, Partner, Digital Agility Incorporated www.digitalagility.com
Member, ACM SIGSOFT, SIGMETRICS, SIGART email@example.com