Bev Harris is a groundbreaking investigative journalist who raised one of the first alarms on the dangers and lack of security of e-voting systems. She is the author of "Black Box Voting: Ballot Tampering In The 21st Century" and her continuing work can be explored further at her website http://www.blackboxvoting.com [1].
Blackboxvoting.org Investigators / Tallahassee, FL
Go to original. [2]
SEE TECHNICAL REPORT HERE [3]
"Are we having fun yet?"
This is the message that appeared in the window of a county optical scan machine, startling Leon County Information Systems Officer Thomas James. Visibly shaken, he immediately turned the machine off. Diebold's opti-scan (paper ballot) voting system uses a curious memory card design that lets a lone programmer penetrate the system in a way that standard canvassing procedures cannot detect.
The Diebold optical scan system was used in about 800 jurisdictions in 2004. Among them were several hotbeds of controversy: Volusia County (FL); King County (WA); and the New Hampshire primary election, where machine results differed markedly from hand-counted localities.
New regs: Counting paper ballots forbidden
Most states prohibit elections officials from checking on optical scan tallies by examining the paper ballots. In Washington, Secretary of State Sam Reed declared such spontaneous checkups to be "unauthorized recounts" and prohibited them altogether. New Florida regulations will forbid counting paper ballots, even in recounts, except in highly unusual circumstances. Without paper ballot hand-counts, the hacks demonstrated below show that optical-scan elections can be destroyed in seconds.
A little man living in every ballot box
The Diebold optical scan system uses a dangerous programming methodology, with an executable program living inside the electronic ballot box. This method is the equivalent of having a little man living in the ballot box, holding an eraser and a pencil. With an executable program in the memory card, no Diebold opti-scan ballot box can be considered "empty" at the start of the election.
The Black Box Voting team proved that the Diebold optical scan program, housed on a chip inside the voting machine, places a call to a program living in the removable memory card during the election. The demonstration also showed that the executable program on the memory card (ballot box) can easily be changed, and that checks and balances, required by FEC standards to catch unauthorized changes, were not implemented by Diebold -- yet the system was certified anyway.
The Diebold system in Leon County, Florida succumbed to multiple attacks.
Ion Sancho: Truth and Excellence in Elections
Leon County Elections Supervisor Ion Sancho and Information Systems Officer Thomas James had already implemented security procedures in Leon County far exceeding the norm in elections management. This testing, done by a team of researchers including Black Box Voting, independent filmmakers, security expert Dr. Herbert Thompson, and special consultant Harri Hursti, was authorized by Mr. Sancho, in an unusual act of openness and courage, to identify any remaining holes in Leon County's election security.
The results of the memory card hack demonstration will assist elections supervisors throughout the U.S., by emphasizing the critical importance of accounting for each and every memory card and protecting access.
Findings:
Computer expert Harri Hursti gained control over Leon County memory cards, which handle the vote-reporting from the precincts. Dr. Herbert Thompson, a security expert, took control of the Leon County central tabulator by implanting a trojan horse-like script.
Two programmers can become a lone programmer, says Hursti, who has figured out a way to control the entire central tabulator by way of a single memory card swap, and also how to make tampered polling place tapes match tampered central tabulator results. This more complex approach is untested, but based on testing performed May 26, Hursti says he has absolutely no reason to believe it wouldn't work.
Three memory card tests demonstrated successful manipulation of election results, and showed that 1990 and 2002 FEC-required safeguards are being violated in the Diebold version 1.94 opti-scan system.
Three memory card hacks
1. An altered memory card (electronic ballot box) was substituted for a real one. The optical scan machine performed seamlessly, issuing a report that looked like the real thing. No checksum captured the change in the executable program Diebold designed into the memory card.
2. A second altered memory card was demonstrated, using a program that was shorter than the original. It still worked, showing that there is also no check for the number of bytes in the program.
3. A third altered memory card was demonstrated with the votes themselves changed, showing that the data block (votes) can be altered without triggering any error message.
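The three tests have one cause in common: nothing authenticates what is on the card. The check below is an added example, not Diebold's code or the researchers' tooling. It assumes a hypothetical card layout (a program region plus a counter block) and a key held by the elections office, never stored on the card, and it seals each region with a keyed, length-bound tag when the card is prepared so that each of the three alterations is flagged when the card is loaded before polls open.

```python
import hashlib
import hmac
import struct

def region_tag(key, label, data):
    """HMAC-SHA256 over a label, the region length and the region bytes.
    Binding the length means a shorter program cannot reuse the old tag."""
    message = label + struct.pack(">I", len(data)) + data
    return hmac.new(key, message, hashlib.sha256).digest()

def seal_card(key, program, counters):
    """Record made when the card is prepared; stored off the card."""
    return {
        "program_len": len(program),
        "program_tag": region_tag(key, b"program", program),
        "counters_tag": region_tag(key, b"counters", counters),
    }

def verify_card(key, program, counters, seal):
    """Return a list of findings; an empty list means the card matches its seal."""
    findings = []
    if len(program) != seal["program_len"]:
        findings.append("program length changed")
    if not hmac.compare_digest(region_tag(key, b"program", program),
                               seal["program_tag"]):
        findings.append("program bytes changed")
    if not hmac.compare_digest(region_tag(key, b"counters", counters),
                               seal["counters_tag"]):
        findings.append("counter block changed")
    return findings

# Constructed sample data (not real card contents).
KEY = b"constructed-demo-key"
PROGRAM = b"report: print totals as counted"
COUNTERS = struct.pack(">2H", 0, 0)             # two 16-bit counters, empty box

# Constructed stand-ins for the three tests described above.
SAME_LENGTH_EDIT = PROGRAM.replace(b"counted", b"altered")  # test 1
SHORTER_PROGRAM = PROGRAM[:10]                               # test 2
PRELOADED_COUNTERS = struct.pack(">2H", 65511, 25)          # test 3
```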
How to "Roll over the odometer" in Diebold optical scan machines
Integer overflow checks do not seem to exist in this system, making it possible to stuff the ballot box without triggering any error message. This would be like pre-loading minus 100 votes for Tom and plus 100 votes for Rick (-100+100=ZERO) -- changing the candidate totals without changing the overall number of votes.
A more precise comparison would be this: The odometer on a car rolls over to zero after 999,999. In the Diebold system tested, the rollover to zero happens at 65,536 votes. By pre-loading 65,511 votes for a candidate, after 25 real votes appear (65,511 plus 25 = 65,536) the report "rolls over" so that the candidate's total is ZERO.
This manipulation can be balanced out by preloading votes for candidate "A" at 65,511 and candidate "B" at 25 votes -- producing an artificial 50-vote spread between the candidates, which will not be obvious after the first 25 votes for candidate "A" roll over to zero. The "negative 25" votes from the odometer rollover counterbalance the "plus 25" votes for the other candidates, making the total number of votes cast at the end of the day exactly equal to the number of voters.
While testing the hack on the Leon County optical scan machine, Hursti was stunned to find that pre-stuffing the ballot box to "roll over the odometer" produced no error message whatsoever.*
*We did not have the opportunity to scan ballots after stuffing the ballot box. Therefore, the rollover to zero was not tested in Leon County. This integer overflow capability is discernable in the program itself. We did have the opportunity to test a pre-stuffed ballot box, which showed that pre-loaded ballot boxes do not trigger any error message.
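The arithmetic above can be checked with a small model. This is an added example, not the machine's code: it assumes a 16-bit counter (the width implied by the rollover at 65,536) and constructed ballots, and it shows that the turnout comparison passes on the pre-loaded box while an empty-box check at opening and an overflow-checked increment both catch it.

```python
COUNTER_BITS = 16                 # width implied by the rollover at 65,536
MODULUS = 1 << COUNTER_BITS       # 65,536

class CounterOverflow(Exception):
    """Raised instead of wrapping a full counter back to zero."""

def unchecked_tally(preload, ballots):
    """Model of a counter with no checks: any starting value is accepted
    and a full counter wraps silently."""
    totals = dict(preload)
    for choice in ballots:
        totals[choice] = (totals[choice] + 1) % MODULUS
    return totals

def turnout_matches(totals, ballots):
    """Canvass-style check: do candidate totals add up to ballots cast?"""
    return sum(totals.values()) == len(ballots)

def nonzero_counters(preload):
    """Empty-box check at opening: names of counters that are not zero."""
    return sorted(name for name, count in preload.items() if count != 0)

def checked_tally(preload, ballots):
    """Hardened counting: refuse a non-empty box and refuse to wrap."""
    loaded = nonzero_counters(preload)
    if loaded:
        raise ValueError("ballot box not empty at open: " + ", ".join(loaded))
    totals = dict(preload)
    for choice in ballots:
        if totals[choice] == MODULUS - 1:
            raise CounterOverflow(choice)
        totals[choice] += 1
    return totals

# Constructed sample: 25 real ballots for A and 40 for B.
SAMPLE_BALLOTS = ["A"] * 25 + ["B"] * 40
# Pre-load values taken from the paragraph above.
ARTICLE_PRELOAD = {"A": 65511, "B": 25}
```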
Simple tweaks to pass L&A test and survive zero tape
Though the additional tweaks were not demonstrated at the Leon County elections office, Hursti believes that the integer overflow hack can be covered up on the "zero tape" produced at the beginning of the election. The programming to cover up manipulations during the "logic & accuracy test" is even simpler, since the program allows you to specify which reports (and, if you like, which date and time of day) the manipulation will affect.
The testing demonstrated, using the actual voting system used in a real elections office, that Diebold programmers developed a system that sacrifices security in favor of dangerously flexible programming, violating FEC standards and calling the actions of ITA testing labs and certifiers into question.
In the case of Leon County, inside access was used to achieve the hacks, but there are numerous ways to introduce the hacks without inside access. Outside access methods will be described in the technical report to be released in mid-June.
Security concerns
Putting an executable program into removable memory card "ballot boxes" -- and then programming the opti-scan chip to call and invoke whatever program is in the live ballot box during the middle of an election -- is a mind-boggling design from a security standpoint. Combining this idiotic design with a program that doesn't even check to see whether someone has tampered with it constitutes negligence and should result in a product recall.
Counties that purchased the Diebold 1.94 optical scan machines should not pay for any upgraded program; instead, Diebold should be required to recall the faulty program and correct the problem at its own expense.
None of the attacks left any telltale marks, rendering all audits and logs useless, except for hand-counting all the paper ballots.
Is it real? Or is it Memorex?
For example, Election Supervisor Ion Sancho was unable to tell, at first, whether the poll tape printed with manipulated results was the real thing. Only the message at the end of the tape, which read "Is this real? Or is it Memorex?" identified the tape as a tampered version of results.
In another test, Congresswoman Corrine Brown (FL-Dem) was shocked to see the impact of a trojan implanted by Dr. Herbert Thompson. She asked if the program could be manipulated in such a way as to flip every fifth vote.
"No problem," Dr. Thompson replied.
"It IS a problem. It's a PROBLEM!" exclaimed Brown, whose district includes the troubled Volusia County, along with Duval County -- both currently using the Diebold opti-scan system.
This system is also used in Congressman John Conyers' home district, in contentious King County, Washington, and in Lucas County, Ohio (where six election officials resigned or were suspended after many irregularities were found).
Diebold optical scans were used in San Diego for its ill-fated mayoral election in Nov. 2004. Optical scan systems have paper ballots, but election officials are crippled in their ability to hand count these ballots due to restrictive state regulations and budget limitations.
The canvassing (audit) procedure used to certify results from optical scan systems involves comparing the "poll tapes" (cash register-like results receipts) with the printout from the central tabulator. These tests demonstrate that both results can be manipulated easily and quickly.
Minimum requirements to perform this hack:
1. A single specimen memory card from any county using the Diebold 1.94 optical scan series. (These cards were seen scattered on tables in King County, piled in baskets accessible to the public in Georgia, and jumbled on desktops in Volusia county.)
2. A copy of the compiler for the AccuBasic program. (These compilers have been fairly widely distributed by Diebold and its predecessor company, and there are workarounds if no compiler is available.)
3. Modest working knowledge of any one of the higher level computer languages (Pascal, C, Cobol, Basic, Fortran...) along with introductory-level knowledge of assembler or machine language. (The machine language knowledge needed is less than an advanced refrigerator or TV repairman needs. The optical scan system is much simpler than modern appliances.)
The existence of the executable program in the memory card was discernable from a review of the Diebold memos. The test hacks took just a few hours for Black Box Voting consultants to develop.
Nearly 800 jurisdictions conducted a presidential election on this system. This system is so profoundly hackable that an advanced-level TV repairman can manipulate votes on it.
Black Box Voting asked Dr. Thompson and Hursti to examine the central tabulator and the optical scan system after becoming concerned that not enough attention had been paid to optical scans, tabulators and remote access.
Thompson and Hursti each found the vulnerabilities for their respective hacks in less than 24 hours.
"Open for Business"
When it comes to this optical-scan system, as Hursti says, "It's not that they left the door open. There is no door. This system is 'open for business.'"
The question now is: How brisk has business been? Based on this new evidence, it is time to sequester and examine the memory cards used with Diebold optical scans in Nov. 2004.
The popularity of tamper-friendly machines that are "open for business" in heavily Democratic areas may explain the lethargy with which Democratic leaders have been approaching voting machine security concerns.
The enthusiasm with which Republicans have endorsed machines with no paper ballots at all indicates that neither party really wants to have intact auditing of elections.
The ease with which a system -- which clearly violates dozens of FEC standards going back to 1990 -- was certified calls into question the honesty, competence, and personal financial transactions of both testing labs and NASED certifiers.
Revamp and update hand-counted paper ballot technology?
Perhaps it is time to revisit the idea of hand-counted paper ballots, printed by machines for legibility, with color-coded choices for quick, easy, accurate sorting and counting. We should also take another look at bringing counting teams in when the polls close, to relieve tired poll workers.
This report is the "non-techie" version of a more formal technical report, which can be found at: http://www.blackboxvoting.org/BBVreport.pdf
Bald-Faced Lies About Black Box Voting Machines and The Truth About the Rob-Georgia File
Go to original. [4]
IMPORTANT NOTE: Publication of this story marks a watershed in American political history. It is offered freely for publication in full or part on any and all internet forums, blogs and noticeboards. All other media are also encouraged to utilise material. Readers are encouraged to forward this to friends and acquaintances in the United States and elsewhere.
CONTENTS:
Introduction
Part 1 - Can the votes be changed?
Part 2 - Can the password be bypassed?
Part 3 - Can the audit log be altered?
Introduction
According to election industry officials, electronic voting systems are absolutely secure, because they are protected by passwords and tamperproof audit logs. But the passwords can easily be bypassed, and in fact the audit logs can be altered. Worse, the votes can be changed without anyone knowing, even the County Election Supervisor who runs the election system.
The computer programs that tell electronic voting machines how to record and tally votes are allowed to be held as "trade secrets." Can citizens' groups examine them? No. The companies that make these machines insist that their mechanisms are a proprietary secret. Can citizens' groups, or even election officials, audit their accuracy? Not at all, with touch screens, and rarely, with optical scans, because most state laws mandate that optical scan paper ballots be run through the machine and then sealed into a box, never to be counted unless there is a court order. Even in recounts, the ballots are just run through the machine again. Nowadays, all we look at is the machine tally.
Therefore, when I found that Diebold Election Systems had been storing 40,000 of its files on an open web site, an obscure site, never revealed to public interest groups, but generally known among election industry insiders, and available to any hacker with a laptop, I looked at the files. Having a so-called security-conscious voting machine manufacturer store sensitive files on an unprotected public web site, allowing anonymous access, was bad enough, but when I saw what was in the files my hair turned gray. Really. It did.
The contents of these files amounted to a virtual handbook for vote-tampering: They contained diagrams of remote communications setups, passwords, encryption keys, source code, user manuals, testing protocols, and simulators, as well as files loaded with votes and voting machine software.
Diebold Elections Systems AccuVote systems use software called "GEMS," and this system is used in 37 states. The voting system works like this:
Voters vote at the precinct, running their ballot through an optical scan, or entering their vote on a touch screen.
After the polls close, poll workers transmit the votes that have been accumulated to the county office. They do this by modem.
At the county office, there is a "host computer" with a program on it called GEMS. GEMS receives the incoming votes and stores them in a vote ledger. But in the files we examined, which were created by Diebold employees and/or county officials, we learned that the Diebold program used another set of books with a copy of what is in vote ledger 1. And at the same time, it made yet a third vote ledger with another copy.
Apparently, the Elections Supervisor never sees these three sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a detail report (totals for each precinct). She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden. And here is what is quite odd: On the programs we tested, the Election summary (totals, county wide) comes from vote ledger 2 instead of vote ledger 1, and ledger 2 can be altered so it may or may not match ledger 1.
Now, think of it like this: You want the report to add up only the actual votes. But, unbeknownst to the election supervisor, votes can be added and subtracted from vote ledger 2. Official reports come from vote ledger 2, which has been disengaged from vote ledger 1. If one asks for a detailed report for some precincts, though, the report comes from vote ledger 1. Therefore, if you keep the correct votes in vote ledger 1, a spot check of detailed precincts (even if you compare voter-verified paper ballots) will always be correct.
And what is vote ledger 3 for? For now, we are calling it the "Lord Only Knows" vote ledger.
Detailed Examination Of Diebold GEMS Voting Machine Security (Part 1)
CAN THE VOTES BE CHANGED?
Here's what we're going to do: We'll go in and run a totals report, so you can see what the Election Supervisor sees. Then we'll tamper with the votes. I'll show you that our tampering appears in Table 2, but not Table 1. Then we'll go back and run another totals report, and you'll see that it contains the tampered votes from Table 2. Remember that there are two programs: The GEMS program, which the Election Supervisor sees, and the Microsoft Access database that stores the votes, which she cannot see.
Let's run a report on the Max Cleland/Saxby Chambliss race. (This is an example, and does not contain the real data.) Here is what the Totals Report will look like in GEMS:
As it stands, Cleland is stomping Chambliss. Let's make it more exciting.
The GEMS election file contains more than one "set of books." They are hidden from the person running the GEMS program, but you can see them if you go into Microsoft Access. You might look at it like this: Suppose you have votes on paper ballots, and you pile all the paper ballots in room one. Then, you make a copy of all the ballots and put the stack of copies in room 2.
You then leave the door open to room 2, so that people can come in and out, replacing some of the votes in the stack with their own.
You could have some sort of security device that would tell you if any of the copies of votes in room 2 have been changed, but you opt not to.
Now, suppose you want to count the votes. Should you count them from room 1 (original votes)? Or should you count them from room 2, where they may or may not be the same as room 1? What Diebold chose to do in the files we examined was to count the votes from "room2." Illustration:
If an intruder opens the GEMS program in Microsoft Access, they will find that each candidate has an assigned number:
One can then go see how many votes a candidate has by visiting "room 1" which is called the CandidateCounter:
In the above example, "454" represents Max Cleland and "455" represents Saxby Chambliss. Now let's visit Room2, which has copies of Room1. You can find it in an Access table called SumCandidateCounter:
Now let's put our own votes in Room2. We'll put Chambliss ahead by a nose, by subtracting 100 from Cleland and adding 100 to Chambliss. Always add and delete the same number of votes, so the number of voters won't change.
Notice that we have only tampered with the votes in "Room 2." In Room 1, they remain the same. Room 1, after tampering with Room 2:
Now let's run a report again. Go into GEMS and run the totals report. Here's what it looks like now:
Now, the above example is for a simple race using just one precinct. If you run a detail report, you'll see that the precinct report pulls the untampered data, while the totals report pulls the tampered data. This would allow a precinct to pass a spot check.
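A reconciliation between the two sets of books is the check that would expose this. The following is an added example, not part of GEMS or of the original report: it uses an in-memory SQLite database as a stand-in for the Access file, keeps the table names CandidateCounter and SumCandidateCounter and the candidate numbers 454 and 455 from the text, and assumes the column names and vote counts, which are constructed.

```python
import sqlite3

def build_sample_db():
    """Constructed two-precinct election; column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE CandidateCounter (PrecinctId INT, CandidateId INT, Votes INT);
        CREATE TABLE SumCandidateCounter (CandidateId INT, Votes INT);
    """)
    db.executemany(
        "INSERT INTO CandidateCounter VALUES (?, ?, ?)",
        [(1, 454, 300), (1, 455, 250), (2, 454, 220), (2, 455, 200)],
    )
    db.executemany(
        "INSERT INTO SumCandidateCounter VALUES (?, ?)",
        [(454, 520), (455, 450)],
    )
    return db

def grand_totals_match(db):
    """Turnout-style check: compares only the overall number of votes."""
    (detail,) = db.execute("SELECT SUM(Votes) FROM CandidateCounter").fetchone()
    (summary,) = db.execute("SELECT SUM(Votes) FROM SumCandidateCounter").fetchone()
    return detail == summary

def reconcile(db):
    """Per-candidate check: rebuild each total from the detail ledger and
    list (candidate, detail_total, summary_total) wherever the books differ,
    including candidates present in only one of the two tables."""
    detail = dict(db.execute(
        "SELECT CandidateId, SUM(Votes) FROM CandidateCounter GROUP BY CandidateId"))
    summary = dict(db.execute(
        "SELECT CandidateId, SUM(Votes) FROM SumCandidateCounter GROUP BY CandidateId"))
    return [
        (cid, detail.get(cid), summary.get(cid))
        for cid in sorted(detail.keys() | summary.keys())
        if detail.get(cid) != summary.get(cid)
    ]

def apply_constructed_shift(db, amount=100):
    """Constructed discrepancy mirroring the article's example: the summary
    ledger moves `amount` votes from 454 to 455; the detail ledger is untouched."""
    db.execute("UPDATE SumCandidateCounter SET Votes = Votes - ? WHERE CandidateId = 454", (amount,))
    db.execute("UPDATE SumCandidateCounter SET Votes = Votes + ? WHERE CandidateId = 455", (amount,))
```

Because equal numbers are added and subtracted, the overall-total check still passes after the shift; only the per-candidate comparison reports the difference.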
Detailed Examination Of Diebold GEMS Voting Machine Security (Part 2)
CAN THE PASSWORD BE BYPASSED?
At least a dozen full installation versions of the GEMS program were available on the Diebold ftp site. The manual, also available on the ftp site, tells that the default password in a new installation is "GEMSUSER." Anyone who downloaded and installed GEMS can bypass the passwords in elections. In this examination, we installed GEMS, clicked "new" and made a test election, then closed it and opened the same file in Microsoft Access.
One finds where they store the passwords by clicking the "Operator" table.
Anyone can copy an encrypted password from there, go to an election database, and paste it into that.
Example: Cobb County Election file
One can overwrite the "admin" password with another, copied from another GEMS installation. It will appear encrypted; no worries, just cut and paste. In this example, we saved the old "admin" password so we could replace it later and delete the evidence that we'd been there. An intruder can grant himself administrative privileges by putting zeros in the other boxes, following the example in "admin."
How many people can gain access? A sociable election hacker can give all his friends access to the database too! In this case, they were added in a test GEMS installation and copied into the Cobb County Microsoft Access file. It encrypted each password as a different character string; however, all the passwords are the same word: "password." Password replacement can also be done directly in Access. To assess how tightly controlled the election files really are, we added 50 of our friends; so far, we haven't found a limit to how many people can be granted access to the election database.
Using this simple way to bypass password security, an intruder, or an insider, can enter GEMS programs and play with election databases to their heart's content.
Detailed Examination Of Diebold GEMS Voting Machine Security (Part 3)
CAN THE AUDIT TRAIL BE ALTERED?
Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003:
"Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident.
In addition, passwords are used to limit access to the system to authorized personnel."
Since Dr. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log.
Here is a copy of a GEMS audit report.
Note that a user by the name of "Evildoer" was added. Evildoer performed various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log.
It was a simple matter to eliminate Evildoer. First, we opened the election database in Access, where we opened the audit table:
Then, we deleted all the references to Evildoer and, because we noticed that the audit log never noticed when the admin closed the GEMS program before, we tidily added an entry for that.
Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace. Going back into GEMS, we ran another audit log to see if Evildoer had been purged:
As you can see, the audit log appears pristine.
In fact, when using Access to adjust the vote tallies we found that tampering never made it to the audit log at all. Although we interviewed election officials and also the technicians who set up the Diebold system in Georgia, and they confirmed that the GEMS system does use Microsoft Access, is designed for remote access, and does receive "data corrections" from time to time from support personnel, we have not yet had the opportunity to test the above tampering methods in the County Election Supervisor's office.
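Sequence numbers only help when they cannot be rewritten, which is the weakness described above. The sketch below is an added example, not GEMS code: it assumes a hash-chained log whose latest hash is also recorded outside the database (for instance on a printed end-of-day report), uses constructed entries with the user name "Evildoer" from the text, and shows that a purged and renumbered log passes a gap check but fails chain verification.

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("seq", "time", "user", "action")

def entry_hash(prev_hash, entry):
    """Each record commits to its own fields and to the previous record's hash."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_entry(log, user, action, when):
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log) + 1, "time": when, "user": user, "action": action}
    log.append({**entry, "hash": entry_hash(prev, entry)})

def sequence_gaps(log):
    """The numbering check alone: positions whose number is out of sequence."""
    return [rec["seq"] for pos, rec in enumerate(log, 1) if rec["seq"] != pos]

def verify_chain(log, anchored_head):
    """Return None if the log is intact, otherwise a description of the failure.
    anchored_head is the last hash as recorded outside the database."""
    prev = GENESIS
    for pos, rec in enumerate(log, 1):
        entry = {name: rec[name] for name in FIELDS}
        if rec["hash"] != entry_hash(prev, entry):
            return "chain breaks at position %d" % pos
        prev = rec["hash"]
    if prev != anchored_head:
        return "head does not match anchored value"
    return None

def build_sample_log():
    """Constructed audit entries; times and actions are illustrative only."""
    log = []
    append_entry(log, "admin", "open election", "09:00")
    append_entry(log, "admin", "add user Evildoer", "09:05")
    append_entry(log, "Evildoer", "run totals report", "09:10")
    append_entry(log, "Evildoer", "run totals report", "09:20")
    append_entry(log, "admin", "close GEMS", "09:30")
    return log

def purge_and_renumber(log, user):
    """Constructed stand-in for the edit described above: drop one user's
    rows and rewrite the log numbers so that no gap remains."""
    kept = [dict(rec) for rec in log if rec["user"] != user]
    for seq, rec in enumerate(kept, 1):
        rec["seq"] = seq
    return kept
```

Rebuilding every hash after the purge makes the chain internally consistent again, which is why the comparison against the externally anchored head is part of the check.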
From a programming standpoint, there might be reasons to have a special vote ledger that disengages from the real one. For example, election officials might say they need to be able to alter the votes to add provisional ballots or absentee ballots. If so, this calls into question the training of these officials, which appears to be done by The Election Center, under the direction of R. Doug Lewis. If election officials are taught to deal with changes by overwriting votes, regardless of whether they do this in vote ledger 1 or vote ledger 2, this is improper.
If changing election data is required, the corrective entry must be made not by overwriting vote totals, but by making a corrective entry. When adding provisional ballots, for example, the proper procedure is to add a line item "provisional ballots," and this should be added into the original vote table (Table 1). It is never acceptable to make changes by overwriting vote totals. Data corrections should not be prohibited, but must always be done by indicating changes through a clearly marked line item that preserves each transaction.
Proper bookkeeping never allows an extra ledger that can be used to just erase the original information and add your own. And certainly, it is improper to have the official reports come from the second ledger, which may or may not have information erased or added.
But there is more evidence that these extra sets of books are illicit: If election officials were using Table 2 to add votes, for provisional ballots, or absentee voters, that would be in their GEMS program. It makes no sense, if that's what Diebold claims the extra set of books is for, to make vote corrections by sneaking in through the back door and using Access, which according to the manual is not even installed on the election official's computer.
Furthermore, if changing Table 2 was an acceptable way to adjust for provisional ballots and absentee votes, we would see the option in GEMS to print a report of both Table 1 totals and Table 2 so that we can compare them. Certainly, if that were the case, that would be in the manual along with instructions that say to compare Table 1 to Table 2, and, if there is any difference, to make sure it exactly matches the number of absentee ballots, or whatever, that were added.
Using Microsoft Access was inappropriate for security reasons. Using multiple sets of books, and/or altering vote totals to include new data, is improper for accounting reasons. And, as a member of slashdot.org commented, "This is not a bug, it's a feature."
Links:
[1] http://www.blackboxvoting.com
[2] http://tinyurl.com/buprr
[3] http://www.blackboxvoting.org/BBVreport.pdf
[4] http://www.scoop.co.nz/stories/images/0307/d3ffd3cf704780efa471.jpeg