[E-voting] BBV Security Alert - Critical Security Issues with Diebold Optical Scan Design
cansbro at eircom.net
Mon Jul 4 20:37:39 IST 2005
Most on this list will want to read the full report (link immediately
below, at the top of the post). It is readable by non-techies.
* Note that this report is only the first of several
* This report deals exclusively with various Memory Card Attacks
(both demonstrated and possible)
* Future reports will deal separately with Central Tabulator Attacks
and Remote Access Attacks
* This report has interesting things to say about the Accu-Basic
programming language used on the MS Access-like programme
* There are serious implications for many kinds of equipment, not
just Diebold optical scanners
* The post below is a few excerpts from the report, PLUS some
important "practical next steps" (after the text in red, "Here we
leave the report by Harri Hursti")
Posted on Monday, July 04, 2005 - 10:39 am:
SECURITY ALERT: Critical Security Issues with Diebold Optical Scan Design
*EXCERPTS FROM THE REPORT:* Incorporated into the foundation of the
Diebold Precinct-Based Optical Scan 1.94w system is the mother of
security holes, and no apparent cure will produce infertility, or system
...the removable media (memory card), which should contain only the
ballot box, the ballot design and the race definitions, but also
contains a living thing – an executable program which acts on the vote
data. Changing this executable program on the memory card can change the
way the optical scan machine functions and the way the votes are
reported. The system won’t work without this program on the memory card.
Whereas we would expect to see vote data in a sealed, passive
environment, this system places votes into an open active environment.
With this architecture, every time an election is conducted it is
necessary to reinstall part of the functionality into the Optical Scan
system via memory card, making it possible to introduce program
functions (either authorized or unauthorized), either wholesale or in a
targeted manner, with no way to verify that the certified or even
standard functionality is maintained from one voting machine to the next.
...Within the context of expected security responsibilities, one layer
of security should be preventive cost factors. While the system will
always be breakable, the feasibility of penetration should be inhibited
by the cost of such an endeavor. What the author has identified,
however, is an exceptionally flexible one-man exploit requiring only a
few hundred dollars, mediocre technical ability, and modest persuasive
skills (or, in lieu of persuasive skills, just a touch of inside access).
...This design would not appropriately be characterized as “a house with
the door open.” The design of the Diebold Precinct-Based Optical Scan
1.94w system is, in the author’s own view, more akin to “a house with an
unlockable revolving door.”
...Only awareness of the flaws will facilitate development of the
countermeasures needed to hamper the effectiveness of the attack
vectors. If the layers of protection are interconnected and relying on
each other they are not true layers – it is just a one-layer system
which is only as strong as its weakest point. Also bear in mind that
layer interaction removes the layer separation. Therefore, a proper
security analysis should always begin with the assumption that the
previous layer has been compromised.
If that assumption cannot be made, the layers are interconnected and the
dominoes will fall.
... (Background) On May 26, another visit was scheduled at the Leon
County Elections Warehouse, and the author quickly penetrated the
security of the Diebold Precinct-Based Optical Scan 1.94w system three
times, each time with a different memory card manipulation.
...*The Diebold optical scan system*
The Diebold optical scan system consists of three components: The
optical scan reader used at the polling place to scan and interpret
ballot data; the central tabulator, which resides on a standard PC
computer using the Windows operating system, used at the county election
office to collect and tally votes from polling places; and a removable
data storage unit, the memory card that stores the votes.
Before each election, the Diebold central tabulator program, called
“GEMS,” defines the races in the election. The optical scan machine is
then connected to the GEMS server via an RS-232 serial port connection.
The removable storage (memory card) is placed into the optical scan
machine, and GEMS writes information onto the memory card through the
optical scan unit.
According to the Diebold optical scan user’s manual, the programming of
the memory card can also be done remotely by modem connection over a
public telephone network.(7) After the cards have been programmed, they
are interchangeable among voting machines with the same or similar
firmware version. Therefore a single machine can be used to program all
During the election, voters place filled-out ballots into the scanner,
which interprets the ballot data and stores the totals (but not the
individual votes) on the memory card. After the election, the data on
the memory card is transferred into the central tabulator by a modem
through a modem pool, or is physically brought to the county elections
office and uploaded through an optical scan machine there via an RS-232
serial port connection. It is noteworthy that operational practices may
vary -- from election office in-house operated modem pools to a virtual
modem pool purchased as access service from a 3rd party provider.
It has been known for years that Diebold uses its own proprietary
programming language, Accu-Basic, for report-generation. This can be
known from publicly available information, including compiler source
code(10), an unfinished programming manual(11), AccuBasic source code
files(12), pre-compiled files(13) and memos(14).
A large number of experts have reviewed this information but they have
generally failed to understand the role and execution environment of
Accu-Basic. A contributing factor could be that these critical pieces of
information may have been omitted from official documentation, evidenced
from the AccuVote-OS 1.94 Precinct Count User’s Manual, Revision 2.0,
July 18, 2002, page 14, which fails to list the executable program as an
item stored in the memory card.(15)
Accu-Basic programming is a two-phase process. First the Accu-Basic
program source code needs to be pre-compiled with a compiler, converting
it from a human-readable source code form into token-based pseudo-code.
The pseudo-code is still a non-binary, ASCII file. This first-phase
programming is normally done on a standard PC running Windows or a *ix
variant operating system. The author used the FreeBSD platform. Then
this pseudo-code is transferred to the final execution environment (that
is, to the voting machine), where the pseudo-code is executed by an
Note: The interpreter, built into the optical scan firmware, will
execute the code following the instructions on the memory card. No
information has been provided about the interpreter.
A publicly available Diebold memo from Guy Lancaster to Steve Ricke,
dated 18 Nov 1999 17:28:23, subject “Re: Report Failure”(16) (Provided
in Appendix), revealed that:
- The pre-compiled AccuBasic program is uploaded and is executed from
the memory card.
- The AccuBasic program is not protected by checksums against corruption
or tampering.
This omission appears to be in conflict with the word and intention of
the 1990 Federal Election Commission Standards, Chapter 5, specifically,
but not limited to, articles 5.1, 5.3 and 5.5.(17)
*Implications of this design:*
With this design, the functionality – the critical element to be
certified during the certification process -- can be modified every time
an election is prepared. Functionality is downloaded separately into
each and every machine, via memory card, for every election. With this
design, there is no way to verify that the certified or even standard
functionality is maintained from one voting machine to the next.
With regard to certification, please also note that, because of the
architecture, a trustworthy certification cannot be done separately for
hardware and software. For a true understanding of the execution
environment, the certifier must understand both of these components.
Exploits available with this design include, but are not limited to:
1) Paper trail falsification – Ability to modify the election results
reports so that they do not match the actual vote data
1.1) Production of false optical scan reports to facilitate checks and
balances (matching the optical scan report to the central tabulator
report), in order to conceal attacks like redistribution of the votes or
Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)
1.2) An ingenious exploit presents itself, for a single memory card to
mimic votes from many precincts at once while transmitting votes to the
central tabulator. The paper trail falsification methods in this report
will hide evidence of out-of-place information from the optical scan
report if that attack is used.
2) Removal of information about pre-loaded votes
2.1) Ability to hide pre-loaded votes
2.2) Ability to hide a pre-arranged integer overflow
3) Ability to program conditional behavior based on time/date, number of
votes counted, and many other hidden triggers.
According to public statements by elections officials(20), the paper
trail produced by the precinct optical scan has been placed into the
role of a vital safeguard mechanism. The paper report from the optical
scan machine is the key record used to confirm the integrity of the
central tabulator record.
... It is important to understand that, because the AccuBasic program is
aware of the election definitions and structure, attacks can be prepared
months ahead of time, before the candidate and ballot design have been
(Measures like ballot rotation have no effect on these exploits
whatsoever, and do not need to be considered.)
...combining the false report method (demonstrated on page 16) with the
pre-arranged integer overflow (demonstrated on page 18) seems to be an
especially efficient exploit because it is a one-step process that takes
out both the actual process and its safeguard at the same time, while
surviving scrutiny of almost anything short of a full manual recount.
*Delivery mechanisms for memory card tampering*
Delivery of a malicious program can be achieved with multiple methods:
- Direct alterations to the memory cards themselves.
- Replacement of the “.abo” (AccuBasic executable) file(s) in the
central tabulator before election definitions are uploaded to memory
cards. In this approach the election office, while not necessarily aware
of the situation, will distribute the malicious code when preparing the
- The central tabulator approach (.abo file replacement) will also
enable even remote work. Remote attacks can either use a technical
approach or a social engineering approach. Social engineering can turn
out to be quite effective to deliver malicious code to the GEMS
computer. An example of this could be providing an automated CD/DVD disc
or USB device “patch” or update, delivered to the elections office
accompanied by a phone call recommending its installation.
Even if checksums were to be implemented in future versions of the
firmware to protect the executable on the memory card, using GEMS to
contaminate the memory card will neutralize the checksums because the
program is inserted before the checksums are calculated.
...*Proof of concept in detail*
To show that the executable program on the memory card controls the
optical scan report and the user interface, and to test the memory card
alteration theory, the author was able to test sample cards from Leon
County, Florida. These memory cards contained an election constructed
for the purpose of educating poll workers for future elections. All
relevant elements were identical to the platform and implementation of
all elections run within the environment in question.
...When the author viewed the raw dump of the image file, which can be
done using any hexadecimal or binary file editor, it became self-evident
where the starting position of the executable pseudo-code was. Because
the program is stored after election specific data, it is safe to assume
that the starting location is not fixed.
(screen shot included in report)
The author also found the end location of the executable block to be
(screen shot included in report)
...The author wrote and pre-compiled his own program. Please note that
the compiler has been publicly available for several years(22). This
significantly helps the average Joe to make his own program for the
voting machine, although for sophisticated programmers this help is far
from necessary. The compiler output is a pseudo-code in the format for
GEMS to upload to the card....
(additional specifics provided in report)
...the memory card was inserted into the Optical Scan unit, and it was
verified that the voting system functionalities changed according to the
programming concepts the author had chosen.
...The following images show the original optical scan report
side-by-side with reports that were produced by modifying the program
code on the memory cards. On all memory cards, the vote data remains
identical in this particular exploit. Only the reporting mechanism was
modified to give false results.
(image of scanned poll tapes provided in report)
Note that the run date and time on all reports are the same. The
original report was run in Leon County on May 16, when the author was
not present. However, the reports from the tampered memory cards, which
also state run time to be May 16, were actually run on the morning of May
26, when the author conducted the proof of concept test. These reports
demonstrate that report data, including the date and other information,
are easily altered on optical scan reports.
(image of scanned audit tape is provided in report)
Above is the Diebold “audit report” for the optical scan machine,
printed on May 26. This audit log is printed from the optical scan
firmware, not from the executable on the memory card. No changes were
made on this report. Note that it shows no error messages. The memory
card this report purports to be auditing was tampered with on an
airplane at an earlier date in May, but nothing in the audit log
reflects the actual timing of memory card events.
No anomalies appeared on the audit report because none of the changes
made by the author affected any of the Diebold audit log information.
...Manipulation through integer overflows
Currently, many programmers have become accustomed to higher level
programming languages, which give warnings and guidance to adjust
integer overflow problems. The problem defined below will be familiar to
programmers who have worked in earlier environments and/or with lower
level programming languages. Please note that only 16-bit integers (2
bytes) are used instead of longer integers, which are the default in
It is clear that the checksum algorithm used was chosen to be the
simplest possible one, because it has been chosen to protect the votes
against random corruption of the data instead of intentional tampering.
This finding led the author to create an exploit with the idea of
inserting votes that will cancel each other out when added.
By the way: There were no error messages during start-up with this card,
nor did any error messages appear afterward.
(image of scanned "zero tape" provided in report, with pre-loaded votes
to trigger integer overflow)
...Pre-stuffing the ballot box with votes 65511 and 25 is essentially
the same as if one candidate had -25 votes and the other +25 votes at
the start. Naturally, the choice of -25 and +25 was arbitrary and
different figures could have been used.
When the firmware turns control over to Accu-Basic, the user is not
notified, nor is the user notified when control returns to the firmware.
The Accu-Basic program on the memory card not only has control over the
printer as output media, but also enables interaction with the user over
the LCD display and the “YES” and “NO” buttons located underneath the LCD.
The implications of this are:
1) Conditional behavior of malicious code can be based on user input
2) The user can be made to believe that his activities are real, while
they are not, by programming the memory card so that it will not return
control back to firmware.
(image of message "Are we having fun yet" on LCD screen, for the
demonstration of control over the user interface performed in Leon County)
The Accu-Vote Precinct Count Optical Scan system inherits numerous
attack vectors from flexibility to modify over security design.
Operational procedures required to secure the system would put an
unsustainable burden on the perimeter defense, training of the
personnel and supervision among the other layers of security.
1. Further evaluation should be performed on the 1.96.x and 2.0.x
versions of the Diebold optical scan system to determine whether they do
or do not have the same fundamentally insecure architecture. A similar
examination should also be performed on the Diebold touch-screens,
including the TS-R4 and TS-R6 versions, the TSx version, and the new
“VVPAT” version, along with any other component of the accumulation
process for any of these systems.
2. Because memory cards have been given a pre-eminent position in the
Diebold voting system studied, they should be deemed to contain critical
data and should be considered to be a public document. Of course, they
should be retained for 22 months in federal elections, as required by
U.S. federal election law.
3. Memory cards or, in the event they are not available, the voting
systems themselves, should be examined for all jurisdictions using any
Diebold voting system which relies on this type of architecture. If
manipulation is done properly, there will be no telltale anomalies.
However, in areas like Volusia County, (24)(25)(26) and Brevard County
(27)(28) Florida, where significant anomalies have appeared related to
vote tabulation, memory cards, or poll tapes, the memory cards should
certainly be inspected by someone experienced in forensics.
4. The architecture of other manufacturers should be examined for
similar vulnerabilities. Priority should be set for this examination
according to the significance of the vendor.
List of Appendices:
Appendix A: Diebold memo about memory cards used
Appendix B: Diebold memo about checksums
Appendix C: Diebold memo with more information about checksums
Appendix D: Sample program
Appendix E: List of locations that use Diebold voting systems
* * * * *
*Here, we leave the report by Harri Hursti.*
Let us now discuss practical next steps. It is important to achieve
1) *A product recall, as this vulnerability is not fixable with any
software patch.* It would be entirely inappropriate for taxpayers to
foot the bill of corrective actions. Those costs should be borne by the
vendor. Bear in mind that when Diebold acquired Global Election Systems,
its investment banking partner performed, (or should have done) a due
diligence analysis of this system. Diebold Inc. either knew, and sold
the system anyway, or did not know, but should have known. It is
therefore appropriate that Diebold should foot the bill for the product
recall. Certainly not the taxpayers.
2) *It becomes important to understand who knew what, and when.* Did the
ITA certifiers (Wyle and Ciber) know of this? If they knew, but
certified it anyway, an investigation of the certification process must
be conducted. If they did not know, their credentials as certifiers
should be revoked. Did the state-level evaluators know? (Paul Craft -
Florida; Britain Williams - Georgia, Maryland, Virginia; Steve Freeman -
Please note that this product was certified to 1990 FEC standards.
However, it appears to violate a number of these standards, which can be
found here: http://www.bbvforums.org/forums/messages/2197/2383.html
One item of review, when you look at the standards, should be the
requirement to use checksums and parity. Another should be the
prohibition against using nonstandard language. A third area to look at
is the prohibition of self-modifying code. Be your own certifier. See
what you think.
3) *It is now very important to do forensics on the memory cards and
voting systems used in the Nov. 2, 2004 election.* Because this system
is so open to tampering, please urge your local and state officials to
sequester the memory cards for recent elections, so that they can be
examined by a forensic expert, or an otherwise qualified expert, like
Hursti, who has shown that he is both competent to evaluate this issue,
and forthcoming about notifying the public. These memory cards are
clearly of public interest, and should be deemed a public document.
4) *Please urge local and state officials to have a competent, qualified
examiner evaluate both the new optical scan systems, including the high
speed central count system, and the touch-screen systems*, because there
are some indications that this architecture is being used (and even
increased) in newer versions. The touch-screens may be using a different
but similar architecture. Contact Black Box Voting when you have
indications that such cooperation is forthcoming. (contact kathleen
(at)blackboxvoting.org to help schedule an evaluation, or call
No new elections should be run on Diebold optical scan systems until
these evaluations are complete.
Please note that any agency that redacted this issue from its report,
perhaps working privately with the manufacturer behind the scenes to
correct it, or working on some other private remedial concept /should be
disqualified from further certification or evaluation work./ The reasons
for this are twofold:
- The presidential primary, and a federal general election, were allowed
to be held on the Diebold system, which is now used in 1,207 locations.
(Some of these locations are new purchases, the number of jurisdictions
using Diebold in the 2004 election is closer to 800. Of these,
approximately 200 used touch-screens at the precinct, with optical scans
counting absentee votes. Of the 600 remaining jurisdictions, a handful
used the 1.96.x firmware version, which probably carries the same
vulnerability but has not yet been field-tested for it. At least 500
jurisdictions used systems that were certainly open to the exploits
described in this report.)
In Nov. 2004, /in Florida alone,/ the Diebold Precinct-Based Optical
Scan 1.94w system counted approximately 2.5 million votes in 30
counties, or about one-third of all the votes in Florida. Nationwide,
this version of Diebold voting machines counted approximately 25 million
votes in Nov. 2004, or about 25 percent of the national election.
Any entity that allowed the Nov. 2004 election to proceed on a system
with a fundamental architecture that is "open for business" -- even if
working with a vendor behind the scenes -- compromised the integrity of
We do not know if any scientists or testing authorities have been
working privately with Diebold to correct the problems, but it is very
difficult to explain why no one has come forth publicly with this
information. It may be that someone feels they have a superior plan of
action, which requires keeping the information quiet, but in view of the
stunning hole through the security of the 2004 presidential election,
this position would seem insupportable.
- The concept of working privately behind the scenes with a vendor to
secretly correct flaws is incorrect as a consumer protection measure.
Running a United States federal election on a voting system with this
architecture is certainly parallel to letting people drive cars with
exploding gas tanks.
* * * * *
Permission to reprint granted with a link to
http://www.blackboxvoting.org, and provided that you do not edit or
change the text of the EXCERPT FROM THE REPORT in any way. ALL QUOTES
AND EXCERPTS FROM THE REPORT, EVEN BRIEF ONES, MUST BE ATTRIBUTED.
Please send this report to the public officials using Diebold (here is a
list of locations: http://www.blackboxvoting.org/diebold/locations/pdf).
Please also consider sending a printout of this report to the network
security administrator of each jurisdiction that uses Diebold systems. This
would be an employee who does not work for the elections division, but
instead is responsible for the integrity of the data for the county or
Please send this report on to other computer professionals.
Please distribute this report to your lists.
More information about the E-voting
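The 16-bit integer overflow described in the report excerpt above (pre-loading one counter with 65511 and the other with 25 so that the two "cancel each other out when added") is small enough to model exactly. The following C program is an added illustration written for this page; it is not code from Hursti's report, from Black Box Voting or from Diebold, and it makes one labelled assumption: the report only says the vote checksum is "the simplest possible one", so a plain additive 16-bit sum over the counters stands in for whatever algorithm the firmware really uses. The 2-byte counter width, the 65511/25 pre-load and the cancelling-values idea come from the report; the struct layout and every function name are invented for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define NCAND 2   /* two-candidate race, as in the report's -25/+25 illustration */

/* Toy vote-total block of a memory card: 16-bit counters (the report says
 * only 2-byte integers are used) plus a checksum. ASSUMPTION: the report only
 * calls the real checksum "the simplest possible one", so a plain additive
 * 16-bit sum stands in for it here. */
typedef struct {
    uint16_t votes[NCAND];
    uint16_t checksum;
} tally_t;

/* Additive 16-bit sum; every addition wraps modulo 65536. */
uint16_t additive_checksum(const uint16_t *v, size_t n)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = (uint16_t)(sum + v[i]);
    return sum;
}

/* Seal as the card writer would. The checksum covers whatever the counters
 * hold at that moment, pre-stuffed values included (the same is true of any
 * checksum GEMS would compute after a replaced .abo program is inserted). */
void seal(tally_t *t)
{
    t->checksum = additive_checksum(t->votes, NCAND);
}

/* Zero-tape check relying on the checksum alone: is the stored checksum
 * valid and equal to that of an all-zero card? Cancelling pre-loads pass. */
int looks_blank_by_checksum(const tally_t *t)
{
    uint16_t zeros[NCAND] = {0};
    return additive_checksum(t->votes, NCAND) == t->checksum &&
           t->checksum == additive_checksum(zeros, NCAND);
}

/* The check that does catch pre-stuffing: every counter must read zero. */
int is_true_zero(const tally_t *t)
{
    for (size_t i = 0; i < NCAND; i++)
        if (t->votes[i] != 0)
            return 0;
    return 1;
}

/* Report scenario: pre-load A with `pre_a` (65511 = -25 mod 65536) and B with
 * `pre_b` (25), then count `ballots_each` genuine ballots for each candidate.
 * Each increment wraps exactly like the report's 16-bit integers. */
void run_scenario(uint16_t pre_a, uint16_t pre_b, unsigned ballots_each, tally_t *t)
{
    t->votes[0] = pre_a;
    t->votes[1] = pre_b;
    seal(t);
    for (unsigned i = 0; i < ballots_each; i++) {
        t->votes[0] = (uint16_t)(t->votes[0] + 1);
        t->votes[1] = (uint16_t)(t->votes[1] + 1);
    }
    seal(t);
}

/* Final counter for `cand` in the 65511/25 scenario. */
uint16_t final_count(int cand, unsigned ballots_each)
{
    tally_t t;
    run_scenario(65511, 25, ballots_each, &t);
    return t.votes[cand];
}

/* 16-bit grand total a report would reconcile against ballots cast. */
uint16_t final_total(unsigned ballots_each)
{
    tally_t t;
    run_scenario(65511, 25, ballots_each, &t);
    return additive_checksum(t.votes, NCAND);
}

/* 1 if a freshly stuffed card passes the checksum-only blank check while
 * failing the per-counter check. */
int stuffed_card_looks_blank(void)
{
    tally_t t = { {65511, 25}, 0 };
    seal(&t);
    return looks_blank_by_checksum(&t) && !is_true_zero(&t);
}

int main(void)
{
    printf("stuffed card passes checksum-only zero check: %d\n", stuffed_card_looks_blank());
    printf("100 ballots each: A=%u B=%u total=%u\n", (unsigned)final_count(0, 100),
           (unsigned)final_count(1, 100), (unsigned)final_total(100));
    printf("10 ballots each:  A=%u B=%u total=%u\n", (unsigned)final_count(0, 10),
           (unsigned)final_count(1, 10), (unsigned)final_total(10));
    return 0;
}
```

Compile with any C99 compiler. Three things fall out of the model. The freshly stuffed card has the same additive checksum as a blank card (both 0), so a zero-tape check that trusts the checksum passes while a per-counter check fails. After 100 genuine ballots for each candidate, A reads 75 and B reads 125: a 50-vote swing, with a 200-vote total that still reconciles against the 200 ballots cast. With only 10 ballots each, A's counter has not yet wrapped and reads 65521, an obvious anomaly; that is exactly the case the report's exploit 2.2 (hiding the pre-arranged overflow in the printed report) exists to cover, which is why the report treats false reporting and the overflow as one combined attack.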