[E-voting] huge security vulnerabilities exposed

Justin Mason jm at jmason.org
Wed May 17 10:12:21 IST 2006


Have you got any links to solid technical info about these
vulnerabilities? This is the first remotely technical info I've heard...

--j.

Catherine Ansbro writes:
> This has been breaking over the last week in the USA.  It is huge.  It 
> relates to the most serious security vulnerabilities uncovered so far, 
> as the result of Harri Hursti and Security Innovation's examination of 
> the Diebold TSx voting machine in Emery County Utah as carried out by 
> BlackBoxVoting.org.
> 
> The vulnerabilities are so devastating that they cannot be remedied.  
> There are several levels of vulnerabilities--
> 
> 1) bootloader (this vulnerability is the most serious of all)
> 2) the Operating System (Windows CE)
> 3) software relating to the voting/counting application (we knew about 
> some of these already)
> 
> There are catastrophic hardware vulnerabilities as well.
> 
> The only mechanisms that could be used to "clean" a compromised machine 
> could also be used to reinfect it.  And there's virtually no way to check 
> for contamination in the first place.
> 
> Avi Rubin, Doug Jones and others are practically shitting bricks over 
> this.  (One compared it to a "nuclear bomb"; another said what they knew 
> from previous reports was a 6 out of 10 but this one is a 10 out of 10.)
> 
> There are a number of outstanding threads at BlackBoxVoting.org about 
> all this, including a link to Hursti's first report which covers the 
> three serious vulnerabilities mentioned above.  A second report will be 
> issued tomorrow dealing with 12 more vulnerabilities which, though also 
> serious, are not in the same league of seriousness or irremediability as 
> the first three.
> 
> There is obviously LOTS more to be said about this.
> 
> *Among other things - regarding the Irish system* (which has hopefully 
> bitten the dust, but since there's no CEV report out yet we cannot be sure).
> 
> For example,
> Did the technical team hired by the CEV have actual physical access to 
> actual voting machines, preferably chosen by them at random?
> Was the OS available for full code inspection?
> Would their inspection have been forensic in nature, and would it have 
> uncovered potential backdoors in the bootloader or elsewhere?
> 
> Catherine
> 
> _______________________________________________
> E-voting mailing list
> E-voting at lists.stdlib.net
> http://lists.stdlib.net/mailman/listinfo/e-voting
> http://evoting.cs.may.ie/
