Diebold Shows Anyone How To Break Into Their E-Voting Machines

from the yikes dept

Wed, Jan 24th 2007 8:15pm — Mike Masnick

Well, this is just fantastic. Following the claims that there's no real problems with e-voting machines, almost immediately followed by reports of massive fraud with e-voting machines in Brazil, Alex Halderman is pointing out that Diebold, in their infinite wisdom, are making it ridiculously easy to break into their machines. Halderman was a part of the team that showed that Diebold's locks on their e-voting machines used a default key that was common to many hotel minibars and could be found easily in many places. However, the researchers who noted this were still careful never to show the actual key, preferring not to help anyone who seriously intended on breaking into the machines. Diebold, on the other hand, isn't so careful. The company, that has continually played down reports of security flaws is apparently selling the very key you need to break into their boxes on their online site... with a picture of the key. You need to be a Diebold account holder to buy it, but anyone can look at the key and then figure out how to make their own copy -- and, in fact, that's exactly what someone did. He used the picture to cut his own keys and sent the keys to Halderman, who found that two of the three keys opened the Diebold locks with ease. The guy who discovered this notified Diebold a month ago, but Diebold did not respond and has not removed the image of the key from their website.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Joe Nagle, 24 Jan 2007 @ 8:32pm

Diebold's e-voting machine security
Jesus.
[ link to this | view in chronology ]
Darren Kopp, 24 Jan 2007 @ 8:48pm

Hooray Beer!
diebold is up the street from me. i should drop in and give them some lessons on security.
[ link to this | view in chronology ]
Ryan, 24 Jan 2007 @ 9:08pm

If this scares you, and you havn't seen the college demo about how to not only alter votes, but spread the code as well here is the link: http://www.youtube.com/watch?v=lwWP-N1HqT0
[ link to this | view in chronology ]
hyphen, 24 Jan 2007 @ 10:02pm

HBO did a documentary called Hacking Democracy. This documentary went on to show how easy it was to manipulate votes / hack Diebold's electronic voting machines. Yeah.... scary stuff. Click here to check out HBO's page on their documentary
[ link to this | view in chronology ]
Geeb, 25 Jan 2007 @ 1:52am

Choices, choices
So, what do you reckon Diebold will do next?

a) Improve their security
b) Take down the pictures
c) Sue the guy who made the keys

Hmmmm....
[ link to this | view in chronology ]
Jess, 25 Jan 2007 @ 2:41am

That's Amazing!!
How come whenever I get my copies for keys only one out of 6 work and they have the actual key!! This guy made a copy from a picture?!! Where's my phone?!!
[ link to this | view in chronology ]
angry poll worker, 25 Jan 2007 @ 2:48am

have you bothered to think.
Ok first off, having worked the elections with the acuvote systems I can tell you that they can not be fooled the way many people seem to think they can.

1. as this is a tech new site I'll assume that many of you know what a CRC/HASH check is. the first action done by the systems bois is a hash check on the CARD and ROM if they fail the system will not boot.

2. the only people with access to the machines that can set the CRC/HASH are your county election staff. not state or national, just the county.

3. the machines are not updated using memory cards. they are plugged in via a Ethernet connection for a push network wipe. I am sure many of you are used to this technology as you use it every time you do a network install of windows.

4. they use a 256 bit floating encryption scheme to protect the results on every machine. that means that a card from one machine would not be able to be accessed by any other machine. they are paired at the election office before ever going to the poll location.

just a thought, but in a lab I can change almost anything to make it look like it will function just as I want it to. however with it being a federal felony with mandatory 5-10 years for election fraud it's funny reading the misinformation being spread.
[ link to this | view in chronology ]
- angry american voter, 25 Jan 2007 @ 5:28am
  
  Re: have you bothered to think.
  OK as this is a tech site, let's just spew out nonsense and hope that everyone is intimidated.
  
  You can say anything you want about 256 floating bit encryption and CRC/HASH all you want.
  
  It seems to me that you're whining because people think you're a moron and/or a Diebold employee.
  (Jury is still out on that...)
  
  You think that any of these so-called security features are valid? Are you actually trying to tell us that the machines are safe and tamper-proof?
  
  Wake up, get out of bed and tell me what color the sun is in your world.
  
  It's been proven time and time again that you're WRONG. The machines have been 'adjusted', can and easily be hacked, by many people.
  
  And you think any of your statements about a felony and 5-10 years mean jack to people? Are these the same people that are sending US soldiers over to die for oil?
  Or the same a@@holes that send me SPAM from bots and hijacked machines? - oh wait there is really good security on those machines as well- couldn't possibly be any SPAM now could there?
  Go back to sticking your head in the sand and keep toting that party line.
  [ link to this | view in chronology ]
  - Enrico Suarve, 25 Jan 2007 @ 6:38am
    
    Re: Re: have you bothered to think.
    Exactly...
    
    Angry Poll Worker - is it not the least bit disturbing to you that in all the areas independent people have looked at there have been significant security flaws
    
    I would suggest that not only country election staff have access to machines - I am supposedly the only person with access to my house, it didn't stop me being burgled (by someone with a lot less to gain than a fixed election)
    
    Relying on the security of some automated CRC check and just sitting back smuggly and stating "its all OK then" is maybe a little blind
    
    At the end of the day the physical security on the machine is built to the same standard as a mini-bar, what exactly does that infer about the rest of the security?
    
    Maybe you do update your machines by network -
    Is that the same everywhere?
    Would it remove a malicious program already present on the machine?
    Are you sure?
    Have you tested?
    How utterly confident are you that there is never one person alone with a machine for over a minute on the entire of election day?
    
    It would probably be unreasonable to seriously respond to Prinston's plea of "We urge public officials to address these issues promptly" http://itpolicy.princeton.edu/voting far more sensible would be stick your fingers in your ears al-la "La, la, laa i'm not listening"
    
    Finally there ARE people out there who fund campaigns (legally) to the tune of millions to get political advantage and there ARE criminals who work for a lot less than this and risk similar penalties. Is it that big a leap of imagination to combine the two?
    [ link to this | view in chronology ]
- Enrico Suarve, 25 Jan 2007 @ 11:08am
  
  Re: have you bothered to think.
  Dear Angry Poll Worker
  Sorry if I was a little harsher earlier - the face of the polling worker around 16min 20secs on this video has softened me slightly and rightly humbled me http://www.youtube.com/watch?v=fKs12idbZ_I
  
  She has just learnt that the Diebold system she has been responsible for overseeing is vulnerable to a hack and votes can be realistically altered. This is the face of a true believer and stalwart of democracy finding out the security on her systems is not secure
  
  I would urge you to watch the clip and decide - the gentleman supervising the test is not a tin-foil hat man - he is one of Florida's senior election officials
  
  I think when dealing with a technology like this which can be messed with this is always going to be the problem - Diebold have always stated their systems are secure and denied all problems allowing presidents, congressmen, senators etc to be selected using them. They still don't admit any problems with the optical system in use in the test - what aren't they telling you about the system you currently use?
  [ link to this | view in chronology ]
Matthew, 25 Jan 2007 @ 5:17am

1, 2, 3, 4, 5
Remind me to change the combination on my luggage -Mel Brooks as President Skroob in Spaceballs
[ link to this | view in chronology ]
Anonymous Coward, 25 Jan 2007 @ 6:02am

Open sourcing
So, people have been whining and moaning that e-voting machine companies should release their sourcecode as a means to make them more secure and this makes a lot of sense to me. The more people know how the code works the easier it will be to detect and trace and fraud. What's the complaint here? So people can make a key to get into a machine. Do you all honestly believe that a person can stick a usb memory stick into one of these boxes and alter human history? We do not live in a hollywood movie. Sometimes I think this site needs to take "Tech" out of it's name.
[ link to this | view in chronology ]
mc123, 25 Jan 2007 @ 6:14am

If you've seen "Hacking Democracy" you would know that it doesn't matter what type of security features the machines themselves have. The vote counts on the machines can be altered simply through the memory cards. All the memory card has to do is start with a negative total for one candidate. It actually seemed like a very simple process. It clearly doesn't matter who has access to the machines because the big shots at Diebold (who promise that elections will have certain outcomes in certain states, go figure) just have to provide pre-determined memory cards and an election can be fixed. Kind of scary knowing that your money probably comes out of an ATM with Diebold's name on it and our country votes in political leaders using Diebold machines.
[ link to this | view in chronology ]
ScytheNoire, 25 Jan 2007 @ 8:58am

any election with an eVoting machine is not a valid election
[ link to this | view in chronology ]
Bill, 25 Jan 2007 @ 12:43pm

Oh, how I yearn to go back to the days of the paper ballot and the "X" in the box.
[ link to this | view in chronology ]
- angry Poll worker, 26 Jan 2007 @ 7:28pm
  
  Re:
  LOL I guess no one here realizes that the paper votes you cherish so much have been being counted my machines for over 40 years. it used to be that to throw an election you had to loose the paper ballets, while feeding the counting machines.
  
  now it's easier to secure the votes are accurate and everyone is claiming they are less accurate.
  
  I guess time will tell.
  [ link to this | view in chronology ]
  - Enrico Suarve, 27 Jan 2007 @ 4:48am
    
    Re: Re:
    I can't be bothered to point out that it's going to be a lot easier to commit fraud if you can automate it - oops
    
    Ah well guess we're back to "la la la i'm not listening then"
    
    PS: time did tell - it already happened, some people are trying to point out it might be nice if it didn't happen every time? you know like you went back to having a democracy and stuff?
    [ link to this | view in chronology ]
SpAM, 25 Jan 2007 @ 6:20pm

Hanging chads anyone?
Does this dispell the notion that physical media are also hack proof? You can thank the Secretary of State for FL (now out on her CHaDss thanks to the voters in FL) for the ridiculous butterfly ballot to begin with. Not that I am defending DIEbold.
[ link to this | view in chronology ]
Proud Brazilian, 26 Jan 2007 @ 12:22pm

Brazilians don't use Diebold machines
All the totals are printed in the voting room in at least 5 copies before closing the machine. So, it's very easy to detect if someone messes up with the data.

Come to visit Brazil, when you want to learn how to do an election with more than 100 million voters and give the results in less than 24 hours, instead of months of paper counting like US did in Bush junior's first election.
[ link to this | view in chronology ]
CJ, 28 Jan 2007 @ 2:11pm

Hacking Democracy
If you've seen Hacking Democracy, you've seen an unchecked group of random thoughts converted conveniently into "facts" by biased documentary makers. I'm not claiming Diebold's machines are hack-proof, but a friggin' HBO documentary is not evidence or proof of anything -- it serves only to muddy the waters. People who get their alleged "news" from entertainment TV need to rethink where their loyalties should lie. Letme guess, you also believed Oliver Stone's JFK...
[ link to this | view in chronology ]
- CH, 30 Jan 2007 @ 3:08pm
  
  Re: Hacking Democracy
  Right, much better to believe the company who manufacturers the machines and guarantees specific results in certain states..... They are much more credible than a documentary, right?
  
  la,la,la,la,la
  [ link to this | view in chronology ]