New Report From Diebold'Hired Testing Company Reveals Security Flaws in Machines Certified By Secretary of State
State Senator Bowen Criticizes Secretary's Refusal To Publicly Vett Two SoS-Requested Reports Identifying Security Flaws in Diebold Machines
Download the CIBER Inc Diebold Report (PDF)
Download the California Voting System Technology Assessment Advisory Board AccuBasic Report (PDF)
As the Secretary of State held a hearing today on whether voting systems from four manufacturers should be certified for use in California, Senator Debra Bowen (D-Redondo Beach), the chairwoman of the Senate Elections, Reapportionment & Constitutional Amendments Committee, criticized the Secretary’s continuing refusal to hold a public hearing on the security flaws that have been identified in the Diebold systems he re-certified for use on February 17.
“The Secretary can’t be allowed to have it both ways,” said Bowen. “He laid out a process for dealing with the Diebold re-certification request, one that people who are concerned about the reliability and accuracy of these machines relied on, and then he ignored it. He says he’s for public hearings and a public process, yet he continually changed the process he established and refused to release critical information about the flaws in the Diebold machines until after he decided to re-certify them.”
Today’s hearing involved the proposed certifications of voting systems from ES&S, Hart InterCivic, Sequoia, and Populex. The Secretary of State did hold a hearing on the Diebold re-certification request on November 21, 2005. However, that hearing was held before the February 17, 2006, release of a report from the Secretary’s Voting Systems Technology Assessment Advisory Board (VSTAAB) that identified 16 security flaws in the Diebold machines, and before the February 28, 2006, release of a report from the independent testing authorities (ITA) that identified three security flaws in the Diebold machines and recommended code changes.
“The Secretary has continued to say one thing and then do another on this certification process, which does nothing but undermine the voters’ confidence,” continued Bowen. “In August, he said he wouldn’t certify any voting system that didn’t meet all of the federal standards, yet the Diebold machines he re-certified in February don’t meet the federal standards. In December, he said he wouldn’t act on Diebold’s re-certification request until he heard back from the ITA, yet he approved the Diebold machines in February without waiting for the ITA’s report on the Diebold memory cards.”
The Secretary released the ITA report on the Diebold memory cards on Tuesday, February 28. The report, which was conducted by CIBER and was dated February 23, 2006, notes in part:
“Certain vulnerabilities in this report may require a portion of the code to be modified in order to correct the vulnerabilities identified. To ensure that the efforts to correct vulnerabilities do not introduce new vulnerabilities, CIBER strongly recommends retesting of the remediated code prior to its migration to a production environment.”
“What’s not clear is whether the Secretary is now going to require Diebold to modify its equipment and re-test it to address the issues raised by the ITA report, or whether he’s going to continue to ignore the security flaws identified by this report and the report put out by his own staff,” continued Bowen. “The Secretary’s decision to rely on elections officials and volunteer poll workers in hundreds of polling places around the state to manually override the embedded security flaws in these machines concerns me and should concern anyone who cares about the reliability, the accuracy, and the integrity of California’s elections.”
Following is a timeline of the important dates and actions related to the Secretary of State’s decision to re-certify the Diebold voting systems:
August 3, 2005 – Secretary McPherson announces, “All systems certified by the Secretary of State’s Office shall comply with the standards and requirements of the Help America Vote Act of 2002 (HAVA) [Public Law 107-22, 106th Congress], including all requirements, standards and regulations promulgated pursuant to authority derived from HAVA, as well as complying with all other applicable requirements and standards explicit in federal and state laws, and any requirements, standards and regulations deriving authority from federal and state laws.” This means all systems certified for use in California have to comply with the 2002 Voting System Standards adopted by the Federal Election Commission (FEC) and the Election Assistance Commission (EAC) that ban the certification of voting machines that contain interpreted code.
October 3, 2005 – The Diebold system is federal qualified and is assigned NASED number N-1-06-22-22-002. However, as the Secretary notes on December 20, this review and qualification failed to look at the machine’s memory cards.
November 21, 2005 – Secretary McPherson conducts a public hearing on Diebold’s application to have its voting systems re-certified for use in California. Although the Secretary’s staff report recommends re-certifying the machines, no decision on re-certification is reached due in part to concerns raised during the hearing.
December 20, 2005 – Secretary McPherson announces he won’t consider approving the Diebold systems until the ITA acts on his request to review the Diebold memory cards. He states, “During a thorough review of the application for the Diebold system currently pending certification, we have determined that there is sufficient cause for additional federal evaluation. I have consistently stated that I will not certify any system for use in California unless it meets the most stringent voting system requirements.” Attached to his statement is a letter from the chief of the Secretary’s Elections Division to Diebold stating, “We require this additional review before proceeding with further consideration of your application for certification in California. Once we have received a report from the federal ITA adequately analyzing this source code, in addition to the technical and operational specifications relating to the memory card and interpreter, we will expeditiously proceed with our comprehensive review of your application.”
January 18, 2006 – The Secretary of State’s staff, in a hearing of the Senate Elections, Reapportionment & Constitutional Amendments Committee, publicly announces that the state process for certifying voting machines can’t begin until the federal process is completed. The Secretary of State’s staff notes it won’t begin the process of determining whether the Diebold machines should be re-certified until the ITA responds to the Secretary’s December 20, 2005, request for further testing.
February 17, 2006 – Secretary McPherson announces that he has re-certified the Diebold machines despite the fact that the ITA report he requested in December hasn’t been completed. The Secretary explains he made his decision after receiving a yet-to-be-released report conducted by his own Voting Systems Technology Assessment Advisory Board (VSTAAB).
February 17, 2006 – After issuing his certification order, Secretary McPherson releases the VSTAAB report, which is dated February 14, 2006. Prior to its release, there was no public notice that such a report was being developed or would be the basis for the Secretary’s decision. The report concludes there are a minimum of 16 security flaws in the Diebold machines, noting, “These bugs would have no effect at all in the absence of deliberate tampering, and would not be discovered by any amount of functionality testing; but they could allow an attacker to completely control the behavior of the [voting machine]. An attacker could change vote totals, modify reports, change the names of candidates, change the races being voted on, or insert his own code into the running firmware of the machine.” The report also notes the Diebold machines rely on interpreted code, stating, “Interpreted code in general is prohibited by the 2002 FEC Voluntary Voting System Standards, and also by the successor standard, the EAC’s Voluntary Voting System Guidelines due to take effect in two years. In order for the Diebold software architecture to be in compliance, it would appear that either the AccuBasic language and interpreter have to be removed, or the standard will have to be changed.” The FEC standards that ban the use of interpreted code are the very standards the Secretary pledged to follow on August 3, 2005.
February 22, 2006 – Senator Bowen writes to Secretary McPherson, calling on him to reverse his February 17 decision to re-certify the machines. The letter states the Secretary’s decision is: 1) Contrary to his August 3, 2005, promise not to certify machines that don’t comply with all federal guidelines and regulations; 2) Contrary to his December 20 statement to wait for the ITA to act; 3) Contrary to state law requiring any machine that’s certified for use in the state to also be federally certified (although technically the Diebold machines have a federal certification number from October 3, 2005, the Secretary himself pointed out on December 20, 2005, that the certification didn’t review the Diebold memory cards, which is why the Secretary sent them back for review); 4) Contrary to the state law requiring all direct recording electronic voting machines to have an accessible voter verified paper trail that provides a visually-impaired voter with an audio read-back of what’s recorded on the paper trail; and 5) Out of compliance with the law requiring a public hearing on a voting system because the report upon which the Secretary’s approval was based wasn’t prepared or released until nearly three months after the original public hearing.
February 28, 2006 – Secretary McPherson releases the ITA report – dated February 23, 2006 – from CIBER on the Diebold memory cards. The report notes the Diebold system uses interpreted code – something banned by the FEC standards the Secretary said on August 3, 2005, he would follow. The report also identifies at least three security vulnerabilities and a number of requirement violations. The report notes, “Certain vulnerabilities in this report may require a portion of the code to be modified in order to correct the vulnerabilities identified. To ensure that the efforts to correct vulnerabilities do not introduce new vulnerabilities, CIBER strongly recommends retesting of the remediated code prior to its migration to a production environment.” The report also states, “Error handling appears to be adequate for a system that executes in a perfect running environment. However, the interpreters do not have the proper degree of effort checking to identify or recover from key failures in a damaged, altered or dysfunctional environment. Our reasoning for increasing the security on the code is because the object code traverses potentially untrustworthy hands . . . Since the object code is on the memory cards being distributed, it is a prime target for potential tampering.”
Comment on This Article
You must login to leave comments...
Other Visitors Comments
You must login to see comments...