Diebold Shows Anyone How To Break Into Their E-Voting Machines

from the yikes dept

Well, this is just fantastic. Following the claims that there are no real problems with e-voting machines, almost immediately followed by reports of massive fraud with e-voting machines in Brazil, Alex Halderman is pointing out that Diebold, in its infinite wisdom, is making it ridiculously easy to break into its machines. Halderman was part of the team that showed that the locks on Diebold's e-voting machines used a default key that was common to many hotel minibars and could be found easily in many places. However, the researchers who noted this were still careful never to show the actual key, preferring not to help anyone who seriously intended to break into the machines. Diebold, on the other hand, isn't so careful. The company, which has continually played down reports of security flaws, is apparently selling the very key you need to break into its boxes on its online site... with a picture of the key. You need to be a Diebold account holder to buy it, but anyone can look at the key and then figure out how to make their own copy -- and, in fact, that's exactly what someone did. He used the picture to cut his own keys and sent the keys to Halderman, who found that two of the three keys opened the Diebold locks with ease. The guy who discovered this notified Diebold a month ago, but Diebold did not respond and has not removed the image of the key from its website.


Reader Comments

  •  
    Joe Nagle, Jan 24th, 2007 @ 8:32pm

    Diebold's e-voting machine security

    Jesus.

     


  •  
    Darren Kopp, Jan 24th, 2007 @ 8:48pm

    Hooray Beer!

    diebold is up the street from me. i should drop in and give them some lessons on security.

     


  •  
    Ryan, Jan 24th, 2007 @ 9:08pm

    If this scares you, and you haven't seen the college demo about how to not only alter votes, but spread the code as well, here is the link: http://www.youtube.com/watch?v=lwWP-N1HqT0

     


  •  
    hyphen, Jan 24th, 2007 @ 10:02pm

    HBO did a documentary called Hacking Democracy. This documentary went on to show how easy it was to manipulate votes / hack Diebold's electronic voting machines. Yeah.... scary stuff. Click here to check out HBO's page on their documentary

     


  •  
    Geeb, Jan 25th, 2007 @ 1:52am

    Choices, choices

    So, what do you reckon Diebold will do next?

    a) Improve their security
    b) Take down the pictures
    c) Sue the guy who made the keys

    Hmmmm....

     


  •  
    Jess, Jan 25th, 2007 @ 2:41am

    That's Amazing!!

    How come whenever I get my copies for keys only one out of 6 work and they have the actual key!! This guy made a copy from a picture?!! Where's my phone?!!

     


  •  
    angry poll worker, Jan 25th, 2007 @ 2:48am

    have you bothered to think.

    Ok first off, having worked the elections with the AccuVote systems I can tell you that they cannot be fooled the way many people seem to think they can.

    1. As this is a tech news site I'll assume that many of you know what a CRC/HASH check is. The first action done by the system's BIOS is a hash check on the CARD and ROM; if they fail the system will not boot.

    2. The only people with access to the machines that can set the CRC/HASH are your county election staff. Not state or national, just the county.

    3. The machines are not updated using memory cards. They are plugged in via an Ethernet connection for a push network wipe. I am sure many of you are used to this technology as you use it every time you do a network install of Windows.

    4. They use a 256 bit floating encryption scheme to protect the results on every machine. That means that a card from one machine would not be able to be accessed by any other machine. They are paired at the election office before ever going to the poll location.


    just a thought, but in a lab I can change almost anything to make it look like it will function just as I want it to. however with it being a federal felony with mandatory 5-10 years for election fraud it's funny reading the misinformation being spread.

     


    •  
      angry american voter, Jan 25th, 2007 @ 5:28am

      Re: have you bothered to think.

      OK as this is a tech site, let's just spew out nonsense and hope that everyone is intimidated.

      You can say anything you want about 256 floating bit encryption and CRC/HASH all you want.

      It seems to me that you're whining because people think you're a moron and/or a Diebold employee.
      (Jury is still out on that...)

      You think that any of these so-called security features are valid? Are you actually trying to tell us that the machines are safe and tamper-proof?

      Wake up, get out of bed and tell me what color the sun is in your world.

      It's been proven time and time again that you're WRONG. The machines have been 'adjusted', can and easily be hacked, by many people.

      And you think any of your statements about a felony and 5-10 years mean jack to people? Are these the same people that are sending US soldiers over to die for oil?
      Or the same a@@holes that send me SPAM from bots and hijacked machines? - oh wait there is really good security on those machines as well- couldn't possibly be any SPAM now could there?
      Go back to sticking your head in the sand and keep toting that party line.

       


      •  
        Enrico Suarve, Jan 25th, 2007 @ 6:38am

        Re: Re: have you bothered to think.

        Exactly...

        Angry Poll Worker - is it not the least bit disturbing to you that in all the areas independent people have looked at there have been significant security flaws?

        I would suggest that not only country election staff have access to machines - I am supposedly the only person with access to my house, it didn't stop me being burgled (by someone with a lot less to gain than a fixed election)

        Relying on the security of some automated CRC check and just sitting back smugly and stating "it's all OK then" is maybe a little blind

        At the end of the day the physical security on the machine is built to the same standard as a mini-bar, what exactly does that infer about the rest of the security?

        Maybe you do update your machines by network -
        Is that the same everywhere?
        Would it remove a malicious program already present on the machine?
        Are you sure?
        Have you tested?
        How utterly confident are you that there is never one person alone with a machine for over a minute on the entire of election day?

        It would probably be unreasonable to seriously respond to Princeton's plea of "We urge public officials to address these issues promptly" http://itpolicy.princeton.edu/voting - far more sensible would be to stick your fingers in your ears à la "La, la, laa i'm not listening"

        Finally there ARE people out there who fund campaigns (legally) to the tune of millions to get political advantage and there ARE criminals who work for a lot less than this and risk similar penalties. Is it that big a leap of imagination to combine the two?

         


    •  
      Enrico Suarve, Jan 25th, 2007 @ 11:08am

      Re: have you bothered to think.

      Dear Angry Poll Worker
      Sorry if I was a little harsher earlier - the face of the polling worker around 16min 20secs on this video has softened me slightly and rightly humbled me http://www.youtube.com/watch?v=fKs12idbZ_I

      She has just learnt that the Diebold system she has been responsible for overseeing is vulnerable to a hack and votes can be realistically altered. This is the face of a true believer and stalwart of democracy finding out the security on her systems is not secure

      I would urge you to watch the clip and decide - the gentleman supervising the test is not a tin-foil hat man - he is one of Florida's senior election officials

      I think when dealing with a technology like this which can be messed with this is always going to be the problem - Diebold have always stated their systems are secure and denied all problems allowing presidents, congressmen, senators etc to be selected using them. They still don't admit any problems with the optical system in use in the test - what aren't they telling you about the system you currently use?

       


  •  
    Matthew, Jan 25th, 2007 @ 5:17am

    1, 2, 3, 4, 5

    Remind me to change the combination on my luggage -Mel Brooks as President Skroob in Spaceballs

     


  •  
    Anonymous Coward, Jan 25th, 2007 @ 6:02am

    Open sourcing

    So, people have been whining and moaning that e-voting machine companies should release their source code as a means to make them more secure and this makes a lot of sense to me. The more people know how the code works the easier it will be to detect and trace any fraud. What's the complaint here? So people can make a key to get into a machine. Do you all honestly believe that a person can stick a USB memory stick into one of these boxes and alter human history? We do not live in a Hollywood movie. Sometimes I think this site needs to take "Tech" out of its name.

     


  •  
    mc123, Jan 25th, 2007 @ 6:14am

    If you've seen "Hacking Democracy" you would know that it doesn't matter what type of security features the machines themselves have. The vote counts on the machines can be altered simply through the memory cards. All the memory card has to do is start with a negative total for one candidate. It actually seemed like a very simple process. It clearly doesn't matter who has access to the machines because the big shots at Diebold (who promise that elections will have certain outcomes in certain states, go figure) just have to provide pre-determined memory cards and an election can be fixed. Kind of scary knowing that your money probably comes out of an ATM with Diebold's name on it and our country votes in political leaders using Diebold machines.

     


  •  
    ScytheNoire, Jan 25th, 2007 @ 8:58am

    any election with an eVoting machine is not a valid election

     


  •  
    Bill, Jan 25th, 2007 @ 12:43pm

    Oh, how I yearn to go back to the days of the paper ballot and the "X" in the box.

     


    •  
      angry Poll worker, Jan 26th, 2007 @ 7:28pm

      Re:

      LOL I guess no one here realizes that the paper votes you cherish so much have been being counted by machines for over 40 years. It used to be that to throw an election you had to lose the paper ballots, while feeding the counting machines.

      now it's easier to secure the votes are accurate and everyone is claiming they are less accurate.

      I guess time will tell.

       


      •  
        Enrico Suarve, Jan 27th, 2007 @ 4:48am

        Re: Re:

        I can't be bothered to point out that it's going to be a lot easier to commit fraud if you can automate it - oops

        Ah well guess we're back to "la la la i'm not listening then"

        PS: time did tell - it already happened, some people are trying to point out it might be nice if it didn't happen every time? you know like you went back to having a democracy and stuff?

         


  •  
    SpAM, Jan 25th, 2007 @ 6:20pm

    Hanging chads anyone?

    Does this dispel the notion that physical media are also hack proof? You can thank the Secretary of State for FL (now out on her CHaDss thanks to the voters in FL) for the ridiculous butterfly ballot to begin with. Not that I am defending DIEbold.

     


  •  
    Proud Brazilian, Jan 26th, 2007 @ 12:22pm

    Brazilians don't use Diebold machines

    All the totals are printed in the voting room in at least 5 copies before closing the machine. So, it's very easy to detect if someone messes up with the data.

    Come to visit Brazil, when you want to learn how to do an election with more than 100 million voters and give the results in less than 24 hours, instead of months of paper counting like US did in Bush junior's first election.

     


  •  
    CJ, Jan 28th, 2007 @ 2:11pm

    Hacking Democracy

    If you've seen Hacking Democracy, you've seen an unchecked group of random thoughts converted conveniently into "facts" by biased documentary makers. I'm not claiming Diebold's machines are hack-proof, but a friggin' HBO documentary is not evidence or proof of anything -- it serves only to muddy the waters. People who get their alleged "news" from entertainment TV need to rethink where their loyalties should lie. Let me guess, you also believed Oliver Stone's JFK...

     


    •  
      CH, Jan 30th, 2007 @ 3:08pm

      Re: Hacking Democracy

      Right, much better to believe the company who manufactures the machines and guarantees specific results in certain states..... They are much more credible than a documentary, right?

      la,la,la,la,la

       


