CA Releases Source Code Review of Voting Machines -- New Security Flaws Revealed; Old Ones Were Never Fixed: " A team of computer scientists tasked with examining the source code of voting machines used in California (and elsewhere across the country) finally released their much-anticipated report on Thursday and it contains significant information that could lead the secretary of state to decertify the machines on Friday (the last day by which Secretary of State Debra Bowen can make decisions that affect voting machines that will be used in 2008).

The team, led by UC Berkeley computer scientist David Wagner, conducted the most thorough security examination of e-voting machines that has been done to date and examined both touch-screen and optical-scan systems (a separate Red Team conducted hacking tests on the machines and released their report last week).

Wagner's source code team found that the Diebold system still had many of the most serious security flaws that computer scientists had uncovered in the system years ago, despite Diebold's claims that problems had been fixed. These include vulnerabilities that would allow an attacker to install malicious software to record votes incorrectly or miscount them or that would allow an attacker with access to only one machine and its memory card to launch a vote-stealing virus that could spread to every machine in a county.

They also found that the Diebold system lacked administrative safeguards to prevent county election workers from escalating their privileges on the election management software that counts the votes. Essentially, the researchers found that the Diebold software was so 'fragile' that it would require an entire re-engineering of the system to make it secure. From the Diebold report (PDF):

Since many of the vulnerabilities in the Diebold system result from deep architectural flaws, fixing individual defects piecemeal without addressing their underlying causes is unlikely to
render the system secure. Systems that are architecturally unsound tend to exhibit ‘weakness-
in-depth’ — even as known flaws in them are fixed, new ones tend to be discovered. In this sense,
the Diebold software is fragile.

Here's just a sample of what the researchers found in the Diebold system:

Data on the memory cards for the optical-scan machines is unauthenticated

The connection between the voting machines and the server that contains the vote-counting software is unauthenticated

The memory card checksums do not adequately detect malicious tampering

The audit log does not adequately detect malicious tampering

The memory card ‘signature’ does not adequately detect malicious tampering

Buffer overflows in unchecked string operations allow arbitrary code execution

Integer overflows in the vote counters are unchecked

Votes can be swapped or neutralized by modifying the defined candidate voting
coordinates stored on the memory card

Multiple vulnerabilities in the AccuBasic interpreter allow arbitrary code execution

A malicious AccuBasic script can be used to hide attacks against the optical-scan machine and defeat
the integrity of zero and summary tapes printed on the optical-scan machine

The touch-screen machine automatically installs bootloader and operating system updates from the
memory card without verifying the authenticity of the updates

The touch-screen machine automatically installs application updates from the memory card without
verifying the authenticity of the updates

Multiple buffer overflows in .ins file handling allow arbitrary code execution on startup.

The list goes on. The researchers also describe an interesting attack of the voter-verified paper audit trail (see p. 15 of the report).

The researchers found that although some vulnerabilities could be mitigated by making changes to election procedures, poll workers and election officials likely wouldn't be able to implement them adequately (see this story on last year's primary in Cuyahoga County, Ohio, to see why relying on poll workers and election officials to make voting systems secure can be problematic.)

Two other systems (Sequoia and Hart InterCivic) were also examined, with similar results. You can see those reports here and here.

(Read Original Article - Via Threat Level.)