Princeton researchers take a look at voting machines


Researchers at Princeton have released findings from their study of the Diebold AccuVote-DS (which the EFF claims is Diebold's most widely used voting product) and have concluded that there were major flaws in the system that they tested.

Diebold, for their part, answered with a press release, accusing the researchers of doing nasty things and using old software (which, most assuredly, no actual voting precinct would do... right? I mean, they all want maintenance contracts because these are cheap and effective means of voting).

Unfortunately, the Marketing folks (yep, not anyone in the research or legal departments, but the director of marketing for the product line) have also included some interesting comments in the press release that are clearly designed to cast doubt by misleading the public. Comments such as "A virus was introduced to a machine that is never attached to a network" were intended to make it look as if the researchers had done something out of the ordinary with the device. However, the virus was introduced through the memory card that each of these machines requires to run--not over a network. Given that each of these machines has an easily accessible memory card port that is required for its proper operation, this is hardly a stretch for an infection vector.

And, while it is true that the folks at Princeton opened the machines up (thus causing visible security breaches due to the security tape being compromised), opening them wasn't the method used to actually infect or modify the machines. Instead, it was used to determine how to devise the attack. To expect that somebody intent on vote-rigging would not use this method to figure out how to attack the machines is folly.

However, the real question is whether these "bugs" are fixed in the current shipping software. Diebold says they are (and claims a host of nice security acronyms to prove it), but I don't see them offering to have Princeton rerun the tests now.

An important thing to think about when looking at security on these types of devices is that the best security programs rely on disclosure to encourage penetration and allow for testing at all levels. Why don't Diebold and some of the other voting machine companies take a page from these ideas and encourage people to find the problems for them, fix them, and then challenge them again?