Security Assessment of the Diebold Optical Scan Voting Terminal

We present an independent security evaluation of the AccuVote Optical Scan voting terminal (AV-OS). We identify a number of new vulnerabilities of this system which, if exploited maliciously, can invalidate the results of an election process utilizing the terminal. Furthermore, based on our findings an AV-OS can be compromised with off-the-shelf equipment in a matter of minutes even if the machine has its removable memory card sealed in place. The basic attack can be applied to effect a variety of results, including entirely neutralizing one candidate so that their votes are not counted, swapping the votes of two candidates, or biasing the results by shifting some votes from one candidate to another. Such vote tabulation corruptions can lay dormant until the election day, thus avoiding detection through pre-election tests. Based on these findings, we describe new safe-use recommendations for the AV-OS terminal. Specifically, we recommend installation of tamper-resistant seals for (i) removable memory cards, (ii) serial port, (iii) telephone jacks, as well as (iv) screws that allow access into the terminal’s interior; failure to seal any single one of these components renders the terminal susceptible to the attack outlined above. An alternative is to seal the entire Optical Scan system (sans ballot box) into a tamper-resistant container at all times other than preparation for election and deployment in an election. An unbroken chain of custody must be enforced at all times. Post-election audits are also strongly advised. The Diebold AccuVote Optical Scan voting terminals described in this report are going to be used in November 2006 election in several precincts in the State of Connecticut. The terminals are provided by the LHS Associates of Massachusetts. VoTeR Center personnel assisted the Office of the Connecticut Secretary of the State in developing safe use procedures for the Optical Scan terminals for this election. The procedures in place for the election includes strict physical custody policy, tamper-resistant protection of the equipment, and random post-election audits.