Source Code Review of the Diebold Voting System

to the California Secretary of State as part of a " Top-to-Bottom " review of electronic voting systems certified for use in the State of California. Executive Summary This report is a security analysis of the Diebold voting system, which consists primarily of the AccuVote-TSX (AV-TSX) DRE, the AccuVote-OS (AV-OS) optical scanner, and the GEMS election management system. It is based on a study of the system's source code that we conducted at the request of the California Secretary of State as part of a " top-to-bottom " review of California voting systems. Our analysis shows that the technological controls in the Diebold software do not provide sufficient security to guarantee a trustworthy election. The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes. These vulnerabilities include: • Vulnerability to malicious software The Diebold software contains vulnerabilities that could allow an attacker to install malicious software on voting machines or on the election management system. Malicious software could cause votes to be recorded incorrectly or to be miscounted, possibly altering election results. It could also prevent voting machines from accepting votes, potentially causing long lines or disenfranchising voters. • Susceptibility to viruses The Diebold system is susceptible to computer viruses that propagate from voting machine to voting machine and between voting machines and the election management system. A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county's voting machines. Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines. • Failure to protect ballot secrecy Both the electronic and paper records of the Diebold AV-TSX contain enough information to compromise the secrecy of the ballot. The AV-TSX records votes in the order in which they are cast, and it records the time that each vote is cast. As a result, it is possible for election workers who have access to the electronic or paper records and who have observed the order in which individuals have cast their ballots to discover how those individuals voted. Moreover, even if this vulnerability is never exploited, the fact that the AV-TSX makes it possible for officials to determine how individuals voted may be detrimental to voter confidence and …