University of Connecticut Researchers Demonstrate New Vulnerabilities in Diebold AccuVote-OS Optical Scan Voting Terminal
System can be compromised even if its removable memory card is sealed in placeUConn Voting Technology Research Center
October 31st, 2006
snip
...The basic attack can be applied to effect a variety of results, including entirely
neutralizing one candidate so that their votes are not counted, swapping the votes of two candidates, or biasing the results by shifting some votes from one candidate to another. Such vote tabulation corruptions can lay dormant until the election day, thus avoiding detection through pre-election tests.snip
Comments on the UConn Report
Comments of Michael Fischer, Prof. of Computer Science, Yale University and founding member of True Vote CT:
The UConn report shows just how vulnerable the AccuVote-OS optical scanner is to manipulations of the "programming" on the memory card and how easy it is to reprogram the card, even without removing it from the machine. However,
the most worrisome attack scenario is for the card to be rigged when it is first programmed, before it is delivered to the towns and before it is inserted and sealed into the machine. The safe use procedures in the UConn report are ineffective against such an attack. They do help to prevent the memory card from being altered after it is sealed in the machine, but they do nothing to prevent a malicious program from being written on the card in the first place.
While it is certainly prudent to follow such procedures, one must understand that they are not sufficient to assure a trustworthy election.In Connecticut, the programming of the cards has been contracted out to a private out-of-state company (LHS Associates, Inc., of Massachusetts). The State has no way to verify that the cards are correct when they arrive back at the towns prior to the pre-election logic and accuracy testing. Moreover, pre-election testing is also not adequate to verify the correctness of the programming. The UConn study shows that a card can be programmed so as to behave correctly during the pre-election testing and to only corrupt votes during the real election. This means that LHS has it within their power to completely control the outcomes of all Connecticut votes counted by optical scanners. Of course, the existence of the paper ballots makes it possible to detect such corruption after the fact, but only if the paper is manually counted. In Connecticut, most ballots are not manually counted even in the event of a recount. Rather, the regulations stipulate that the ballots originally counted by machine are to be recounted by running them through the machine again using a new memory card (except for ballots that are determined through a visual inspection to be improperly marked). Obviously, if the second memory card is programmed identically to the first, one can expect the results to be similar, even if wrong.
...Instead of restricting the election programming to simply describing the candidates and races and the positions of the bubbles on the printed ballot,
it allows fairly general programs to be written that affect not only the testable behavior of the machine (e.g., rejecting a ballot in case of an overvote), but also that permit the manipulation of votes, reports, and audit logs....snip
http://verifiedvotingfoundation.org/article.php?id=6411