---
Date: Fri, 5 Dec 2003 15:23:11 -0800
Mime-Version: 1.0 (Apple Message framework v553)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Subject: Fwd: [E-S] [Fwd: Electronic Voting Device Information]
From: Jason Schultz <jason@private>
To: declan@private
Content-Transfer-Encoding: 7bit
Message-Id: <FE504C18-2779-11D8-8824-000A959B27EE@private>

Declan --

Thought you might enjoy this additional angle on e-voting security issues from one of our members.

[Forwarded with permission]

Begin forwarded message:

>From: "George Geczy" <george@private>
>Date: Thu Dec 4, 2003 11:03:09 PM US/Pacific
>To: <election@private>
>Cc: <donna@private>
>Subject: Electronic Voting Device Information
>Reply-To: <george@private>
>
>
>TO: Ohio Secretary of State / Elections office
>CC: Electronic Frontier Foundation
>
>I read the recent press release and backup documentation on the review of
>Electronic Voting devices, released by the Ohio Secretary of State. I would
>like to thank you for posting the full report online. It is through such
>public scrutiny that online voting can truly become reliable.
>
>The Compuware report did, however, make a mistake in its view of certain
>security issues, and as I could not locate their email contact information
>maybe you could forward this to them for their future reviews. In their
>audit they declared the infrared interface used in systems such as the
>iVotronic to be secure as it is proprietary and "will not connect to a
>normal Windows, Linux or Mac machine". However, it is in fact very easy to
>reverse-engineer infrared communication. A device as simple as a "Palm
>Pilot" handheld computer can receive and transmit most custom infrared
>signals, and so the use of an infrared interface does NOT preclude hacking
>and unauthorized access through this method. In particular, if the data
>transmitted through the infrared port is not encrypted and properly keyed,
>it should be very simple to reverse-engineer the communications protocols
>between the PEB and the iVotronic. Given the Compuware report's comments on
>the lack of encryption and security in other elements of the system (such as
>writing to the memory card), it would seem that the iVotronic may be relying
>on a false sense of security in the use of an Infrared interface. The
>Compuware methodology heavily scrutinizes all other forms of interface to a
>voting unit (standard network connects and interface ports), but falls into
>this trap of not considering the infrared interface to be an at-risk port.
>
>Given the other security risks identified in the Compuware report, hacking
>an iVotronic could be as simple as walking into the voting booth using a
>correctly programmed Palm Pilot (a not at all unusual device among citizens)
>and using it to simulate a supervisory PEB access device.
>
>-- George Geczy.
>
>- George Geczy, Partner, dg technical consulting
>- Co-Chair, Hamilton Chamber Science & Technology Committee
>- Email: george@private Phone/Fax 905.304.9383
>

-----------------------------------------------------------------------
Jason M. Schultz                    (415) 436-9333 x 112
Staff Attorney                      jason@private
Electronic Frontier Foundation      www.eff.org

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 07:46:24 PST