A hacker, using a photograph of keys to a Diebold touch-screen voting system available on the company’s website, successfully duplicated two that were capable of opening the electronic balloting device now used in many states for elections.
BradBlog.com revealed that a team of computer scientists at Princeton University, who have been studying security issues related to electronic voting, was sent three keys made by a hacker-friend of one of the scientists.
Image of keys to Diebold’s AccuVote-TS system (Keyed edges altered by WND)
The hacker, Ross Kinard of SploitCast.com had discovered a photograph of keys to Diebold’s AccuVote-TS model for sale on the company’s website. The keys, similar in design to those used to open an office filing cabinet, sold for $5.90 a pair and were shown with the keyed edges clearly visible.
“I bought three blank keys from Ace [Hardware],” said Kinard. “Then a drill vise and three cabinet locks that used a different type of key from Lowes. I hoped that the spacing and depths on the cabinet locks’ keys would be similar to those on the voting-machine key. With some files I had I then made three keys to look like the key in the picture.”
But Kinard did not have access to a Diebold machine.
“Ross sent me his three homemade keys, and, amazingly, two of them can open the locks on the Diebold machine we used in our study!” said J. Alex Halderman, a Princeton Ph.D. student.
Halderman and his team revealed last summer that the Diebold AccuVote-TS was vulnerable to electronic hacking, demonstrating how non-detectable software could be installed to steal votes and leave no evidence of its activity.
Installing the vote-swapping software could be accomplished within 60 seconds if internal access to the machine was available. Access was achieved by removing screws or picking the lock, which one team member was able to do easily in 10 seconds.
The installed software’s viral qualities allowed it to infect other machines and potentially affect the outcome of an election, Halderman claimed.
In the course of their evaluation of the AccuVote-TS, the Princeton team also discovered that all AccuVote-TS devices were keyed exactly the same. While they publicized the vulnerability of the voting machine’s electronics, they did not release information on the use of a common key, so as to not further compromise security. Diebold will only sell keys to licensed owners of its devices.
Kinard’s duplication of the keys from a Diebold photograph made that policy a moot point. While Diebold has replaced the image of the keys on its site with a picture of a digital access card, the original photograph is widely available online.
Further, since Diebold does not uniquely key each machine, each election gives more poll workers an opportunity to copy the key they temporarily have in their possession.
Acknowledging that the photograph had been removed due to the level of interest on the Internet, Diebold spokesman Mark Radke defended the company’s policy of keying all machines of a particular model the same in a telephone interview with CNET News.
“Can you imagine, if the wrong keys went to the wrong precincts the morning of the election, what would happen?” he asked.
Noting that anyone opening a device with a duplicated key would have to break a seal on the machine to access the lock, Radke said the unauthorized entry would be detected.
“These are people that don’t have election experience making some of these comments,” he said.