The RDV Group InfoSec Blog

Thursday, February 23, 2006

IrDA Protocol Can Compromise Diebold Voting Machines

Bill Glennon pointed me to this article from The Brad Blog: "IrDA Protocol Can 'Totally Compromise Systems' Without Detection, Warns Federal Voting Standards Website. So far, no state or federal authority -- to our knowledge -- has dealt with this alarming security threat". He posts a photograph from the side of a Diebold AccuVote TSx touch-screen voting machine, which clearly shows an Infrared port.

Now, for those who aren't acquainted with this little guy, Brad goes on to elaborate: "Now we have no idea what that 'IrDA' port is meant to be used for with a touch-screen voting machine, but we do know that the IrDA (Infrared Data Association) is an Infrared port used for wireless connection between two devices. We used to have one on the back of our notebook and desktop computers which we used to keep the two systems synched up via wireless data transfers over that Infrared port."

According to NIST (National Institute of Standards and Technology), this is a big no-no. Brad goes on: "They issued a warning [PDF] about the Infrared ports on voting machines in a report which warned 'The use of short range optical wireless,' like infrared, 'particularly on Election Day should not be allowed.' Also, issued an alert mentioning it, with a photograph, back on October 26, 2004."

I don't know what the IrDA is used for, but as I explained in my book "Wireless Security Essentials: Defending Mobile Systems from Data Piracy", just its existence destroys any guarantee of data integrity. Another comment posted to NIST's voting website [PDF] by James C. Johnson on October 5, 2005 states that "...the use of the IrDA protocols could be used at any time, even after final 'Logic and Accuracy' tests have been performed", and thus "totally compromising the system."

Especially with the security and accountability issues with Diebold machines, this is a no-brainer. How much longer can Diebold foist off an insecure, unaccountable system on the American voter? And how much longer will the Secretaries of State allow this?

