Diebold Quietly Patches Security Flaw in Vote Counting Software

By Kim Zetter
August 12, 2009

Premier Election Solutions, formerly Diebold, has patched a serious security weakness in its election tabulation software used in the majority of states, according to a lab that tested the new version and a federal commission that certified it.

The flaw in the tabulation software was discovered by Wired.com earlier this year, and involved the program’s auditing logs. The logs failed to record significant events occurring on a computer running the software, including the act of someone deleting votes during or after an election. The logs also failed to record who performed an action on the system, and listed some events with the wrong date and timestamps.

A new version of the software does record such events, and includes other security safeguards that would prevent the system from operating if the event log were somehow shut down, according to iBeta Quality Assurance, the Colorado testing lab that examined the software for the federal government.

It’s not known if Premier will offer the more secure version to election officials who purchased previous software. The company did not respond to a call for comment Tuesday.

Called the Global Election Management System, or GEMS, the software is used to tabulate votes cast on Premier/Diebold touchscreen and optical-scan machines, among other functions, and is used in more than 1,400 election districts in nearly three dozen states. Maryland and Georgia, which use Premier systems exclusively, count every vote statewide with the software. GEMS runs on the Windows 2003 and Windows XP operating systems.

Official federal voting system standards require audit logs to record all normal and abnormal events that occur on the system.

Premier publicly acknowledged the flaw two months after Wired.com’s report, in a public hearing last March. When asked by a member of the California secretary of state’s staff if Premier had done anything to address the problem, Justin Bales, general service manager for Premier’s western region said, “No, not yet.”

Bales went on to say that the GEMS logs had been the same since the software was first created more than a decade ago.

“We never, again, intended for any malicious intent and not to log certain activities,” Bales said. “It was just not in the initial program, but now we’re taking a serious look at that.”

At the time, California Secretary of State Debra Bowen called GEMS auditing mechanism “useless.”

Officials at iBeta say the federal officials at the Election Assistance Commission — which recently began overseeing the testing and certification of voting systems — specifically asked the lab to pay careful attention to testing for the audit log issue.

Gail Audette, quality manager at iBeta, said Tuesday that version 1.21.5 of the GEMS software passed their tests. The software now records all “normal and abnormal” events, she says.

“It’s really up to interpretation what is an abnormal event and what is a normal event,” Audette says. “[But] everyone interprets the deletion of votes as abnormal events.”

IBeta tested Premier’s Assure 1.2 voting system, which includes its optical-scan and direct-recording electronic touchscreen devices and version 1.21.5 of the GEMS tabulation software.

Audette said the logs in the latest GEMS software record the date and time that events occur, and also record any attempt to login to the server, successful or not.

The lab tested the audit logs to ensure that they cannot be deleted or modified. If the GEMS event logs shut down for some reason, Audette said the GEMS software will not operate.

Testers also attempted to modify votes in the GEMS database and delete the database, but were unable to do so.

“The database is encrypted and protected by [Windows] WorkSpace,” Audette said.

IBeta’s report on the Premier system (.pdf) and testing plan offer an interesting and rare look at the testing and certification procedures for voting systems, which until recently were closely guarded secrets.
Voting-machine vendors used to pay labs directly to test their systems and forced them to sign nondisclosure agreements to prevent election officials and anyone else from learning about problems the labs found with the systems.

This changed only recently. In 2002 Congress passed the Help America Vote Act, which established the Election Assistance Commission, in part to oversee the testing and certification of election systems. It took until this last February for the EAC to certify its first voting system.

Under the new scheme, instead of paying labs directly for testing, voting machine vendors are required to pay into a general fund, from which the EAC covers the testing costs. Test reports are also now published on the EAC’s web site.

We’d encourage readers to look closely through the report, particularly Appendix E (.pdf), which lists problems encountered during the tests and the vendor’s responses to them.

Map image from Premier Election Solutions



See also:
Diebold Admits Systemic Audit-Log Failure; State Vows Inquiry
Voting-Machine Audit Logs Raise More Questions about Lost Votes in CA Election