US Election Assistance Commission - Voluntary Voting System Guidelines Vote

View Comments

Name :   Ron Crane
Organization :   N/A
Post Date :   9/30/2005

Section Comments
Section :  .20.6.6
Page no. :  
Line no.:  
Comment :  9b.

b. Vol. II, §6.6(c) requires that the Physical Configuration Audit "include a review of all drawings, specifications, technical data, and test data associated with the system hardware." But this leaves gaping holes for unscrupulous vendors. For one thing, these requirements are vague, and could be construed by a less-than-thorough test lab not to include reviews of firmware. For another, even if the test lab does a thorough job of reviewing the firmware, an unscrupulous vendor can simply ship hardware containing firmware different from that which was reviewed. No one would ever know.

Third, no firmware review is required for COTS hardware. But an unscrupulous vendor could add a malware loader to COTS firmware, such as the video BIOS, then represent it as "unchanged", and therefore not in need of inspection.

Nothing in the Guidelines would assist the discovery of this subterfuge.
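The control the comment says is missing is a reviewed-firmware manifest checked against what is actually delivered. The following is an added illustration of that check; it is not part of the comment above, the VVSG, or any EAC procedure, and the component names, byte strings standing in for firmware images, and the "vendor ships something different" scenario are all constructed for the example. It shows both outcomes the comment describes: a reviewed component whose shipped image differs from the reviewed one is flagged, while a COTS component the vendor declared "unchanged" has no reviewed hash at all, so the check can say nothing about it.

```python
"""Firmware manifest check, illustrating the gap described in the comment.
Added example, not EAC or VVSG material. All images and names are constructed."""
import hashlib
from typing import Dict, List, Tuple


def build_manifest(reviewed: Dict[str, bytes]) -> Dict[str, str]:
    """Record SHA-256 of every firmware image the test lab actually reviewed.
    Only reviewed components get an entry; a COTS part the vendor declared
    'unchanged' and the lab never inspected has none."""
    return {name: hashlib.sha256(image).hexdigest() for name, image in reviewed.items()}


def verify_shipped(manifest: Dict[str, str], shipped: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare images dumped from a delivered unit against the review manifest.
    Status per component:
      'match'      shipped image is byte-identical to the reviewed one
      'tampered'   shipped image differs from the reviewed one
      'unreviewed' no reviewed hash exists, so nothing can be concluded
      'missing'    reviewed component is absent from the delivered unit"""
    results: List[Tuple[str, str]] = []
    for name, image in shipped.items():
        expected = manifest.get(name)
        if expected is None:
            results.append((name, "unreviewed"))
        elif hashlib.sha256(image).hexdigest() == expected:
            results.append((name, "match"))
        else:
            results.append((name, "tampered"))
    for name in manifest:
        if name not in shipped:
            results.append((name, "missing"))
    return results


# Constructed stand-ins for firmware binaries (a few bytes each, not real firmware).
REVIEWED_IMAGES = {
    "main_board_fw": b"MAINFW-1.0:ballot-tally:audit-log",
    "scanner_fw": b"SCANFW-2.3:mark-detect",
}
# COTS video BIOS the vendor represented as "unchanged"; never hashed at review time.
COTS_VIDEO_BIOS = b"VGABIOS-COTS:init-display"


def shipped_unit() -> Dict[str, bytes]:
    """Constructed delivered unit: the main board firmware carries bytes that were
    not in the reviewed image, and the video BIOS has extra bytes appended but,
    having no manifest entry, is outside the check entirely."""
    return {
        "main_board_fw": REVIEWED_IMAGES["main_board_fw"] + b":extra-routine",
        "scanner_fw": REVIEWED_IMAGES["scanner_fw"],
        "video_bios": COTS_VIDEO_BIOS + b":appended-stub",
    }


def run_check() -> Dict[str, str]:
    """Build the manifest from the reviewed images and verify the shipped unit."""
    manifest = build_manifest(REVIEWED_IMAGES)
    return dict(verify_shipped(manifest, shipped_unit()))


if __name__ == "__main__":
    for component, status in run_check().items():
        print(f"{component}: {status}")
```

The images fed to `verify_shipped` must be dumped from the delivered hardware by the verifier, not supplied as files by the vendor, or the comparison proves nothing. The `unreviewed` status is the point the comment makes about COTS firmware: a hash check can only detect substitution of something that was hashed at review time, so a component exempted from review on the vendor's word is invisible to it.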