US Election Assistance Commission - Voluntary Voting System Guidelines Vote

View Comments

Name :   Ron Crane
Organization :   N/A
Post Date :   9/30/2005

Section Comments
Section :  .20.3.3.1
Page no. :  
Line no.:  
Comment :  9a.

The Guidelines contain many loopholes surrounding firmware, which easily can be used to inject malware into the voting application[14]:

a. Requirements having to do with the verification of firmware's authenticity (e.g., Vol. II, §3.3.1(a)(1)) are insufficient to deter an unscrupulous vendor from including malware (including malware loaders) in firmware. The vendor would merely ship systems containing "innocent" firmware to the test lab, while shipping cheating systems to jurisdictions. Deterring and detecting these cheats requires a regime of comprehensive, randomly-conducted hardware inspections, such as the Nevada Gaming Control Board uses to monitor and enforce the proper performance of electronic gaming machines.[15]

The Guidelines must require such a regime.