Security Poor in Electronic Voting Machines, Study Warns By JOHN SCHWARTZ, NYTimes
Electronic voting machines made by Diebold Inc. that are widely used in several states have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented today to Maryland state legislators.
Authors of the report — the first hands-on attempt to hack Diebold voting machine systems under conditions found during an election — were careful to say that the machines, if not hacked, count votes correctly, and that issues discovered in the “red team” exercise could be addressed in a preliminary way in time for the state’s primaries in March. …
The authors of the report said that they had expected a higher degree of security in the design of the machines. “We were genuinely surprised at the basic level of the exploits” that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.
William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of the Red Team exercise, said, “I can say with confidence that nobody looked at the system with an eye to security who understands security.” …
In the security exercise, members of the attack team said they were surprised to find that the touch-screen machines used by voters all used the same physical key to the two locks that protect their innards from tampering. With hand-held computers and a little sleight of hand, they found, the touch screens could be reprogrammed to make a vote for one candidate count for an opponent, or results could be fouled so that a precinct’s tally could not be used.
In addition, they said, communications between the terminals and the larger server computers that tally results from many precincts do not require that machines on either end of the line prove that they are legitimate, an omission that could allow someone to grab information that could be used to falsify whole precincts worth of votes.
And the server computers do not have the latest protection against the security holes in the Microsoft operating systems, and they are vulnerable to hacker attacks that would allow an outsider to change software, the group found.
The authors of the report also said smart cards that are shipped with the system for voters and supervisors to use during elections have standard passwords that are easily guessed. …
Mr. Wertheimer said the application of security was inconsistent, with encryption applied in some places without the accompanying technology of authentication to ensure that the machines that are communicating with each other are the ones that are supposed to be communicating and that an interloper has not jumped in. “It’s like washing your face and drying it with a dirty towel,” he said. …
There is much more to be done, Mr. Arbaugh said. Working on the exercise for just a week to prepare for the one-day attack, he said, “we got the tip of the iceberg.”
He added, “It seemed everywhere we scratched, there was something that’s pretty troubling.”
The panel recommended that election officials take several steps to improve security, including placing tamper-proof tape on vulnerable parts of voting machines and installing software that will alert officials to any changes to the machine.
If those steps are taken, Mr. Arbaugh said, “the assurance of this election will be comparable to that of past elections.”
The report can be found at www.raba.com.