States Beef Up E-Voting Security After Report on Weaknesses
May 12, 2006 2:06 PM PT
A report saying that a popular electronic voting machine can be tampered with to alter or erase votes has prompted states that have purchased the devices to order increased security ahead of upcoming elections.
On Thursday, Black Box Voting, a nonprofit group, issued a report based on the findings of Harri Hursti, a Finnish computer expert. The report outlined what one expert called the most severe security flaw discovered to date in electronic voting machines made by Diebold.
Black Box issued a redacted version of its report, stripping details that could help hackers identify and exploit the security flaw.
"While these flaws in design are not in the vote-processing system itself, they potentially seriously compromise election security," the report said. "It would be helpful to learn how existing oversight processes have failed to identify this threat."
It appears possible that the vulnerability could be exploited and lay dormant for years before a hacker returns to actively use it to change election outcomes, researchers said, putting long periods of voting results at risk.
Diebold has downplayed the risks to its machines and noted that there are no known successful hacking attempts. It also points out that hacking would require physical access to the machines and the cases they are transported in. The company said the "flaw" Hursti discovered was built in to enable future software updates that could extend the machines' lives.
In letters to customers, Diebold maintained the "probability for exploiting this vulnerability to install unauthorized software that could affect an election is considered low."
As a result of the report and warnings from Diebold, officials in California, Iowa and Pennsylvania -- states that have primary elections scheduled in coming weeks and months -- issued orders to local officials to increase security around the machines before and during the upcoming votes.
Fixing the Fix
States across the U.S. turned to electronic voting en masse in the wake of the 2000 Presidential election debacle, when razor-thin margins of victory for Republican George Bush in Florida and elsewhere were called into question because of outdated voting systems that led to confusion about thousands of votes.
E-voting has been touted as a more efficient and accurate alternative, with the technology helping to reduce much of the possibility for human error that has caused election snafus in the past.
From the outset, however, e-voting has had its critics, with many deriding the "black box" approach that relies heavily on technology from vendors such as Diebold and, in some cases, makes it all but impossible to verify a vote, since many of the machines eliminate paper records altogether.
The latest problem appears to be "the most severe security flaw ever discovered in a voting system," said Michael I. Shamos, a professor of computer science at Carnegie Mellon University and an independent examiner of voting systems for Pennsylvania, which holds a primary election on Tuesday.
Shamos said the decision by Diebold to build in the access to the code raises questions as well.
This week, Voter Action, a nonprofit group, helped Arizona voters file a lawsuit aimed at blocking the state from buying touch-screen electronic voting systems. The group is hoping to obtain a court order halting planned purchases on the grounds that the machines would disenfranchise some voters.
"There is a crisis in voter confidence," said Voter Action co-director Lowell Finley. "Touch-screen electronic voting systems have proven vulnerable to hacking and lost and switched votes -- in expert testing and actual elections across the country. These electronic voting systems also are difficult, if not impossible, to audit. All-paper balloting is more reliable, transparent and secure."
Among the issues raised about e-voting machines is so-called chain-of-custody. Because the machines are moved around often and stored for long periods of time, often with little security oversight, critics say election officials wouldn't even know if a hacker had altered a machine. The Black Box report says someone with significant knowledge of computer code could install a malicious program on a machine in a matter of minutes.
E-voting supporters point out that tampering with traditional election results is even easier than hacking software.
"As it stands now, in using paper to vote, all one has to do to tamper with an election is toss a bag of ballots in the ocean," said Sonia Arrison, director of Technology Studies at the California-based Pacific Research Institute. "E-voting machines are a good solution, as average poll workers are unlikely to know how to hack into or re-code the voting machines."
"Fears that the machines will cause problems help to ensure proper precautions, but these fears can be overblown," she said. "Unlike paper ballots, no one has found any evidence of the machines being used for fraudulent purposes."