William Jackson | E-voting machines still not reliable
Cybereye | Commentary: Electronic voting systems still have too many holes to be trusted.
- By William Jackson
- Aug 24, 2007
California's secretary of state has imposed some stiff restrictions on the use of electronic voting machines in the state's upcoming 2008 primary elections, all but banning two commonly used models from the polling places in February. It was a sound choice.
The decision followed a technical review of the systems by scientists at the University of California at Berkeley that found many serious flaws in the software and its implementation in the voting systems.
Secretary of State Debra Bowen said her decision would cause some headaches for local election officials and workers. But some inconvenience at polling places on Election Day is better than a complete lack of confidence in the results.
Let's hope other states are paying attention.
In March, Bowen ordered a top-to-bottom review of the eight electronic voting systems used in the state. Four vendors did not submit their systems and are out of the game. One did not submit in time. The remaining three systems were from Diebold, Hart InterCivic and Sequoia. All three were recertified with conditions.
Flaws in voting systems are not new. But in this case, the reviews carry the weight of state certification, and the vendors cooperated. Vendors may complain that the tests were unrealistically tough, but the researchers are not buying that.
'In developing our attacks, we made no assumptions about constraints on the attackers,' they wrote in their report. '"Security through obscurity," or the practice of assuming a veneer of security by relying on attackers not having access to protocol specifications or using tools that are perceived to be difficult to acquire, is not an acceptable option.'
The results are sobering. In the Diebold system, examiners were able to verify attacks that could compromise the results of an election.
When testing the Global Election Management Systems server, 'there were stark discrepancies between the GEMS server as Diebold technicians delivered it and the GEMS server configuration as described in the Diebold documentation.' The Microsoft Windows 2000 Server operating system was not properly patched, and the red team testing it was able to download exploits.
The TSx touch-screen terminal on which votes are cast had poor physical security and was susceptible to malicious code. The printer that produced the paper ballots that would serve as the official votes in audits and recounts could be disabled or manipulated to produce additional ballots.
'Ninety-nine percent of these issues were fundamental things in the software,' for which remedies are readily available, said Ryan Berg, chief scientist at Ounce Labs, which produces software risk analysis tools.
California precincts will be allowed to use only one Diebold or Sequoia system in each polling place to meet requirements for access by disabled voters. But those systems and the Hart InterCivic systems will require additional security controls.
'The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities,' the researchers wrote. 'All members of the team strongly believe that more remains to be done in this field and, more specifically, on these systems.'