Voting machine insecurity
Technical glitches and security incidents from the past still cast a long shadow over the electronic voting.
- By Jabulani Leffall
- Nov 04, 2008
U.S. national election polling is taking place today, but
computer glitches and security issues of the past still cast a long
shadow over the vote. Stakes are high in the 2008 election season
after electronic voting irregularities were reported in the past
two U.S. presidential elections.
The nation's most populous state, California, even took measures
against problematic e-voting machines.
According to the findings of a 2007 review of voting systems in California,
e-voting machines aren't secure. Last year, California decertified
them for general use. Secretary of State Debra Bowen subsequently
limited the use of such machines to one per polling place, to be
used only by disabled voters.
When it comes to counting votes, there is a genuine need for
"preventing the preventable" with voting machines, one security
expert said, citing the example of Premier Voting Systems (PVS), a
Diebold subsidiary that has seemed to "figure out how to get them
all wrong." Even the physical keys to Diebold's voting
machines seemed insecure.
Earlier this year, in response to a lawsuit by Ohio's Secretary
of State, PVS claimed that McAfee Antivirus was to
blame for vote counting errors. They later claimed that the
antivirus software was not on the voting machines, but rather on
servers used to count the votes. PVS later admitted that its own
software was to blame.
"First of all, a voting machine that requires antivirus software
is an insecure voting machine," said Randy Abrams, director of
technical education at IT security firm ESET. "This machine should
be so locked down that nothing can run on it if it has not been
rigorously tested and certified before being added to a white list.
Yes, this is an application that white listing makes a ton of sense
for."
Then there is physical security, which goes a long way in any IT
protection program, Abrams added.
"That is to say, can I go in wearing a Diebold uniform, tell
them that machine 203 in Booth 4 has reported a malfunction via its
built-in wireless connection and gain access to the machine to
tamper with it? This is something people should be asking vendors
and technicians."
It may be too late to do a clean sweep of all voting machines
for vulnerabilities nationwide before Tuesday November 4, but the
media as well as the IT security community will be following the
issue closely, waiting to pounce on any perceived irregularity.
ESET's Abrams said experience -- with the 2000 and 2004
elections, where both electronic and paper votes were lost or
miscounted -- has taught that at least some of the companies
producing electronic voting machines are not interested in spending
the money required to produce secure equipment but "only in getting
paid for a product."
The prospect of compromised elections, caused either by the
negligence of voting-machine vendors or exploitation by hackers,
won't be going away soon.
"It is clear that rigorous oversight is needed before the
security of voting machines can be trusted. While [I'm] generally
neither in the pro-open source camp, nor against it, in this case I
believe that complete transparency is probably the best approach,"
Abrams said.