Some versions of electronic voting software could allow for ballot fraud on a massive scale, computer security researchers reported Thursday. The researchers made their claim based on an analysis of computer code that was purportedly taken from one of the country’s top suppliers of voting equipment. But the supplier, Ohio-based Diebold Election Systems, said it believed the software was “outdated and never was used in an actual election.”
The source code was analyzed over the past couple of weeks by researchers at Johns Hopkins University and Rice University, and their findings were posted on the Web as an Adobe Acrobat file.
“Common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal,” they contended.
The code that the researchers analyzed came from a New Zealand-based Web site, with the claim that it was downloaded via the Internet from an unprotected Diebold site.
The researchers said they couldn’t verify independently whether the code was currently being used in Diebold machines, and Diebold issued a statement saying “we believe that the software code they evaluated, while sharing similarities to the current code, is outdated and never was used in an actual election.”
The company also said the research “overlooked the total system of software, hardware, services and poll worker training that have made Diebold electronic voting systems so effective in real-world implementations.”
Diebold is a major supplier of electronic voting equipment in the United States, with more than 50,000 of its voting stations installed in Georgia, California, Kansas and other states.
Were the flaws fixed?
The company said its e-voting software is constantly updated to comply with certification requirements, but the researchers said the software would have to be rebuilt from scratch in order to address the security vulnerabilities they found.
“The stuff that we looked at is not something from which you could evolve a secure system,” Avi Rubin, technical director of Johns Hopkins’ Information Security Institute, told MSNBC.com.
In addition to Rubin, the research team included Yoshi Kohno and Adam Stubblefield, doctoral students at Johns Hopkins, and Dan Wallach, a computer science professor at Rice.
Kohno said Rubin suggested the project just two weeks ago. “Adam and I put the rest of our lives on hold and we just started focusing on the source code,” he told MSNBC.com.
Within a half-hour, the students started seeing “red flags, lots of problems,” Kohno said.
“We found vulnerabilities everywhere we looked,” Rubin said.
Among the issues highlighted were “unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes,” the researchers reported.
They noted that the voting system relied on a smart-card chip to ensure that each person casts only one ballot on a direct-recording e-voting system. The software’s vulnerabilities could allow someone to create a specially programmed smart card, and surreptitiously use it in the voting booth to cast multiple ballots.
“A 15-year-old computer enthusiast could make these counterfeit cards in a garage and sell them,” Rubin said. “Then even an ordinary voter, without knowing anything about computer code, could cast more than one vote for a candidate at a polling place that uses this electronic voting system.”
If attackers gained access to the link between the machines and the back-end servers, they could stir up even more mischief: “I click on George Bush and it’s really counted for Al Gore, I click on Al Gore and it’s really counted for George Bush,” Kohno said.
The researchers knew of no evidence that voting systems have yet been compromised in this way, but said they decided to make their findings public out of concern that such fraud could occur as e-voting systems become more prevalent. Since the Florida punch-card debacle of the 2000 elections, states have been spending millions of dollars on voting-system upgrades. Just this week, the state of Maryland struck a an e-voting deal with Diebold that could be worth as much as $55.6 million.
Call for decertification
Douglas Jones, a University of Iowa computer science professor who serves on Iowa’s board of examiners for electronic voting systems, said he recognized one of the encryption flaws cited by the researchers’ report as one he called attention to during a board meeting at least five years ago.
“I can say with great confidence that several Diebold representatives were at the meeting, and one of their people who was described to me as being one of their main programmers,” he told MSNBC.com. “The fact that that flaw is still there, half a decade later, is as far as I’m concerned grounds for decertifying their machine.”
Jones said that based on the researchers’ report, he recommended decertification to Iowa’s secretary of state on Wednesday. The issue would have to be considered by the full board of election examiners, he said.
Seeking a paper trail
Some critics of e-voting contend that the software flaws could affect optical-scan voting machines as well. Jones said he would not call for decertification of those machines, however, because Iowa election law requires on-paper confirmation of optical-scan results at the precinct level.
He also noted that with optical-scan systems, there was a paper trail that could be retraced in case there were any questions. Indeed, the bottom line for Jones as well as Rubin and other e-voting skeptics is that any voting system should have a voter-verifiable paper audit.
“With the direct-reporting electronic system, where all these questions about security actually touch on the authenticity of anything the machine retains, we have nothing to fall back on,” Jones said.
Such a “paper trail” requirement has been proposed in a House bill introduced by U.S. Rep. Rush Holt, D-N.J.
Jones, who said he was involved in the drafting of the bill, quoted a phrase oft used by e-voting skeptics: “If you have a voter-verifiable audit trail, even the devil himself could design the software, and you’d still be able to conduct an honest election.”