Security Poor in Electronic Voting Machines, Study Warns   Story here   RABA Report Here
January 29, 2004
By JOHN SCHWARTZ, NY Times
 
Electronic voting machines made by Diebold Inc. that are widely used in several states have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented today to Maryland state legislators.

Authors of the report — the first hands-on attempt to hack Diebold voting machine systems under conditions found during an election — were careful to say that the machines, if not hacked, count votes correctly, and that issues discovered in the "red team" exercise could be addressed in a preliminary way in time for the state's primaries in March.

"I don't want to beat people up," said Michael Wertheimer, the security expert who ran the attack team for RABA Technologies, a consulting firm in Columbia, Md. "I want to get an election that people can feel good about in March."

Further steps could be taken to ensure a safe general election in November, the report concludes. But ultimately, the report says, Diebold election software has to be rewritten to meet industry security standards and called for limited use of paper receipts to help verify voting.

A representative of Diebold said the issues raised by the new report had already been addressed by the company. "There is nothing that has not been or can't be mitigated" before the election, said David Bear, a spokesman for the company.

In a statement released today, Bob Urosevich, president of Diebold Election Systems, said this report and another by the Science Applications International Corporation "confirm the accuracy and security of Maryland's voting procedures and our voting systems as they exist today."

Mr. Urosevich added: "With that said, in our continued spirit of innovation and industry leadership, there will always be room for improvement and refinement. This is especially true in assuring the utmost security in elections."

Maryland has bought more than $55 million worth of the machines. Georgia has chosen Diebold machines for elections statewide, and they have been chosen by populous counties in California and Ohio, among other states.

The authors of the report said that they had expected a higher degree of security in the design of the machines. "We were genuinely surprised at the basic level of the exploits" that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.

William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of the Red Team exercise, said, "I can say with confidence that nobody looked at the system with an eye to security who understands security."

The new report vindicates a controversial report that found Diebold software lacked the level of security necessary to safeguard the election process or even to meet the standard practices of the computing industry, and it underscores the results of two subsequent studies. Last July, an analysis of voting machine software by academic security experts at Johns Hopkins and Rice Universities found serious security problems. At the time, Diebold stated that the code used by the researchers, which had been taken from a company Internet site and circulated online, was outdated.

In response, Maryland hired the Science Applications International Corporation to review the Johns Hopkins report and to do a quick risk analysis. The company confirmed that many of the security vulnerabilities discovered in the earlier study did constitute serious problems, but said they could be corrected. An unrelated report for Ohio that was released December found serious security flaws in voting systems produced by all four major makers of electronic voting machines and offered suggestions for reducing risk.

In December, Diebold announced in response to the Ohio report that the problems discovered in Ohio had been "successfully resolved" thanks to its efforts to address issues raised in Maryland reports. The company also said it had created a new "executive-level position dedicated to meeting compliance and certification requirements" to address the issues going forward.

The latest study found that some issues discovered last July in the Johns Hopkins study had not, in fact, been corrected, and that other issues that had not been discovered in other studies were equally troubling. The report can be found at www.raba.com.

In the security exercise, members of the attack team said they were surprised to find that the touch-screen machines used by voters all used the same physical key to the two locks that protect their innards from tampering. With hand-held computers and a little sleight of hand, they found, the touch screens could be reprogrammed to make a vote for one candidate count for an opponent, or results could be fouled so that a precinct's tally could not be used.

In addition, they said, communications between the terminals and the larger server computers that tally results from many precincts do not require that machines on either end of the line prove that they are legitimate, an omission that could allow someone to grab information that could be used to falsify whole precincts worth of votes.

And the server computers do not have the latest protection against the security holes in the Microsoft operating systems, and they are vulnerable to hacker attacks that would allow an outsider to change software, the group found.

The authors of the report also said smart cards that are shipped with the system for voters and supervisors to use during elections have standard passwords that are easily guessed. That problem was cited in the original Johns Hopkins report, and it could allow anyone with a hand-held card reader and small computer to get the access of an election official. The company said that it has provided the capability for election officials change those passwords and increase security, though it still ships the products with the easily broken password.

Mr. Wertheimer said the application of security was inconsistent, with encryption applied in some places without the accompanying technology of authentication to ensure that the machines that are communicating with each other are the ones that are supposed to be communicating and that an interloper has not jumped in. "It's like washing your face and drying it with a dirty towel," he said.

Though individual members of the attack team said that they found the original Johns Hopkins study, which called for the state to abandon the machines, to be alarmist in tone and written in the kind of sound-bite language to grab the attention of the news media, Mr. Arbaugh said this team's results "vindicate" the work of the leader of that effort, Aviel D. Rubin, who goes by Avi, and showed that Diebold did not do enough after the report to fix the problems that he identified.

"Avi told them the door was wide open and unlocked," Mr. Arbaugh said. "They closed the door, but they didn't lock it," he said.

Mr. Rubin said he had not yet seen the study, but had been informed of its results. "If our report was unable to convince Maryland that the Diebold machines were vulnerable, then surely this work will set them straight," he said.

There is much more to be done, Mr. Arbaugh said. Working on the exercise for just a week to prepare for the one-day attack, he said, "we got the tip of the iceberg."

He added, "It seemed everywhere we scratched, there was something that's pretty troubling."

The panel recommended that election officials take several steps to improve security, including placing tamper-proof tape on vulnerable parts of voting machines and installing software that will alert officials to any changes to the machine.

If those steps are taken, Mr. Arbaugh said, "the assurance of this election will be comparable to that of past elections."

"The problem is, people who know elections know there's a lot of play in them already," he said. "We can do better, and we should. It's just going to be a long process."

Linda H. Lamone, the administrator of the Maryland State Board of elections, said that the group had produced "a very good report," and that the state would take its recommendations seriously.

Still, she noted that tampering with voting equipment is a felony. "I'm not sure how many people would be willing to get a felony conviction and risk going to jail over an election," she said. Citing the problem of easily opened locks on the machines, she said an attempt to unlock a machine "would be very unlikely to succeed, because it would have to occur in a public place."