[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NY Times today
http://www.nytimes.com/2004/01/29/technology/29CND-SECU.html
Security Poor in Electronic Voting Machines, Study Warns
By JOHN SCHWARTZ
Published: January 29, 2004
Electronic voting machines made by Diebold Inc. that are widely used
in
several states have such poor computer security and physical security
that an election could be disrupted or even stolen by corrupt insiders
or determined outsiders, according to a new report presented today to
Maryland state legislators.
Authors of the report the first hands-on attempt to hack Diebold
voting machine systems under conditions found during an election were
careful to say that the machines, if not hacked, count votes
correctly, and that issues discovered in the "red team" exercise could
be addressed in a preliminary way in time for the state's primaries in
March.
"I don't want to beat people up," said Michael Wertheimer, the
security expert who ran the attack team for RABA Technologies, a
consulting firm in Columbia, Md. "I want to get an election that
people can feel good about in March."
Further steps could be taken to ensure a safe general election in
November, the report concludes. But ultimately, the report says,
Diebold election software has to be rewritten to meet industry
security standards and called for limited use of paper receipts to
help verify voting.
A representative of Diebold said the issues raised by the new report
had already been addressed by the company. "There is nothing that has
not been or can't be mitigated" before the election, said David Bear,
a spokesman for the company.
In a statement released today, Bob Urosevich, president of Diebold
Election Systems, said this report and another by the Science
Applications International Corporation "confirm the accuracy and
security of Maryland's voting procedures and our voting systems as
they exist today."
Mr. Urosevich added: "With that said, in our continued spirit of
innovation and industry leadership, there will always be room for
improvement and refinement. This is especially true in assuring the
utmost security in elections."
Maryland has bought more than $55 million worth of the machines.
Georgia has chosen Diebold machines for elections statewide, and they
have been chosen by populous counties in California and Ohio, among
other states.
The authors of the report said that they had expected a higher degree
of security in the design of the machines. "We were genuinely
surprised at the basic level of the exploits" that allowed tampering,
said Mr. Wertheimer, a former security expert for the National
Security Agency.
William A. Arbaugh, an assistant professor of computer science at the
University of Maryland and a member of the Red Team exercise, said, "I
can say with confidence that nobody looked at the system with an eye
to security who understands security."
The new report vindicates a controversial report that found Diebold
software lacked the level of security necessary to safeguard the
election process or even to meet the standard practices of the
computing industry, and it underscores the results of two subsequent
studies. Last July, an analysis of voting machine software by academic
security experts at Johns Hopkins and Rice Universities found serious
security problems. At the time, Diebold stated that the code used by
the researchers, which had been taken from a company Internet site and
circulated online, was outdated.
In response, Maryland hired the Science Applications International
Corporation to review the Johns Hopkins report and to do a quick risk
analysis. The company confirmed that many of the security
vulnerabilities discovered in the earlier study did constitute serious
problems, but said they could be corrected. An unrelated report for
Ohio that was released December found serious security flaws in voting
systems produced by all four major makers of electronic voting
machines and offered suggestions for reducing risk.
In December, Diebold announced in response to the Ohio report that the
problems discovered in Ohio had been "successfully resolved" thanks to
its efforts to address issues raised in Maryland reports. The company
also said it had created a new "executive-level position dedicated to
meeting compliance and certification requirements" to address the
issues going forward.
The latest study found that some issues discovered last July in the
Johns Hopkins study had not, in fact, been corrected, and that other
issues that had not been discovered in other studies were equally
troubling. The report can be found at www.raba.com.
In the security exercise, members of the attack team said they were
surprised to find that the touch-screen machines used by voters all
used the same physical key to the two locks that protect their innards
from tampering. With hand-held computers and a little sleight of hand,
they found, the touch screens could be reprogrammed to make a vote for
one candidate count for an opponent, or results could be fouled so
that a precinct's tally could not be used.
In addition, they said, communications between the terminals and the
larger server computers that tally results from many precincts do not
require that machines on either end of the line prove that they are
legitimate, an omission that could allow someone to grab information
that could be used to falsify whole precincts worth of votes.
And the server computers do not have the latest protection against the
security holes in the Microsoft operating systems, and they are
vulnerable to hacker attacks that would allow an outsider to change
software, the group found.
The authors of the report also said smart cards that are shipped with
the system for voters and supervisors to use during elections have
standard passwords that are easily guessed. That problem was cited in
the original Johns Hopkins report, and it could allow anyone with a
hand-held card reader and small computer to get the access of an
election official. The company said that it has provided the
capability for election officials change those passwords and increase
security, though it still ships the products with the easily broken
password.
Mr. Wertheimer said the application of security was inconsistent, with
encryption applied in some places without the accompanying technology
of authentication to ensure that the machines that are communicating
with each other are the ones that are supposed to be communicating and
that an interloper has not jumped in. "It's like washing your face and
drying it with a dirty towel," he said.
Though individual members of the attack team said that they found the
original Johns Hopkins study, which called for the state to abandon
the machines, to be alarmist in tone and written in the kind of
sound-bite language to grab the attention of the news media, Mr.
Arbaugh said this team's results "vindicate" the work of the leader of
that effort, Aviel D. Rubin, who goes by Avi, and showed that Diebold
did not do enough after the report to fix the problems that he
identified.
"Avi told them the door was wide open and unlocked," Mr. Arbaugh said.
"They closed the door, but they didn't lock it," he said.
Mr. Rubin said he had not yet seen the study, but had been informed of
its results. "If our report was unable to convince Maryland that the
Diebold machines were vulnerable, then surely this work will set them
straight," he said.
There is much more to be done, Mr. Arbaugh said. Working on the
exercise for just a week to prepare for the one-day attack, he said,
"we got the tip of the iceberg."
He added, "It seemed everywhere we scratched, there was something
that's pretty troubling."
The panel recommended that election officials take several steps to
improve security, including placing tamper-proof tape on vulnerable
parts of voting machines and installing software that will alert
officials to any changes to the machine.
If those steps are taken, Mr. Arbaugh said, "the assurance of this
election will be comparable to that of past elections."
"The problem is, people who know elections know there's a lot of play
in them already," he said. "We can do better, and we should. It's just
going to be a long process."
Linda H. Lamone, the administrator of the Maryland State Board of
elections, said that the group had produced "a very good report," and
that the state would take its recommendations seriously.
Still, she noted that tampering with voting equipment is a felony.
"I'm not sure how many people would be willing to get a felony
conviction and risk going to jail over an election," she said. Citing
the problem of easily opened locks on the machines, she said an
attempt to unlock a machine "would be very unlikely to succeed,
because it would have to occur in a public place."