News

Voting Machine Security Is Still an Open Question

• By Jabulani Leffall
• 11/03/2008

The nation's most populous state, California, even took measures against problematic e-voting machines.

According to the findings of a 2007 review of voting systems in California, e-voting machines aren't secure. Last year, California decertified them for general use. Secretary of State Debra Bowen subsequently limited the use of such machines to one per polling place, to be used only by disabled voters.

When it comes to counting votes, there is a genuine need for "preventing the preventable" with voting machines, one security expert said, citing the example of Premier Voting Systems (PVS), a Diebold subsidiary that has seemed to "figure out how to get them all wrong." Even the physical keys to Diebold's voting machines seemed insecure.

Earlier this year, in response to a lawsuit by Ohio's Secretary of State, PVS claimed that McAfee Antivirus was to blame for vote counting errors. They later claimed that the antivirus software was not on the voting machines, but rather on servers used to count the votes. PVS later admitted that its own software was to blame.

"First of all, a voting machine that requires antivirus software is an insecure voting machine," said Randy Abrams, director of technical education at IT security firm ESET. "This machine should be so locked down that nothing can run on it if it has not been rigorously tested and certified before being added to a white list. Yes, this is an application that white listing makes a ton of sense for."

Then there is physical security, which goes a long way in any IT protection program, Abrams added.

"That is to say, can I go in wearing a Diebold uniform, tell them that machine 203 in Booth 4 has reported a malfunction via its built-in wireless connection and gain access to the machine to tamper with it? This is something people should be asking vendors and technicians."

It may be too late to do a clean sweep of all voting machines for vulnerabilities nationwide before Tuesday November 4, but the media as well as the IT security community will be following the issue closely, waiting to pounce on any perceived irregularity.

ESET's Abrams said experience -- with the 2000 and 2004 elections, where both electronic and paper votes were lost or miscounted -- has taught that at least some of the companies producing electronic voting machines are not interested in spending the money required to produce secure equipment but "only in getting paid for a product."

The prospect of compromised elections, caused either by the negligence of voting-machine vendors or exploitation by hackers, won't be going away soon.

"It is clear that rigorous oversight is needed before the security of voting machines can be trusted. While [I'm] generally neither in the pro-open source camp, nor against it, in this case I believe that complete transparency is probably the best approach," Abrams said.