Most vote machines lose test to hackers

Forums: Politics
Email this Topic • Print this Page

Most vote machines lose test to hackers
John Wildermuth, San Francisco Chronicle Staff Writer
Saturday, July 28, 2007

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/28/VOTING.TMP

This article appeared on page A - 1 of the San Francisco Chronicle

State-sanctioned teams of computer hackers were able to break through the security of virtually every model of California's voting machines and change results or take control of some of the systems' electronic functions, according to a University of California study released Friday.

The researchers "were able to bypass physical and software security in every machine they tested,'' said Secretary of State Debra Bowen, who authorized the "top to bottom review" of every voting system certified by the state.

Neither Bowen nor the investigators were willing to say exactly how vulnerable California elections are to computer hackers, especially because the team of computer experts from the UC system had top-of-the-line security information plus more time and better access to the voting machines than would-be vote thieves likely would have.

"All information available to the secretary of state was made available to the testers,'' including operating manuals, software and source codes usually kept secret by the voting machine companies, said Matt Bishop, UC Davis computer science professor who led the "red team" hacking effort, said in his summary of the results.

The review included voting equipment from every company approved for use in the state, including Sequoia, whose systems are used in Alameda, Napa and Santa Clara counties; Hart InterCivic, used in San Mateo and Sonoma Counties; and Diebold, used in Marin County.

Election Systems and Software, which supplied equipment to San Francisco, Contra Costa, Solano and Los Angeles counties in last November's election, missed the deadline for submitting the equipment, Bowen said. While their equipment will be reviewed, Bowen warned that she has "the legal authority to impose any condition'' on its use.

Bowen said in a telephone news conference Friday that the report is only one piece of information she will use to decide which voting systems are secure enough to use in next February's presidential primary election.

If she is going to decertify any of the machines, she must do it by Friday, six months before the Feb. 5 vote.

A day-long hearing in Sacramento on Monday will give the UC investigators a chance to present their finding and allow the various voting machine companies to present a response. The hearing also will be open for comments from the public.

The study was designed to discover vulnerabilities in the technology of voting systems used in the state. It did not deal with any physical security measures that counties might take and "made no assumptions about constraints on the attackers,'' Bishop said.

"The testers did not evaluate the likelihood of any attack being feasible,'' he added.

Some county elections officials in the state were among the most critical of the study, saying they worry that they could be forced to junk millions of dollars in voting machines if Bowen decertifies them for the February election.

Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines "is like giving a burglar the keys to your house,'' said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials.

The study also determined that many voting systems have flaws that make it difficult for blind voters and those with other disabilities to cast ballots.

During her election campaign last year, Bowen made it clear she had little confidence in the security of electronic voting machines and vowed to review their use in the state.

"Voting systems are tools of our democracy,'' she said Friday. "We want to ensure that the voting systems used in the state are secure, accurate, reliable and accessible to all. This (study result) is not a big deal to me. It's a big deal for everyone in the country.''

Vendors and other advocates of electronic voting machines have suggested that because of Bowen's well-publicized concerns, she has her thumb on the scale when it comes to reviewing the systems. But the secretary of state said she purposely avoided the scientists doing the study.

Bowen admitted that she's "enough of a geek" that she would have enjoyed working closely with the study, but "I've stayed out of the way ... It's not my review,'' she said. "I didn't want (the researchers) to be influenced by my questions.''

Weir said the UC study "is only a hologram of what could be done technically without considering the real-world mitigation,'' the locks, access cards and other physical security measures typically used.

The study found "absolutely no evidence of any malicious source code anywhere,'' he added. "They found nothing that could cast doubt on the results of elections.''

Bishop, however, said he was surprised by the weakness of the security measures, both physical and electronic, protecting the voting systems. His team of hackers found ways to get into the systems not only through the high-tech equipment in election headquarters but also through the machines in the polling places.

If the testers had had more time, they would have found more flaws, he added.

"The vendors appeared to have designed systems that were not high assurance (of security)," said Bishop, a recognized expert on computer security. "The security seems like it was added on.''

Topic Stats
Top Replies
Link to this Topic

Type: Discussion • Score: 1 • Views: 254 • Replies: 1

No top replies

Ohio Elections Official Calls Machines Flawed
December 15, 2007
Ohio Elections Official Calls Machines Flawed
By BOB DRIEHAUS
New York Times

CINCINNATI ?- All five voting systems used in Ohio, a state whose electoral votes narrowly swung two elections toward President Bush, have critical flaws that could undermine the integrity of the 2008 general election, a report commissioned by the state's top elections official has found.

"It was worse than I anticipated," the official, Secretary of State Jennifer Brunner, said of the report. "I had hoped that perhaps one system would test superior to the others."

At polling stations, teams working on the study were able to pick locks to access memory cards and use hand-held devices to plug false vote counts into machines. At boards of election, they were able to introduce malignant software into servers.

Ms. Brunner proposed replacing all of the state's voting machines, including the touch-screen ones used in more than 50 of Ohio's 88 counties. She wants all counties to use optical scan machines that read and electronically record paper ballots that are filled in manually by voters.

She called for legislation and financing to be in place by April so the new machines can be used in the presidential election next November. She said she could not estimate the cost of the changes.

Florida, another swing state with a history of voting problems, is also scrapping touch-screen machines and switching to optical scan ones for the election. Such systems have gained favor because experts say they are more reliable than others and, unlike most touch screens, they provide a paper trail for recounts.

Ms. Brunner, a Democrat, succeeded J. Kenneth Blackwell, a Republican who came under fire for simultaneously overseeing the 2004 election and serving as co-chairman of President Bush's re-election campaign in Ohio.

She ordered the study as part of a pledge to overhaul voting after problems made headlines for hours-long lines in the 2000 and 2004 elections and a scandal in Cuyahoga County, which includes Cleveland, that led to the convictions of two elections workers on charges of rigging recounts. Ms. Brunner's office temporarily seized control of that county's board of elections.

The study released Friday found that voting machines and central servers made by Elections Systems and Software; Premier Election Solutions, formerly Diebold; and Hart InterCivic; were easily corrupted.

Chris Riggall, a Premier spokesman, said hardware and software problems had been corrected in his company's new products, which will be available for installation in 2008.

"It is important to note," he said, "that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States."

Ken Fields, a spokesman for Election Systems and Software, said his company strongly disagreed with some of the report's findings. "We can also tell you that our 35 years in the field of elections has demonstrated that Election Systems and Software voting technology is accurate, reliable and secure," he said.

The $1.9 million federally financed study assembled corporate and academic teams to conduct parallel assessments. A bipartisan group of 12 election board directors and deputy directors acted as advisers.

The academic team, made up of faculty members and students from Cleveland State University, Pennsylvania State, the University of California, Santa Barbara, and the University of Pennsylvania, said systemic change was needed. "All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election," the team wrote.

In addition to switching machines, Ms. Brunner recommended eliminating polling stations that are used for fewer than five precincts as a cost-cutting measure, and introducing early voting 15 days before Election Day.

0 Replies

Most vote machines lose test to hackers

Related Topics

Quick Links

My Account

able2know