Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


California Hammers on E-Voting

Comprehensive audit and penetration test designed to end voters' fears about electronic voting

Debra Bowen is tired of all the hype about vulnerabilities in e-voting systems. And next week, she and a herd of researchers are going to do something about it.

Bowen, the secretary of state for Calif., said yesterday that the state is ready to begin a "top-to-bottom review" of its e-voting systems, using three teams of experts from universities and private companies all over the state. The researchers will review all of the data they can find about hacking electronic polling systems, and they will try to break into the systems themselves.

Just how vulnerable such voting machines are -- and their underlying software -- has been a sore subject debated by politicians, jurists, and technology experts. (See E-Voting Tested on Election Day, E-Voting Hacks Facts, and Diebold Disses Democracy.) Many states have shunned the electronic systems and reverted to punch cards or good old-fashioned paper ballots marked with a pencil.

The Calif. review, which will begin May 14 and run through July, will result in one of three conclusions, Bowen says:

  • Calif.'s systems will be found to be secure, and voters can rest easy.
  • The systems will be found to be flawed but fixable with additional security measures.
  • The systems will be found to be so flawed that they will have to be decertified and eliminated from the state's voting process.

    The review, which will be led by the University of California, will consist of three separate review teams, each with about seven people, Bowen says. Each team will evaluate documents pertaining to e-voting vulnerabilities, conduct a source-code audit on the state's currently-used voting systems, and execute a "red team penetration test" to see if they can break into the systems and tamper with voting results.

    The state will spend about $1.8 million on the review, which is said to be the first of its kind among state governments. Calif. has spent or allocated more than $450 million on computerized voting equipment in the past few years, the state says.

    The tests will not focus solely on the systems used to cast ballots, but will also investigate the systems used to count ballots, including tabulating devices, software, and peripherals, the state says. Among the vendors to be tested are Diebold, ES&S, and Hart Interactive.

    The vendors will be required to submit all currently-certified equipment used in Calif., as well as new systems they hope to sell to the state in the future, according to the state. If a vendor chooses not to submit a particular model or declines to participate in the tests, then the excluded equipment may immediately be decertified.

    The results of the penetration tests will not be made public, but Bowen says the teams will issue reports on their progress. Several other states -- including N.Y. -- are also considering conducting reviews of their voting systems, particularly after Congress' decision last week to investigate anomalies that occurred in Fla.'s 13th district in 2006.

    — Tim Wilson, Site Editor, Dark Reading

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    44% of Security Threats Start in the Cloud
    Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
    Zero-Factor Authentication: Owning Our Data
    Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-02-25
    An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
    PUBLISHED: 2020-02-25
    An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
    PUBLISHED: 2020-02-25
    A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
    PUBLISHED: 2020-02-24
    An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
    PUBLISHED: 2020-02-24
    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...