E-Voting Hacks Facts

What every security pro should know about the potential for e-voting hackery

Tim Wilson, Editor in Chief, Dark Reading

November 07, 2006

As election day comes to a head, so does the discussion of security in electronic voting systems. All over the country, TV news reports indicate operational problems and vulnerabilities with e-voting machines. Change the channel to HBO, and you might catch "Hacking Democracy," the cable network's documentary on security flaws in voting systems. And you can't escape it by going to the movies: Robin Williams' "Man of the Year" is all about a TV commentator who wins the presidency through a glitch in an e-voting system.

And if you're a security professional -- even one who has nothing to do with e-voting -- you're probably getting a lot of questions from friends, executives, and end users about whether e-voting hacks can really happen. Need some fodder to feed these inquiring minds? We thought so.

Here, for use at the water cooler or over election night cocktails, is a look at some of the news and research that have come out on e-voting security since the beginning of September. Keep this little ditty handy and amaze your friends and colleagues into believing you really do know something about security.

As of this writing, major news agencies and wire services have reported no security-related problems with voting machines today. There have been scattered reports in several states of programming errors and operations problems in which votes couldn't be cast or were not accurately recorded.

"Lots of fender benders, but no major tie-ups," said Doug Chapin, director of Electionline.org, a nonpartisan group that tracks voting changes, in a wire report. "It's been a steady drumbeat but nothing that rises to the level of 'This could compromise the results.'"

Diebold, the company that makes many of the voting systems covered in "Hacking Democracy," has issued a statement asking HBO to pull the documentary off the air because it contains "significant factual errors." The company says it was "not in the electronic voting business" in 2000, when the events that predicated the documentary occurred.

Despite Diebold's protests, two independent university studies released in the last six weeks indicate that there are significant security flaws in its machines. Researchers at Princeton in Sept. issued a report which states that Diebold's AccuVote-TS machines are vulnerable to malware and viruses that could make it easy to steal votes or stuff the ballot box.

On Oct. 30, researchers at the University of Connecticut's Voting Technology Research Center issued a separate report which states that Diebold's Optical Scan Voting Terminal can be compromised "with off-the-shelf equipment in a matter of minutes" even if its removable memory card is sealed in place. This basic attack could be used to swap votes between candidates or to prevent one candidate's votes from being counted, the researchers say.

Problems with voting machines are not limited to Diebold. A study completed last month by a Dutch group called "We Do Not Trust Voting Computers" offers details on flaws in the Nedap/Groenendaal ES3B voting machine, which is used in 90 percent of the voting in the Netherlands as well as some parts of Germany and France.

The study offers details on how "anyone, when given brief access to the devices at any time before the election, can gain complete and virtually undetectable control over the election results." Following the report, the Dutch government banned the use of some voting machine models for its Nov. 22 election, and officials in Ireland put their plans to use the machines on hold.

Despite the reports, governments across the U.S. and in other countries continue to ramp up their use of e-voting devices, and experts are calling for tougher security assessments of the equipment.

David Wagner, a professor in the Computer Science Division at U.C.-Berkeley, told Congress earlier this year that independent testing authorities used by federal and regional governments are not catching key flaws in voting systems before they allow them to be used. He reported that systems in Tarrant County, Texas counted 100,000 votes that were never cast by voters in 2004.

"The state of electronic voting security is not good," said Wagner. "Many of today's electronic voting machines have security problems."

— Tim Wilson, Site Editor, Dark Reading