Diebold touchscreen voting machine
Teams of computer hackers sanctioned by California Secretary of State Debra Bowen were able to hack without difficulty into various vendors’ touch-screen voting machines during a “top to bottom review” of every system certified by the state, according to a University of California study released yesterday.
The report concluded the machines could be manipulated using “tools that can be found in a typical office and could be executed by a very low-skilled attacker.”
Voting equipment for the timed test included devices from Sequoia, Hart InterCivic and Diebold. Election Systems and Software failed to submit its equipment for the review prior to the deadline, but Bowen said she has “the legal authority to impose any condition” on use of the vendor’s equipment in the state.
Under the state’s constitution, Bowen has until Friday, Aug. 3, to certify voting machines for California’s February 2008 presidential primary election. California counties have invested millions in acquisition of electronic voting devices and would be hard pressed, both financially and time-wise, to replace equipment within six months.
As WND reported in January, a hacker, using a photograph of keys to a Diebold touch-screen voting system available on the company’s website, successfully duplicated two that were capable of opening the electronic balloting device now used in many states for elections.
Concerns over the security of Sequoia’s voting systems increased last October when it was revealed the federal government was investigating whether anti-American Venezuelan President Hugo Chavez controlled Smartmatic, owner of Sequoia Voting Systems, the company that operates electronic voting machines in 17 states.
UC researchers in the California test “were able to bypass physical and software security in every machine they tested,” said Bowen.
Bowen and the investigators would not reveal many details of the machines’ vulnerabilities, both because they did not want to make an attack easier for potential hackers and because the tests, which were conducted under controlled conditions, gave the review teams certain advantages real-life hackers might not have.
The sanctioned hackers had “all information available to the secretary of state,” including operating manuals, software and source codes usually kept secret by the voting machine companies, said UC Davis computer science professor Matt Bishop in his summary of results.
The study was designed to identify vulnerabilities in the various systems and did not address “assumptions about constraints on the attackers,” Bishop said.
“The testers did not evaluate the likelihood of any attack being feasible,” he added.
Critics of the report included manufacturers and county election officials, as well as voting-rights activists who have long been critical of electronic voting machines and who said the tests didn’t go far enough.
A Diebold spokesman said new security software, currently being evaluated by federal testers, was excluded by Bowen who limited the review to previously approved technology, reported the San Diego Union-Tribune.
“We believe that when used in conjunction with proper security procedures and protocols, our voting solutions encourage voter participation, reduce voter errors and ensure that every vote is safe, secure and accurate,” Diebold President David Byrd said in a statement.
Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines “is like giving a burglar the keys to your house,’ Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials, told the San Francisco Chronicle.
He dismissed the study as “only a hologram of what could be done technically without considering the real-world mitigation” of security measures like locks, access cards and other physical measures typically used.
The study found “absolutely no evidence of any malicious source code anywhere,” he claimed. “They found nothing that could cast doubt on the results of elections.”
San Francisco’s Registrar of Voters, Deborah Seiler, both agreed and disagreed with Weir’s criticism, noting that the vulnerabilities found by the study have been long known but, given actual security measures used, it would be almost impossible for “someone to walk into a polling place, pull out a screwdriver, tamper with a machine and not get caught.”
However, Seiler, a former Diebold sales representative, said the study did not go far enough and insisted researchers did not look for malicious code already embedded in the software that could be used to change votes.
Ken Karan, co-founder of Psephos, a voting-rights advocate group long critical of San Francisco’s use of Diebold’s equipment, felt vindicated with the new findings.
“It appears to me the veneer of security has evaporated,” he said.
Despite the review being conducted under favorable conditions for the hacker teams, Bishop said he was surprised by the voting systems’ weak physical and electronic security measures. His researchers were able to find their way into the systems through high-tech equipment in election headquarters and through the machines in the polling places.
“The vendors appeared to have designed systems that were not high assurance (of security),” he told the Chronicle. “The security seems like it was added on.”
If you would like to sound off on this issue, participate in today’s WND Poll.