IT security researchers say they have uncovered
significant vulnerabilities in the electronic voting systems that
nearly a third of all registered voters will use in the
US presidential election in November.
The researchers warned that without voter-verifiable paper
receipts, the 50 million Americans who will use electronic voting
machines this autumn will have no way of knowing if their votes
were subject to electronic tampering.
Moreover, the code base powering the systems is so large and
complex that there is no efficient way for election officials to be
sure that it is free of malicious code designed to manipulate
election results.
Avi Rubin, a professor at the Johns Hopkins University
Information Security Institute in Baltimore, said his biggest
concern is the threat of individuals who have access to the code
base rigging the election. "And it's virtually undetectable," he
added.
"The trusted computing base is approximately 50,000 lines of
computer code sitting on top of tens of millions of lines of
[operating system] code," Rubin said. "It is impossible to secure
such a large trusted-computing base."
Rubin recently had 40 PhD candidates design Trojan horse
programs to assess the security of the e-voting systems.
"I was astounded to see the cleverness and ease with which the
malicious code was hidden and how difficult it was to find. In the
short term, meaning November 2004, a voter-verifiable paper ballot
is necessary. It's the only way to get around all of the security
problems in the machines."
Rubin, who has come under fire from IT suppliers and their
lobbying group, the Information Technology Association of America,
recently worked as a polling official to observe the process first
hand.
Although Rubin said that the experience forced him to rethink
some of his early concerns about the security of the systems, he
added that he came away with new concerns about the risk of
manipulation and fraud.
"At the end of the day, the memory cards were taken out of all
of the machines and put into one machine . . . and then they were
[transmitted via modem] to back-end servers," said Rubin. He also
noted that the polling station used a broken cipher for encryption
and a key that was hard-wired to all of the machines. That
constituted "a single point of vulnerability", he said.
Ted Selker, a professor at MIT and a former IBM fellow, said
there are ways to counter such vulnerabilities, but encryption
would be too difficult to deploy in time for the November vote. In
some cases, registration databases remain full of errors - a
problem that led to the loss of between 1.5 million and three
million votes during the 2000 election, he added.
The IT suppliers that make the systems in question sought to
discredit Rubin's research by characterising it as laboratory work
that has little relevance to a real-world voting environment. Some
also complained that until last year, election officials were more
interested in usability improvements than in better security.
"What's been missing from these laboratory-originated critiques
has been the real-world experience of the voting booth," said Mark
Radke, director of marketing at Diebold Election Systems, which
made the system tested by Rubin and his students.
The questions and doubts raised are "theoretical in nature," he
added.
Neil McClure, general manager of Hart InterCivic, which
manufactures the eSlate electronic voting system, said product
changes should be based on risk assessments, not solely on the
existence of vulnerabilities. He discounted the threat of
electronic tampering, saying it would require a long-term
commitment by a motivated attacker.
In any case, both the IT suppliers and the researchers agreed
that properly securing the existing systems will also be a
long-term process.
Dan Verton writes for Computerworld