IT security researchers say they have uncovered significant vulnerabilities in the electronic voting systems that nearly a third of all registered voters will use in the US presidential election in November.
The researchers warned that without voter-verifiable paper receipts, the 50 million Americans who will use electronic voting machines this autumn will have no way of knowing if their votes were subject to electronic tampering.
Moreover, the code base powering the systems is so large and complex that there is no efficient way for election officials to be sure that it is free of malicious code designed to manipulate election results.
Avi Rubin, a professor at the Johns Hopkins University Information Security Institute in Baltimore, said his biggest concern is the threat of individuals who have access to the code base rigging the election. "And it's virtually undetectable," he added.
"The trusted computing base is approximately 50,000 lines of computer code sitting on top of tens of millions of lines of [operating system] code," Rubin said. "It is impossible to secure such a large trusted-computing base."
Rubin recently had 40 PhD candidates design Trojan horse programs to assess the security of the e-voting systems.
"I was astounded to see the cleverness and ease with which the malicious code was hidden and how difficult it was to find. In the short term, meaning November 2004, a voter-verifiable paper ballot is necessary. It's the only way to get around all of the security problems in the machines."
Rubin, who has come under fire from IT suppliers and their lobbying group, the Information Technology Association of America, recently worked as a polling official to observe the process first hand.
Although Rubin said that the experience forced him to rethink some of his early concerns about the security of the systems, he added that he came away with new concerns about the risk of manipulation and fraud.
"At the end of the day, the memory cards were taken out of all of the machines and put into one machine . . . and then they were [transmitted via modem] to back-end servers," said Rubin. He also noted that the polling station used a broken cipher for encryption and a key that was hard-wired to all of the machines. That constituted "a single point of vulnerability", he said.
Ted Selker, a professor at MIT and a former IBM fellow, said there are ways to counter such vulnerabilities, but encryption would be too difficult to deploy in time for the November vote. In some cases, registration databases remain full of errors - a problem that led to the loss of between 1.5 million and three million votes during the 2000 election, he added.
The IT suppliers that make the systems in question sought to discredit Rubin's research by characterising it as laboratory work that has little relevance to a real-world voting environment. Some also complained that until last year, election officials were more interested in usability improvements than in better security.
"What's been missing from these laboratory-originated critiques has been the real-world experience of the voting booth," said Mark Radke, director of marketing at Diebold Election Systems, which made the system tested by Rubin and his students.
The questions and doubts raised are "theoretical in nature," he added.
Neil McClure, general manager of Hart InterCivic, which manufactures the eSlate electronic voting system, said product changes should be based on risk assessments, not solely on the existence of vulnerabilities. He discounted the threat of electronic tampering, saying it would require a long-term commitment by a motivated attacker.
In any case, both the IT suppliers and the researchers agreed that properly securing the existing systems will also be a long-term process.
Dan Verton writes for Computerworld