With improvements, e-voting could be good, says researcher.

Researcher who found vulnerabilities in California's e-voting systems looks ahead to better auditing.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi
2 min read

WASHINGTON--In a keynote address at this year's ShmooCon, an East Coast computer hacker conference, J. Alex Halderman said that electronic voting machines could be good for the electorate--with some modifications.

Halderman is a graduate student studying under Ed Felten, a professor of computer science at Princeton, who is best known for demonstrating that the electronic voting machines produced by Diebold and other companies are vulnerable to attack. Diebold has since changed the name of election equipment to Premier Election Solutions. Felten was to make the keynote address, but canceled at the last minute due to the flu. Halderman is no less qualified to speak to the convention of computer hackers; this past summer, Halderman and others from Felten's team assisted California Secretary of State Debra Brown in her investigation of electronic voting machines.

At issue are direct-recording electronic (DRE) voting machines. Halderman points out that DREs are, basically, computers, susceptible to viruses, bugs, and crashes. What troubles Halderman and his team is that "a conspiracy of one could launch an attack on all the voting machines in a county or in a state." He said that while paper ballots could be rigged, paperless electronic ballots were even easier to exploit.

With the Diebold machines Halderman studied, he found that the company provided potential attackers with an upgrade process that was easy to manipulate. By giving a malicious file a specific file name, the Diebold DREs simply ran the code, allowing a devious programmer to inject malicious code into one or more voting machines. Since the same PCMIA card can be used to load a specific ballot within a precinct, county, or state, one tainted card could easily spread the infection.

Halderman also found, when working on the voting machines used in California that voting machines could also, with very little work, expose who voted for whom, violating voter secrecy.

Diebold has previously dismissed the claims by Felten, Halderman, and others. Another California e-voting system vendor, Sequoia, issued a press release faulting the secretary of state's study. Despite their objections, most states with electronic voting systems have now required the vendors to provide some kind of a paper audit.

Once the e-voting vendors improve their systems, Halderman said e-voting could ultimately be good. Voters like it. It provides faster reporting. It also offers more accessibility to disabled voters. With the addition of paper receipts, said Halderman, e-voting will also allow for better and less expensive vote auditing.

Currently, Halderman said, recounting votes in a disputed election is costly. Using machine-assisted auditing, however, taxpayers would save money and receive a much more accurate recount. One method Halderman showed at ShmooCon involved auditing only the winning candidate's vote to see if there was any evidence of electronic vote switching. As an example, he cited a recent election in Virgina where less than 1 percent of the vote decided the winner; by the current method, 1 million ballots would need to be recounted, but by his machine-assisted auditing method only 1,000 would be needed.