E-voting machines again under fire

Princeton analysis says Diebold's AccuVote-TS isn't secure, while legal action over e-vote supervision continues.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Concerns about electronic voting machines, whose reliability has been heavily criticized in recent years, resurfaced this week in a recently published Princeton University study.

Released on Wednesday, the Princeton research paper, "Security Analysis of the Diebold AccuVote-TS Voting Machine," says that the e-voting machine, produced by Diebold Election Systems, was vulnerable to malicious attacks and potential voter fraud.

The Princeton report comes amid renewed debate over e-voting as the November elections near and ongoing legal action by the Electronic Frontier Foundation (EFF), which advocates stricter supervision of e-voting systems.

The EFF on Wednesday filed a brief with the U.S. Circuit Court of Appeals, asking the court to reject a request to dismiss an EFF lawsuit against the Ohio secretary of state and governor. The suit alleges the defendants abdicated their responsibilities to ensure Ohio residents had a right to vote. Some e-voting machines in Ohio had malfunctioned during the 2004 election, in some cases causing votes cast for one candidate to go to the opposition.

"Ohio's procedures, like many used elsewhere across the country, simply don't do enough to protect voters from the serious vulnerabilities in the current generation of electronic voting equipment," Matt Zimmerman, EFF staff attorney, said in a statement.

Authorities in some states have grown increasingly uncomfortable with e-voting security measures. California, for example, found last year it could not certify Diebold's electronic voting systems results without adding federal review.

Princeton's research found the AccuVote-TS, as well as a newer version of the machine, the TSx, are expected to be used in 357 counties, representing nearly 10 percent of registered voters.

"Analysis of the machine...shows that it is vulnerable to extremely serious attacks," the report states. "An attacker who gets physical access to a machine or its removable memory card for as little as a minute could install malicious code."

From there, the virus could allegedly steal votes without detection and modify all records, logs and counters so the machine's tabulations would be consistent with the bogus votes it creates, according to the report.

The malicious attack could also spread to other e-voting machines, creating a voting machine virus, the report states. It suggested the machine's software and hardware be updated and strict election procedures be implemented.

But a Diebold executive disagreed and said that the e-voting machine used for the research project has security software that is two generations old.

"By any standard--academic or common sense--the study is unrealistic and inaccurate," Dave Byrd, Diebold Election Systems president, said in a statement.

He noted that normal security procedures allegedly were not followed for the unit used in the research. The unit's numbered security tape, 18 enclosure screws and numbered security tags were allegedly destroyed or missing to allow researchers to get inside the machine.

The latest version of the AccuVote-TS software includes 128-bit data encryption, digitally signed memory card data, Secure Sockets Layer (SSL) data encryption for transmitting results and dynamic passwords.

"Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day," Byrd said.