|
Electronic
voting machines from Diebold Inc. have computer security and
physical security problems that might allow corrupt insiders or
determined outsiders to disrupt or even steal an election, according
to a report presented yesterday to Maryland state legislators.
But authors
of the report — which described the first official effort to hack
Diebold voting systems under election conditions — were careful to
say the machines, if not hacked, count votes correctly. And they
said the vulnerabilities the exercise found could be addressed in a
preliminary way in time for the state's primaries in March.
"I don't want
to beat people up," said Michael Wertheimer, a security expert for
RABA Technologies in Columbia, Md., who oversaw the exercise. "I
want to get an election that people can feel good about."
Further steps
could be taken to ensure a safe general election in November, the
report concluded. But ultimately, it said, Diebold election software
had to be rewritten to meet industry security standards and limited
use of paper receipts to verify votes would be needed.
A spokesman
for Diebold, which is based in North Canton, Ohio, emphasized the
report's positive elements. "There is nothing that has not been, or
can't be, mitigated" before the election, David Bear, the spokesman,
said.
In a
statement, Bob Urosevich, president of the Diebold election-systems
unit, said that this report and another by the Science Applications
International Corporation "confirm the accuracy and security of
Maryland's voting procedures and our voting systems as they exist
today."
Maryland has
spent more than $55 million for the machines. Georgia has chosen
Diebold for elections statewide, and major counties in California
and Ohio, among other states, have picked the machines.
The report's
authors said they had expected a higher degree of security. "We were
genuinely surprised at the basic level of the exploits" that allowed
tampering, said Mr. Wertheimer, a former security expert for the
National Security Agency.
The report
supports the findings of a study released in July, by academic
security experts at Johns Hopkins and Rice universities, that found
Diebold software lacked the level of security needed to safeguard
elections. Diebold stated that the code used by the researchers,
which had been taken from a company Internet site and circulated
online, was outdated. A subsequent report by Science Applications
International found some similar problems.
Aviel D.
Rubin, who led the Johns Hopkins effort, said, "If our report was
unable to convince Maryland that the Diebold machines were
vulnerable, then surely this work will set them straight."
The latest
study found that some problems identified in the Hopkins study had
not been corrected, and discussed other issues it found equally
troubling.
Security
experts found that the touch-screen voting machines all used the
same key to two locks that protect them from tampering. With
handheld computers and a little sleight of hand, they also found,
the touch screens could be reprogrammed to make a vote for one
candidate count for another, or results could be fouled so that a
precinct's vote could not be used.
Communications between the terminals and the larger server computers
that tabulate results from many precincts do not require that
machines on either end of the line prove they are legitimate, which
could let someone grab information that could be used to falsify
whole precincts' worth of votes.
The group
also found that the server computers did not have the latest
protection against the security holes in the Microsoft operating
systems, and were vulnerable to hacker attacks that would allow an
outsider to change software. |
