The source code report was released today (Thursday, Aug. 2) by California Secretary of State Debra Bowen as part of an unprecedented "Top-to-Bottom Review" of electronic voting systems.
Bowen commissioned the review May 31 to restore the public's confidence in the integrity of the electoral process, and to ensure that California voters are being asked to cast their ballots on machines that are secure, accurate, reliable and accessible. Bowen is expected to make a decision regarding the certification of the electronic voting machines by tomorrow (Friday, Aug. 3), six months before the state's primary election is to be held.
David Wagner, UC Berkeley associate professor of computer science, and Matt Bishop, UC Davis professor of computer science, are the co-principal investigators of the project, which was divided into four parts.
The Red Team and Accessibility reports were led by UC Davis and released last week. The Red Team testers were charged with compromising the voting systems, and the Accessibility team evaluated the system's usability for voters with disabilities and with special language requirements.
The other two components of the project, led by UC Berkeley, are a review of electronic voting system documentation to determine whether those materials are complete and consistent, and a review of the systems' source code, the programming instructions that control system operations.
Wagner headed the team that reviewed the voting systems' software source code in an effort to detect weaknesses that could be exploited.
Each of the three electronic voting systems examined was made by a different manufacturer: Diebold Election Systems, Sequoia Voting Systems and Hart InterCivic. The voting systems are used in 43 of the 58 counties in California by 9 million of the state's 15.7 million registered voters. These systems are also used in dozens of other states around the country, Wagner added.
The researchers said that many of the security problems they encountered were fairly similar across the three systems.
"The most severe problem we found was the potential for viruses to be introduced into a machine and spread throughout the voting system," said Wagner. "In the worst-case scenario, these malicious codes could be used to compromise the votes recorded on the machines' memory cards or render the machines non-functional on election day."
The researchers said it is possible for viruses on one machine to spread to an entire county's system when its votes are being uploaded to a central computer for tabulation, although they did not demonstrate this in their review.
"We found flaws that could allow an attacker to defeat all the technological countermeasures in the software," said Wagner. "Unfortunately, these vulnerabilities are not trivial implementation bugs that can be patched up. The software just wasn't designed with fundamental safeguards in place to make them resilient to intrusion. It was troubling to discover this."
The researchers acknowledge that a real-world hacker would need access to an electronic voting machine to discover these security flaws. "Getting a machine may be difficult, but it is not impossible. Maintaining the physical security of the voting equipment can be a challenge when there are tens of thousands of these machines across the country," said Wagner. "You don't have to be an election official or employee of the manufacturer to get your hands on one."
Indeed, recent news reports and voter watchdog groups have noted that electronic voting machines have been put on sale and purchased through eBay.
The security holes identified by the source code reviewers were passed on to the Red Team testers at UC Davis, who were charged with compromising the voting systems. However, many security flaws were discovered by the Red Team testers on their own. The researchers emphasized that knowledge of a voting system's source code, while helpful, is not critical to breaking down its security barriers.
The researchers also found problems that could jeopardize the secrecy of ballots in two of the systems. For instance, time stamps on electronic ballots could allow votes to be matched to individuals if it is known when they voted, something an observant poll worker could figure out. Machines that record votes in the same order in which they are cast can also help identify a voter.
"These problems in electronic vote records are fairly easy to fix by eliminating time stamps, which are gratuitous, and by randomizing the order in which votes are recorded," said Wagner.
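The fix described above (no time stamps, randomized record order), sketched as an added example that is not taken from the report or from any vendor's code. The record layout, function names and sample data are constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample: poll-book sign-in order and the ballots cast in that order.
SIGN_INS = ["voter-A", "voter-B", "voter-C", "voter-D"]
CAST = [("09:02", "X"), ("09:05", "Y"), ("09:10", "X"), ("09:16", "Z")]
TRUTH = {v: choice for v, (_ts, choice) in zip(SIGN_INS, CAST)}

def record_sequential(cast):
    """Weak layout: every record keeps its time stamp and its cast position."""
    return [{"ts": ts, "choice": choice} for ts, choice in cast]

def record_private(cast):
    """Hardened layout: time stamp dropped, record placed at a CSPRNG-chosen slot."""
    store = []
    for _ts, choice in cast:
        # Inserting each new record at a uniformly random index yields a
        # uniformly random permutation, so position says nothing about cast order.
        store.insert(secrets.randbelow(len(store) + 1), {"choice": choice})
    return store

def linkable_by_order(sign_ins, records, truth):
    """Audit check: voters matched to their own ballot by position alone."""
    return sum(rec["choice"] == truth[v] for v, rec in zip(sign_ins, records))

def tally(records):
    """Vote counts; must be identical for both layouts."""
    return Counter(rec["choice"] for rec in records)

if __name__ == "__main__":
    weak, hardened = record_sequential(CAST), record_private(CAST)
    print("sequential store, ballots linked by position:",
          linkable_by_order(SIGN_INS, weak, TRUTH), "of", len(SIGN_INS))
    print("fields kept per hardened record:", sorted(hardened[0]))
    print("tallies equal:", tally(weak) == tally(hardened))
```

The randomization has to come from an unpredictable source (here `secrets`); a shuffle driven by a guessable seed can be replayed to recover the original order.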
"Our hope is that the results of our testing will help Secretary Bowen, election officials and the vendors understand where the potential problems exist in the electronic voting systems so they can take appropriate measures to address them," said Wagner. "Secretary Bowen should be commended for embarking on this important review of electronic voting systems. She is serving the voters of California well by gathering information to help her, and others, to make informed decisions."

-Berkeley University