IT security researchers said they have uncovered significant vulnerabilities in the electronic voting systems that nearly 30 percent of all registered voters will use in this November's presidential election.
In testimony before the U.S. Election Assistance Commission last week, security researchers said that without voter-verifiable paper receipts, the 50 million Americans who will use electronic voting machines this fall will have no way of knowing if their votes were subject to electronic tampering. Moreover, the code base powering the systems is so large and complex that there's no efficient way for election officials to be sure that it's free of malicious code designed to manipulate election results.
Avi Rubin, a professor at the Johns Hopkins University Information Security Institute in Baltimore, said his biggest concern is the threat of individuals who have access to the code base rigging the election. "And it's virtually undetectable," he said.
"The trusted computing base is approximately 50,000 lines of computer code sitting on top of tens of millions of lines of (operating system) code," Rubin said. "It is impossible to secure such a large trusted-computing base."
Rubin recently had 40 Ph.D. candidates design Trojan horse programs to assess the security of the e-voting systems. "I was astounded to see the cleverness and ease with which the malicious code was hidden and how difficult it was to find," he told the commission. "In the short term, meaning November 2004, a voter-verifiable paper ballot is necessary. It's the only way to get around all of the security problems in the machines" and, if necessary, to conduct meaningful recounts.
Rubin, who has come under fire from IT vendors and their Washington lobbying group, the Information Technology Association of America, recently worked as a polling official to observe the process firsthand.
Although Rubin said that the experience forced him to rethink some of his early concerns about the security of the systems, he added that he came away with new concerns about the risk of manipulation and fraud.
"At the end of the day, the memory cards were taken out of all of the machines and put into one machine . . . and then they were (transmitted via modem) to back-end servers," said Rubin. He also noted that the polling station used a broken cipher for encryption and a key that was hard-wired to all of the machines. That constituted "a single point of vulnerability," he said.
Ted Selker, a professor at MIT and a former IBM Corp. fellow, said there are ways to counter such vulnerabilities. But encryption would be too difficult to deploy in time for the November vote, he said. And in some cases, registration databases remain full of errors -- a problem that led to the loss of between 1.5 million and 3 million votes during the 2000 election, Selker said.
The IT vendors that make the systems in question sought to discredit Rubin's research by characterizing it as laboratory work that has little relevance to a real-world voting environment. Some also complained that until last year, election officials were more interested in usability improvements than in better security.
"What's been missing from these laboratory-originated critiques has been the real-world experience of the voting booth," said Mark Radke, director of marketing at McKinney, Texas-based Diebold Election Systems, which made the system tested by Rubin and his students. The questions and doubts raised are "theoretical in nature," he said.
Neil McClure, general manager of Hart InterCivic Inc. in Austin, said product changes should be based on risk assessments, not solely on the existence of vulnerabilities. He discounted the threat of electronic tampering, saying it would require a long-term commitment by a motivated attacker.
In any case, both the IT vendors and the researchers agreed that properly securing the existing systems will also be a long-term process.
"For 2004, we have the equipment we have," said Selker.