E-voting system security, integrity under fire
- 07 May, 2004 15:04
IT security researchers have uncovered significant vulnerabilities in the electronic voting systems that nearly 30 percent of all registered voters will use in the upcoming presidential election, raising concerns about what already looks to be one of the most divisive elections in U.S. history.
In testimony before the U.S. Election Assistance Commission Wednesday, security researchers said that without voter-verifiable paper receipts, the 50 million Americans who will use electronic voting machines this fall will have no way of knowing if their votes were recorded properly. Even worse, the code base powering the systems is so large and complex that there's little way for election officials to be sure it is free of malicious code designed to manipulate election results.
"My biggest concern is that in a very large trusted computing base, the threat of somebody with access to the development environment of the code base, particularly the vendor, basically is in position to make the outcome of the election come out how they would like, and it's virtually undetectable," said Avi Rubin, a professor at the Johns Hopkins University Information Security Institute. "The trusted computing base is approximately 50,000 lines of computer code sitting on top of tens of millions of lines of (operating system) code. It is impossible to secure such a large trusted computing base," said Rubin.
Commission members also expressed concern about the potential for vendors to influence elections, especially since some have taken active roles in operating polling stations and, in the case of Diebold Election Systems' CEO Walden O'Dell, stated publicly the intent to deliver election results to President George W. Bush.
Rubin recently had 40 Ph.D. candidates design Trojan horse programs to assess the security of the systems. "I was astounded to see the cleverness and ease with which the malicious code was hidden and how difficult it was to find," Rubin told the commission. "In the short term, meaning November 2004, a voter-verifiable paper ballot is necessary. It's the only way to get around all of the security problems in the machines" and, if necessary, to conduct meaningful recounts.
Rubin, who has come under fire from IT vendors and their Washington lobby, the Information Technology Association of America, recently worked as a polling official to observe the process firsthand. While that experience forced him to rethink some of his early concerns about the security of the system, he came away with new concerns about the risk of manipulation and fraud.
"At the end of the day, the memory cards were taken out of all of the machines and put into one machine ... and then they were [transmitted via modem] to back-end servers," said Rubin, noting that the polling station used a broken cipher for encryption and a key that was hard-wired to all of the machines.
He called that "a single point of vulnerability" and pointed out that there is no encryption to protect the transmission.
Ted Selker, a professor at MIT and a former IBM Corp. fellow, said there are ways to counter such vulnerabilities. But encryption would be too difficult to deploy in time for the November vote, he said. And in some cases, registration databases remain full of errors -- a problem that led to between 1.5 million and 3 million votes being lost during the 2000 election.
The IT vendors that make the systems in question, sought to discredit Rubin's research by characterizing it as laboratory work that has little relevance to a real-world voting environment. Some also complained that until last year, election officials were more interested in usability improvements than better security.
"What's been missing from these laboratory-originated critiques has been the real-world experience of the voting booth," said Mark Radke, director of marketing at McKinney, Texas-based Diebold Election Systems Inc., which made the system tested by Rubin and his students. The questions and doubts raised are "theoretical in nature," he said.
Neil McClure, general manager of Hart Intercivic Inc. in Austin, said product changes should be based on risk assessments, not solely on the existence of vulnerabilities. He discounted the threat of electronic tampering, saying it would require a long-term commitment by a motivated attacker.
Unfortunately, both the IT vendors and the researchers agreed that properly securing the existing systems would take equally as long. "For 2004, we have the equipment we have," said Selker.