The following piece was produced by HuffPost's OffTheBus.
Do you have a Palm Treo? Then take it with you when you vote. You might be able to alter an election.
An intensive review of Ohio's voting machines has revealed serious security flaws in voting machines that are used in elections throughout the country. The report found that, in some cases, machines could be compromised with everyday objects such as magnets or PDAs.
On December 14th, Ohio Secretary of State Jennifer Brunner released the results of the Evaluation & Validation of Election-Related Equipment, Standards & Testing study, known as EVEREST. The study evaluated analyzed DRE (Direct Recording Electronic) and optical scan systems made by Premiere Election Systems (formerly Die Bold), Hart InterCivic, and Election Systems & Software (ES&S). Teams of scientists from both the academic and corporate world analyzed the actual voting machines, system source codes, and election procedures. The complete report is available here.
A statement from study team leaders Patrick McDaniel (Pennsylvania State University), Matt Blaze (University of Pennsylvania), and Giovanni Vigna (WebWise Security) summarized their findings, including the following description of the voting systems' failures:
"The security failures themselves affected the entirety of the election process. We found vulnerabilities in different vendor systems that would, for example, allow voters and poll-workers to place multiple votes, to infect the precinct with virus software, or to corrupt previously cast votes-sometimes irrevocably. Further problems persist at the election headquarters, where election software running on commodity Microsoft Windows 2000 or XP machines could be compromised by viruses arriving from precincts, or by an attacker with seconds at the controller terminal. These latter security failures could expose precinct or county-wide ballots and tallies to widespread manipulation.
Two characteristics of the all of the vendor systems emerged from our analysis bear further comment. First, the systems exhibited a near universal lack of effective protections against insiders. Unmonitored poll-workers and election officials can frequently exploit security failures to circumvent protections or misuse software features to manipulate voting equipment, vote counts, and audit information. Second, there was a pervasive lack of quality in the implementation (coding and manufacturing) of these systems. Failures were present in almost every device and software module we investigated. Such problems may lead to serious stability issues, and are the source of many security issues."
Secretary of State Brunner, along with a bipartisan team of election board directors and deputy directors, issued a series of recommendations in response to the report, including a move to central counting of ballots; eliminating DREs and precinct-based optical scan machines that count ballots at polling locations; requiring all ballots to be optical scan ballots; "no fault" absentee balloting; and the establishment of early (15 days prior to the election) voting and election day vote centers to take the place of polling places of less than five precincts. The state did not require counties to replace all their machines, but did suggest that counties such as the heavily populated Cuyahoga, apply for funding to buy high-speed optical scanners in time for the March 2008 primary.
Brunner's recommendations were met with some criticism. Brad Friedman noted that Brunner did not decertify any of the systems. In comparison, a similar study of voting systems last summer led California Secretary of State Debra Bowen to decertify all machines and recertify them using new security measures. The results of California's review and the changes made in California systems are available here.
In addition, Brunner's plan to move to a central ballot counting system was considered potentially less secure than precinct-based counting. In a Columbus Free Press report posted by Friedman, it is noted that:
"Voting system and security experts have previously argued that decentralized precinct-based counting was more secure than central, county-based counting since results could be both counted, and posted at the polling place on election night, prior to transport of ballots, and vulnerable recording media to county offices."
In a precinct-based counting system, tampering will only affect the votes of one precinct. In a central-based system, however, one security breach can alter the results of an entire county. An increase in absentee balloting, another of Brunner's recommendations, is also considered vulnerable to corruption.
Ohio, like many other states, uses a mix of different voting systems from different companies. South Carolina, however, uses the ES&S iVotronic DRE system throughout the state. The iVotronic is one of the machines analyzed in the Ohio report. The study concluded that the ES&S systems failed eleven out of the testers' twelve "best practices requirements." Failures of the iVotronic included:
"Physical battering of a DRE by a voter at the precinct could easily cause the voting machine to have to be rebooted, causing delays and confusion during the voting process."
"The computers hosting the software failed to be secured from physical attack in even the basic ways," and unauthorized individuals could leverage these security weaknesses to introduce malware or compromise elections data."
"The DRE units showed a vulnerability in the printer connection where unauthorized individuals could easily connect their own device to the VVPAT (voter verified paper audit trail) printer and print their own results or rewind the paper tape to print over the existing voter records."
"MicroSolved (the testing team) was able to cause a DRE to crash by tampering with a memory card, which could cause an unauthorized individual to introduce malware into the DRE component or its memory card and transfer illicit code to the Unity server. While access to memory cards is protected with tamper seals, MicroSolved found the seals were "easily circumvented."
"A mechanism exists in the Unity (ES&S system) software for a user to arbitrarily edit vote totals."
South Carolina, an important early primary state, tells citizens on its voter FAQ that the machines have been tested; their votes are safe; and that, using the iVotronic, "no vote is cast in error, lost, or is in anyway altered."
When contacted for a reaction to Ohio's findings of the problems with the ES&S machines used throughout South Carolina, Gary Baum, Public Information Director for the State Election Commission, said he was not familiar with the report and could not comment.
The South Carolina Republican primary takes place on January 19th. The Democratic primary is on January 26th.