Studies question e-voting security

IDG News Service - A series of new reports have again raised questions about the security of electronic voting machines, with one report identifying multiple vulnerabilities.

The Brennan Center for Justice at New York University School of Law, in a report released today, said three popular electronic voting systems are vulnerable to software attacks that could threaten the integrity of elections.

The center's Task Force on Voting System Security, made up of computer security experts from the U.S. government, universities and the private sector, unanimously recommended states conduct routine audits comparing voter-verified paper trails to the electronic record. The task force also recommended a ban on wireless components in voting machines. Currently, only three states ban wireless components on e-voting machines, but at least two e-voting machine vendors offer models with wireless technology.

"These machines are vulnerable to attack," Michael Waldman, the Brennan Center's executive director, said in a statement. "That's the bad news. The good news is that we know how to reduce the risks and the solutions are within reach."

Lawmakers need to take a "hard look" at the recommendations in the report, Howard Schmidt, a member of the task force, said in a statement. Schmidt is former White House cyber security advisor and former chief security officer at Microsoft Corp. and eBay Inc.

E-voting vendors have questioned the need for a paper trail with electronic machines, saying printers could add cost to the machines and cause machine shut-downs without providing more security. E-voting vendors say their machines are secure and a printout would do nothing more than replicate the voting numbers inside the machine.

The report details nine categories of possible attacks on e-voting machines, including attacks on tally servers and attacks designed to shut down e-voting machines.

While supporters of e-voting vendors say there's no evidence of software-based attacks on e-voting machines, the report suggests such attacks should be expected because "in the last several years, there have been increasingly sophisticated attacks on nonvoting computer systems."

The Information Technology Association of America  (ITAA), a trade group representing e-voting vendors, questioned the report, saying it was based on speculation, not performance. "Voting systems have to pass many levels of testing and scrutiny that detect vulnerabilities and allow for fixes," said Bob Cohen, ITAA's senior vice president. "To date, voting systems have not been successfully attacked in a live election. The purported vulnerabilities presented in this study, while interesting in theory, would be extremely difficult to exploit."

The report, available at http://www.brennancenter.org/programs/downloads/Full%20Report.pdf, also calls for Election Day testing of machines.

The Brennan Center study follows two other reports questioning e-voting security released this month. Last week, advocacy group Common Cause said 17 states using e-voting machines are at high risk of their election results being compromised because they use machines without paper backups. Among those states are Pennsylvania, Texas, New Jersey, Indiana and Maryland, Common Cause said.

Earlier in the month, Verified Voting, a group pushing for new security measures for e-voting machines, released a report on vulnerabilities of Diebold Inc. discovered by Harri Hursti of Black Box Voting. Twenty-seven states using Diebold machines are at risk of election fraud, some because they do not use paper trails, Verified Voting said.