California report slams e-voting system security
Every tested machine had problems -- yes, every single one
IDG News Service - Researchers commissioned by the state of California have found security issues in every electronic voting system they tested, California Secretary of State Debra Bowen said Friday.
The report was published Friday as part of a complete review of the state's e-voting systems initiated earlier this year by Bowen's office.
Its findings were not encouraging for backers of e-voting.
"The security teams were able to bypass both physical and software security in every system they tested," Bowen said Friday during a conference call with media.
The report documents 15 security problems found in the devices. For example, researchers were able to exploit bugs in the Windows operating system used by the Diebold GEMS election management system to circumvent the system's audit logs and directly access data on the machine. They were able to get a similar level of access to Sequoia WinEDS data as well.
Testers were also able to overwrite firmware, bypass locks on the systems, forge voter cards, and even secretly install a wireless device on the back of a GEMS server.
Bowen is set to decide by Aug. 3 which systems will be certified for use in the 2008 presidential primaries. She declined to comment on how the report's findings will affect this decision until she has completely reviewed the report. "The severity of it, what it means ... that's a matter for us to investigate and pull apart and analyze between now and next Friday."
But she did acknowledge that the security problems found by researchers were important. "It's a big deal for many people in this country," she said. "We are a democracy and our very existence as a democracy is dependent on having voting systems that are secure, reliable and accurate."
California's review is the most thorough review of voting machine technology yet undertaken in the U.S.
A team of researchers assembled by the University of California has spent the past two months evaluating the security, accessibility and manufacturer documentation of voting machines. A "red team" of penetration testers attempted to gain access to the voting systems to see if they could disrupt an election or alter the results, while another team examined the source code to the machines.
Researchers examined devices manufactured by Diebold Election Systems Inc., Hart InterCivic Inc. and Sequoia Voting Systems Inc.
Representatives from Diebold and Sequoia said Friday that they needed more time to review the research before commenting in depth. "We are very anxious to review the findings," said Michelle Shafer, a Sequoia spokeswoman, via e-mail. "We will be providing our official response ... early next week."
She noted, however, that the "testing done during this Top to Bottom Review did not employ the processes and procedures used in the conduct of an actual election."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts