You can just jump to the extended text if you want.

Electronic voting machines made by Diebold Inc. that are widely used in several states have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented today to Maryland state legislators.

Authors of the report — the first hands-on attempt to hack Diebold voting machine systems under conditions found during an election — were careful to say that the machines, if not hacked, count votes correctly, and that issues discovered in the "red team" exercise could be addressed in a preliminary way in time for the state's primaries in March.

"I don't want to beat people up," said Michael Wertheimer, the security expert who ran the attack team for RABA Technologies, a consulting firm in Columbia, Md. "I want to get an election that people can feel good about in March."

…A representative of Diebold said the issues raised by the new report had already been addressed by the company. "There is nothing that has not been or can't be mitigated" before the election, said David Bear, a spokesman for the company.

…Maryland has bought more than $55 million worth of the machines. Georgia has chosen Diebold machines for elections statewide, and they have been chosen by populous counties in California and Ohio, among other states.

The authors of the report said that they had expected a higher degree of security in the design of the machines. "We were genuinely surprised at the basic level of the exploits" that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.

William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of the Red Team exercise, said, "I can say with confidence that nobody looked at the system with an eye to security who understands security."
The latest study found that some issues discovered last July in the Johns Hopkins study had not, in fact, been corrected, and that other issues that had not been discovered in other studies were equally troubling. The report can be found at www.raba.com.

In the security exercise, members of the attack team said they were surprised to find that the touch-screen machines used by voters all used the same physical key to the two locks that protect their innards from tampering. With hand-held computers and a little sleight of hand, they found, the touch screens could be reprogrammed to make a vote for one candidate count for an opponent, or results could be fouled so that a precinct's tally could not be used.

Advertisement

In addition, they said, communications between the terminals and the larger server computers that tally results from many precincts do not require that machines on either end of the line prove that they are legitimate, an omission that could allow someone to grab information that could be used to falsify whole precincts worth of votes.

And the server computers do not have the latest protection against the security holes in the Microsoft operating systems, and they are vulnerable to hacker attacks that would allow an outsider to change software, the group found.

The authors of the report also said smart cards that are shipped with the system for voters and supervisors to use during elections have standard passwords that are easily guessed. That problem was cited in the original Johns Hopkins report, and it could allow anyone with a hand-held card reader and small computer to get the access of an election official. The company said that it has provided the capability for election officials change those passwords and increase security, though it still ships the products with the easily broken password.

Mr. Wertheimer said the application of security was inconsistent, with encryption applied in some places without the accompanying technology of authentication to ensure that the machines that are communicating with each other are the ones that are supposed to be communicating and that an interloper has not jumped in. "It's like washing your face and drying it with a dirty towel," he said.

Though individual members of the attack team said that they found the original Johns Hopkins study, which called for the state to abandon the machines, to be alarmist in tone and written in the kind of sound-bite language to grab the attention of the news media, Mr. Arbaugh said this team's results "vindicate" the work of the leader of that effort, Aviel D. Rubin, who goes by Avi, and showed that Diebold did not do enough after the report to fix the problems that he identified.

"Avi told them the door was wide open and unlocked," Mr. Arbaugh said. "They closed the door, but they didn't lock it," he said.