subject: Princeton researchers demonstrate Diebold virus
posted: Wed, 20 Sep 2006 11:57:11 +0100


[online version is full of links - oh yes - these machines run - wait
for it - Windows!!! lol... my only question is, have these
vulnerabilities already been used to swing elections in the past?
This research shows how it could have been done. The question is:
was it? - Stu]

http://www.securityfocus.com/brief/302

Princeton researchers demonstrate Diebold virus
Published: 2006-09-14

Researchers at Princeton University have demonstrated major security
holes in U.S. electronic voting machines made by Diebold that make
vote-stealing viruses a reality.

The Diebold AccuVote-TS and TSx systems are the most widely
deployed voting systems in the United States. The research summary
and the full paper (PDF) do not mince words, clearly stating that the
election machines are vulnerable to "extremely serious attacks."

The Princeton study was summarized in four main points. First, they
found that malicious software, likely in the form of a virus, would
be capable of "steal[ing] votes with little if any risk of
attention." Second, the study concluded that anyone with physical
access to a voting machine, or a memory card that would later be
inserted into the machine, could easily install malicious software.
Third, the Princeton researchers demonstrated a proof-of-concept
virus that manipulates voting results, both on screen and in printed
format, stealing votes and potentially rigging a U.S. election. They
discuss how such a virus could easily be spread to numerous machines
in an election riding. Finally, the paper concludes that the only
feasible remedy to such major security concerns is replacing
the voting machines themselves, along with changes to electoral
procedures in the U.S. - noting that software changes alone would be
insufficient to patch the Diebold design flaws.

Researchers Ariel J. Feldman, Alex Halderman, and Edward W. Felten
further provide a chilling, narrated video (including a high
resolution version) that demonstrates how easy it is to fool voters
and election officials with an infected machine. The narrator clearly
explains how a criminal's malicious software "can steal votes, and it
can cover its tracks so that the theft cannot be detected."

The researchers' video and accompanying paper show how easily a
criminal could install, in advance, malicious software on a voting
machine in just a few minutes. They demonstrate how voting results
can be manipulated, both on-screen and on the paper printouts that
verify the results. The Princeton team further discuss how a virus
could spread via the system's removable memory cards, and then remove
itself at the end of an election - leaving no trace of a rigged
election. The actual discussion of a virus' spreading mechanism,
using election officials who are unaware the voting machine is
infected, can be likened to viruses in PCs that spread by floppy
disks and other removable media in the 1980s.

Reports of major vulnerabilities in Diebold voting machines, which
run a version of the Windows operating system, have appeared many
times in the past few years. Earlier this year, Avi Rubin at Johns
Hopkins University detailed critical flaws in the same Diebold
systems. Rubin is quoted as saying about his 2006 research: "It is
like the nuclear bomb for e-voting systems. It's the deal breaker. It
really makes the security flaws that we found (in prior years) look
trivial."

Diebold's source code for its voting software, used to run its voting
machines, was also stolen in 2003 - giving criminals ample time to
evaluate the program's overall architecture and construct a similar
virus to what the Princeton team demonstrated.

The larger issue of how rigged voting machines could have an impact
on U.S. Presidential elections, and the implications overall for
American democracy and freedom, was not directly addressed by the
Princeton team.

Posted by: Kelly Martin

---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/