The attacks described in Hursti’s report would allow anyone who had physical access to a voting machine for a few minutes to install malicious software code on that machine, using simple, widely available tools. The malicious code, once installed, would control all of the functions of the voting machine, including the counting of votes. Hursti’s findings suggest the possibility of other attacks, not described in his report, that are even more worrisome. In addition, compromised machines would be very difficult to detect or to repair. The normal procedure for installing software updates on the machines could not be trusted, because malicious code could cause that procedure to report success, without actually installing any updates. A technician who tried to update the machine’s software would be misled into thinking the update had been installed, when it actually had not. On election day, malicious software could refuse to function, or it could silently miscount votes.
As I’ve written before, I’m not convinced there are any good reasons to use computerized voting machines. It seems to be driven by a simplistic notion that computerized stuff is always better than non-computerized stuff. But as Felten says, these sorts of vulnerabilities are inevitable on a general-purpose computer.
The most important features for a voting machine are reliability and transparency. In general, the simpler a machine is, the easier it is to verify that it’s working correctly and the more likely ordinary voters are to trust it. Optical-scan voting machines appear to be plenty reliable, and they have the advantage that if anything goes wrong, there’s always an option for a manual recount.
When it comes to voting, we should be very, very hesitant to fix what’s not broken.