Ed Felten reports on the results of California’s studies of the source code of e-voting machines used in the state. I haven’t had time to read the reports myself, but according to Felten, they’re pretty devastating:
All three reports found many serious vulnerabilities. It seems likely that computer viruses could be constructed that could infect any of the three systems, spread between voting machines, and steal votes on the infected machines. All three systems use central tabulators (machines at election headquarters that accumulate ballots and report election results) that can be penetrated without great effort.
It’s hard to convey the magnitude of the problems in a short blog post. You really have read through the reports — the shortest one is 78 pages — to appreciate the sheer volume and diversity of severe vulnerabilities.
It is interesting (at least to me as a computer security guy) to see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities. They store votes in a way that compromises the secret ballot.
I think there are two policy lessons to take away from all of this. First, source code secrecy is a lousy way to protect voting machines. Any moderately skilled hacker who gets his hands on an e-voting machine will be able to reverse-engineer enough of the voting machines’ innards to uncover one of the many flaws in these machines. Secrecy simply shields e-voting vendors from public scrutiny and criticism, thereby making it less likely that these security problems will be detected and fixed in a timely manner.
Secondly, given the sheer number of vulnerabilities, it’s not reasonable to expect there to be secure voting machines on the market any time soon. Even if it were theoretically possible to create such machines, it will take several iterations of companies developing new machines and security experts tearing them apart before they get it right. So for at least the next couple of elections, states that care about security should be using paper ballots.