Security experts say new electronic voting machines can be hacked

Posted on by

Rapid advances in the development of cyberweapons and malicious software mean that electronic-voting machines used in the 2012 election could be hacked, potentially tipping the presidential election or a number of other races.

Since the machines are not connected to the Internet, any hack would not be a matter of someone sneaking through cyberspace to change ballots. Rather, the concern is that an individual hacker, a partisan group, or even a nation state could infect voting machines by gaining physical access to them or by targeting the companies that service them.

The 2010 discovery of the Stuxnet cyberweapon, which used a thumb drive to attack Iran’s nuclear facilities and spread among its computers, illustrated how one type of attack could work. Most at risk are paperless e-voting machines, which don’t print out any record of votes, meaning the electronically stored results could be altered without anyone knowing they had been changed.

In a tight election, the result could be the difference between winning and losing. A Monitor analysis shows that four swing states – Pennsylvania, Virginia, Colorado, and Florida – rely to varying degrees on paperless machines.

“The risk of cyber manipulation of these machines is quite real,” says Barbara Simons, a computer researcher and author of “Broken Ballots,” a book documenting e-voting vulnerabilities. “Most people don’t understand that these computer-based voting machines can have software bugs or even election-rigging malicious software in them.”

There are plenty of software vulnerabilities to exploit, says Matt Blaze, a computer scientist at the University of Pennsylvania in Philadelphia. In 2007, he was on a team investigating touch-screen and other voting systems for California and Ohio. The resulting study concluded “virtually every important software security mechanism is vulnerable.”

The paperless machines, however, stand out as particularly vulnerable.

“If there’s no paper trail, you can have the corrupted software display on the voting-machine screen whatever you want to display – and then after the voter leaves, record something completely different inside,” says Richard Kemmerer, a computer scientist who heads the University of California, Santa Barbara, Computer Security Group.

From the The Christian Science Monitor (http://s.tt/1r7Gh)