Princeton report questions electronic voting machine security

September 16, 2006

Researchers at Princeton University have studied the security of electronic voting machines. They have created a virus that could breach voting machines and change votes. The creators of the voting machine say the research was unrealistic.

Edward William Felten, a professor of computer science and public affairs at Princeton University, and two Princeton graduate students, Ariel Feldman and Alex Halderman, created a computer virus that they say could remain concealed in tests, "steal" votes, delete itself to go undetected and spread to other machines.

They used a Diebold AccuVote-TS, which is a small computer with a touch screen. The latest version of the software used 128-bit data encryption, digitally signed memory card data, Secure Sockets Layer (SSL) data encryption for transmitting results and dynamic passwords.

They opened the drawer with a key, picked the lock or undid screws to open the compartment that allowed them to change the memory card. Using headphones, they suppressed the beep the computer makes when it reboots. They say the virus can spread through the memory card, which, when inserted into a different machine, will infect that machine.

The researchers say they received the machine they tested from someone who wants to remain anonymous.

"You have to be a good programmer — not a genius — to do this," Halderman said. "I believe a good programmer could reproduce our virus without very much effort."

"Analysis of the machine...shows that it is vulnerable to extremely serious attacks," the report states. "An attacker who gets physical access to a machine or its removable memory card for as little as a minute could install malicious code."

Diebold Election Systems president Dave Byrd said that the research was done with security software that was two generations old.

"By any standard--academic or common sense--the study is unrealistic and inaccurate," he said in a statement.

"Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit. A virus was introduced to a machine that is never attached to a network."

"Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day,"

"That's what they were saying a few years ago," said Halderman. He said he would very much like to study Diebold's newer machines and software. "We expect and fear, unfortunately, that if we were to examine the newer version of the software, we could find similar problems."