Electronic voting system is vulnerable to tampering

July 24, 2003

The software believed to be at the heart of an electronic voting system being marketed for use in elections across the nation has weaknesses that could easily allow someone to cast multiple votes for one candidate, computer security researchers at The Johns Hopkins University have determined.

The researchers reached this conclusion after studying computer code believed to be for Ohio-based Diebold Election Systems' electronic voting equipment. The code, which included modifications made through 2002, was posted anonymously to a public Web site earlier this year. During 2002, approximately 33,000 Diebold voting stations, which allow ballots to be cast via a 15-inch touch-screen monitor, were used in elections in Georgia, California, Kansas and other locations, according to a company news release. On July 21, the company finalized an agreement with the state of Maryland to provide up to $55.6 million in touch-screen voting technology and related services.

But after analyzing tens of thousands of lines of programming code purportedly used to make this electronic voting system work, three researchers from the Information Security Institute at Johns Hopkins, aided by a computer scientist at Rice University in Houston, have expressed serious concerns about the voting system. The researchers said they uncovered vulnerabilities in the system that could be exploited by an individual or group intent on tampering with election results. In particular, they pointed to the use of a "smart card," containing a tiny computer chip, that each eligible voter receives. The card, inserted into the electronic voting machine, is designed to ensure that each person casts only one ballot. But the researchers believe a voter could hide a specially programmed counterfeit card in a pocket, withdraw it inside the booth and use it to cast multiple votes for a single candidate.

"A 15-year-old computer enthusiast could make these counterfeit cards in a garage and sell them," said Avi Rubin, technical director of the Information Security Institute at Johns Hopkins and one of the researchers involved in the study. "Then, even an ordinary voter, without knowing anything about computer code, could cast more than one vote for a candidate at a polling place that uses this electronic voting system."

The researchers were quick to note that no evidence exists that anyone has used such tactics to tamper with an election. They chose, however, to make their findings public because of concerns that election fraud will almost certainly occur if weaknesses in the electronic voting system are not addressed before many more jurisdictions move to this method of picking public officials.

The security flaws were discovered this summer after Rubin assigned Adam Stubblefield, 22, and Yoshi Kohno, 25, two computer science doctoral students at the institute, to review the voting software code found on the Web. The students analyzed only those files that were publicly accessible and did not attempt to breach others that were protected by passwords. "Many of the attacks are very simple," Kohno said. "It is unfortunate to find such flaws in a system potentially as important as this one." Stubblefield added, "When people vote in the United States, they have to believe the election is fair."

The researchers, joined by Dan Wallach, an assistant professor of computer science at Rice University, were able to reconstruct the electronic voting terminal in a Johns Hopkins computer lab and detected the security problems. "Even without access to the protected files, we've determined this system is fundamentally flawed," Rubin said. "There will be no easy fix for this."

The issue is important, Rubin said, because problems related to Florida's punch card ballots during the 2000 presidential election have prompted many cities and states to consider computer screen voting systems as a better alternative. But Rubin, who has conducted extensive research into electronic voting and has been tapped to review the security of a federal electronic voting proposal, said the move to high-tech balloting should not be conducted in haste. "People are rushing too quickly to computerize our method of voting before we know how to do it securely," he said.

The researchers have detailed their findings in a technical paper posted at this Web address: http://avirubin.com/vote.pdf

Although the researchers have not independently verified the current or past use of the code by Diebold or that the code they analyzed is actually Diebold code, they stated in their technical paper that "the copyright notices and code legacy information in the code itself are consistent with publicly available systems offered by Diebold and a company it acquired in 2001, Global Election Systems. Also, the code itself compiled and worked as an election system consistent with Diebold's public descriptions of its system."
-end-
THE JOHNS HOPKINS UNIVERSITY
OFFICE OF NEWS AND INFORMATION
3003 N. Charles Street, Suite 100
Baltimore, Maryland 21218-3843
Phone: 410-516-7160 / Fax: 410-516-5251

Rice University Media Contact:
Terry Shepard
713-348-6280
tshepard@rice.edu

Color photos of the Johns Hopkins researchers available; Contact Phil Sneiderman.

Related Links:
Information Security Institute at Johns Hopkins: http://www.jhuisi.jhu.edu
Avi Rubin's Web Page: http://www.avirubin.com
