Researchers reveal 'extremely serious' vulnerabilities in e-voting machines

September 13, 2006

In a paper published on the Web today, a group of Princeton computer scientists said they created demonstration vote-stealing software that can be installed within a minute on a common electronic voting machine. The software can fraudulently change vote counts without being detected.

"We have created and analyzed the code in the spirit of helping to guide public officials so that they can make wise decisions about how to secure elections," said Edward Felten, the director of the Center for Information Technology Policy, a new center at Princeton University that addresses crucial issues at the intersection of society and computer technology.

The paper appears on the Web site for the Center for Information Technology Policy.

The researchers obtained the machine, a Diebold AccuVote-TS, from a private party in May. They spent the summer analyzing the machine and developing the vote-stealing demonstration.

"We found that the machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces," wrote Felten and his co-authors, graduate students Ariel Feldman and Alex Halderman.

In a 10-minute video on their Web site, the researchers demonstrate how the vote-stealing software works. The video shows the software sabotaging a mock presidential election between George Washington and Benedict Arnold. Arnold is reported as the winner even though Washington gets more votes. (The video is edited from a longer continuously shot video; the long single-shot version will be available for downloading from the center's site as well.)

The researchers also demonstrate how the machines "are susceptible to computer viruses that can spread themselves automatically and invisibly from machine to machine during normal pre- and post-election activity."

Felten said that policy-makers should be concerned about malicious software infecting the Diebold AccuVote-TS and machines like it, from Diebold and other companies. "We studied these machines because they were available to us," the researchers wrote in their Web posting. "If we had gotten access to another kind of machine, we probably would have studied it instead."

Felten said, "There is reason for concern about other machines as well, even though our paper doesn't directly evaluate them. Jurisdictions using these machines should think seriously about finding a backup system in time for the November elections."

Felten, a professor of computer science and public affairs who is known for his groundbreaking work in computer security, said that some of the problems discussed in the paper cannot be fixed without completely redesigning the machine.

Other problems can be fixed by addressing software or electronic procedures. "But time is short before the next election," he said.

According to the researchers' paper, the Diebold machine they examined and another newer version are scheduled to be used in 357 U.S. counties representing nearly 10 percent of all registered voters. About half those counties, including all Maryland and Georgia, will use the exact machine examined by Felten's group.

Felten said that, out of security concerns, the Diebold machine infected with the vote-stealing software has been kept under lock and key in a secret location.

"Unfortunately election fraud has a rich history from ballot stuffing to dead people voting," he said. "We want to make sure this doesn't fall into the wrong hands. We also want to make sure that policy-makers stay a step ahead of those who might create similar software with ill intent."
-end-
Princeton's Center for Information Technology Policy includes members from diverse departments, including computer science, economics, electrical engineering, operations research and financial engineering, sociology and the Woodrow Wilson School of Public and International Affairs.

Princeton University

Related Computer Security Articles from Brightsurf:

UCLA computer scientists set benchmarks to optimize quantum computer performance
Two UCLA computer scientists have shown that existing compilers, which tell quantum computers how to use their circuits to execute quantum programs, inhibit the computers' ability to achieve optimal performance.

Computer-based weather forecast: New algorithm outperforms mainframe computer systems
The exponential growth in computer processing power seen over the past 60 years may soon come to a halt.

Focus on food security and sustainability
The number of malnourished people is increasing worldwide. More than two billion people suffer from a lack of micronutrients.

Eliminating infamous security threats
Speculative memory side-channel attacks like Meltdown and Spectre are security vulnerabilities in computers.

UBC study: Publicizing a firm's security levels may strengthen security over time
New research from the UBC Sauder School of Business has quantified the security levels of more than 1,200 Pan-Asian companies in order to determine whether increased awareness of one's security levels leads to improved defense levels against cybercrime.

Discovery casts dark shadow on computer security
Two international teams of security researchers have uncovered Foreshadow, a new variant of the hardware vulnerability Meltdown announced earlier in the year, that can be exploited to bypass Intel Processors' secure regions to access memory and data.

Shh! Proven security for your secrets
Researchers show the security of their cipher based on chaos theory.

A library for food security
Researchers are uncovering the genome of cowpeas, also known as black-eyed peas, in response to challenging growing conditions and the need for food security.

Bring your own (security) disaster
Bring your own device (BYOD) to work is common practice these days.

'Security fatigue' can cause computer users to feel hopeless and act recklessly
A new study from National Institute of Standards and Technology researchers found that a majority of the typical computer users they interviewed experienced security fatigue -- weariness or reluctance to deal with computer security -- that often leads users to risky computing behavior at work and in their personal lives.

Read More: Computer Security News and Computer Security Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.