In May 2007, California Secretary of State Debra Bowen commissioned a “top-to-bottom” review of electronic voting systems used in the state. In late July and early August, she released reports by researchers from UC Davis and UC Berkeley who evaluated three systems from various standpoints.
The review was intended to restore public confidence in the integrity of the electoral process through machines that are secure, accurate, reliable, and accessible, but it did not bring good news.
Security-wise, there’s a Swiss-cheese factor. All three systems, by different manufacturers, had common problems.
David Wagner, M.S. ’99, Ph.D. ’00, the associate professor of computer science who led the Berkeley contingent, said, “The most severe problem we found was the potential for viruses to be introduced into a machine and spread throughout the voting system. In the worst-case scenario, these malicious codes could be used to compromise the votes recorded on the machines’ memory cards or render the machines non-functional on election day.”
Furthermore, Wagner said, “We found flaws that could allow an attacker to defeat all the technological countermeasures in the software. Unfortunately, these vulnerabilities are not trivial implementation bugs that can be patched up. The software just wasn’t designed with fundamental safeguards in place to make them resilient to intrusion.”
The researchers acknowledge that in the real world someone intent on hacking in would need an electronic voting machine in hand to find the security flaws. However, as recent news reports and voter watchdog groups have pointed out, people have bought them on eBay.
The 42 members of the Berkeley and Davis teams included internationally recognized experts in computer science, computer security, electronic voting, law, and public policy — faculty, postdocs, grad students, and experts from industry and other universities.
- UC Berkeley press release
- Also quoting Wagner, on the security flaw that allowed hacking on the iPhone (MIT’s Technology Review article)
(Originally published in eGrad, August 2007)