California’s e-voting systems are full of holes

Public hearing today will discuss security flaws

Democracy has taken another blow in the US where a team of investigators has found fundamental security flaws in all the e-voting systems it tested in California.

The tests were carried out over the last two months as part of a review of e-voting by California Secretary of State Debra Bowen.

According to the Californian government website the review was “designed to restore the public's confidence in the integrity of the electoral process and … ensure that California’s voters are being asked to cast their ballots on machines that are secure, accurate, reliable, and accessible.”

But it has achieved exactly the opposite.

A public hearing on the report is being held today in the State capital, Sacremento.

The team of investigators, led by Matt Bishop from the Davis University of California, concluded that “the security mechanisms provided for all systems analysed were inadequate to ensure accuracy and integrity of the election results.”

Bishop’s team was able to forge voter cards and manipulate counts from voting terminals and even the reports from servers which aggregate results. They found terminals and servers where they could overwrite firmware, run malicious code and even undo screws on protective locks to gain access to the innards of voting machines.

“Many of the components tested appear to have been hardened by taking their basic design and adding security features,” Bishop reported. “As a result, the testers were able to exploit inconsistencies between the protective mechanisms and that which they were intended to protect.”

The systems tested were supplied by Sequoia, Diebold and Hart InterCivic. Systems supplied by Election Systems and Software arrived too late to test.

Bishop said his researchers were impeded in obtaining sufficient security data to carry out their tests and recommends in his report that in future all vendors be compelled to provide all the source code and documentation for their systems before testing commences.

“All team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities,” reported Bishop.