Md. Voting Machines Vulnerable, Firm
Says
By Nelson Hernandez
The "Red Team" members attacked Maryland's
new electronic voting system ruthlessly. They picked locks,
yanked on wires, ripped out monitors and hacked into
central computers. One agent even slipped a rubber
keyboard into his polling booth to do his dirty work.
With cool efficiency, the
computer security professionals did what they were hired to
do: They gained control of the system, corrupting vote
counts and deleting election results.
But the assault on
Maryland's new computerized, touch-screen balloting
machines, manufactured by Diebold Election Systems Inc., was
not real: It had been ordered up by the state Department of
Legislative Services, which hired a consulting firm to
expose vulnerabilities in voting machines that have become
increasingly controversial as the November presidential
election approaches.
Maryland has agreed to
spend $55.6 million on the machines, which face their first
statewide trial in the primary election barely a month away.
Maryland lawmakers learned
the results of the attacks in a report issued yesterday by
the department and the consulting firm, RABA Technologies
LLC. In two hearings, a consultant assured lawmakers the
machines would be "worthy of voter trust" in the March 2
primary, but outlined physical weaknesses and electronic
vulnerabilities that would allow a determined hacker to
corrupt or destroy election results.
Removable memory cards
inside the machine can be tampered with if a lock is picked
or if one of thousands of keys is stolen. If hackers find
the phone number of the central computers used to compile
vote totals, they could easily break into the system and
tamper with results or introduce worms and viruses, said
consultant Michael A. Wertheimer, a former National Security
Agency analyst.
"You are more secure
buying a book from Amazon than you are uploading your
results to a Diebold server," said Wertheimer, recommending
several changes to increase security.
Linda H. Lamone, the
administrator of the Maryland State Board of Elections,
assured lawmakers that the board would comply with many of
the recommendations but said that some of them would be
impossible to put in place before the primary.
"I don't disagree with
what they say -- they're the experts," Lamone said after the
Senate hearing. But, she added, "I think it's a very good
system."
The report clearly rattled
lawmakers and others skeptical of the voting machines.
"Every nightmare scenario we envisioned is coming true,"
said Cheryl Kagan, a former state delegate from Montgomery
County and one of the strongest critics of the technology
when it was being debated by the General Assembly. "We said
Maryland would be a guinea pig, that this was untested
technology, that there would be security problems. We said
we didn't want the state to be on the risky cutting edge.
And here we see a dozen hackers undermine our entire
election process with just a month to fix it."
The legislature is
considering a measure requiring a paper backup to verify
computer vote totals. "I want to have confidence beyond a
reasonable doubt," said Del. Anne R. Kaiser (D-Montgomery).
"How else do we do it?"
The department's audit,
ordered by the House and Senate in October, urged adoption
of a series of security measures to protect the system from
attack, including placing "tamper tape" over locks and
vulnerable parts of the voting machine, and a new policy of
keeping the modems used to transmit vote totals turned off
until they are required.
Lamone welcomed the
recommendation, saying, "We're going to put tamper tape on
everything." But she said another recommendation, that
software patches be applied to the machines to bring them up
to date, would be impossible before March.
Henry Fawell, a spokesman
for Gov. Robert L. Ehrlich Jr., who championed the new
machines, said that "the governor welcomes the additional
input from the legislature. . . . It is absolutely critical
that the State Board of Elections closely monitor the
machines and implement the recommendations."
Maryland officials became
concerned about the voting machines in July after Johns
Hopkins University researchers found numerous problems with
the Diebold software. Ehrlich asked for a review by a
computer science research firm, which suggested several
fixes. Legislators then asked their analysts to conduct
their own study.
Problems have also
surfaced in Virginia, where the machines were first used in
several counties, including Fairfax, in November. On
Election Day, many of the devices crashed in Fairfax,
causing long lines. Some vote totals were not known until
the next day because of glitches in the tallying software.
State election officials conceded that the machines were
certified without a comprehensive security or software
review.
Staff writers Matthew Mosk
and David Cho contributed to this report.