With only eight days to go until the presidential election, Princeton University has reported that one of the types of e-voting machines used in New Jersey and other states has serious security flaws. In fact, according to the researchers, in only seven minutes, a hacker can load fraudulent firmware onto the Sequoia AVC Advantage 9.00H DRE Voting Machine—causing votes to be changed from one candidate to another.
The study found that by prying one ROM chip from its socket and pushing a new one in, or by replacing the Z80 processor chip, votes could be altered. In addition, the chip can be programmed to run only on Election Day, thereby eluding detection during equipment tests.
"Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges," the report states. There are no paper audit trails on this machine; all electronic records of the votes are under control of the firmware.
The report recommends a system that incorporates "software independence"—votes would be auditable independent of the behavior of any computer software. The only currently available technology that combines computer technology with software independence is the voter-verified paper ballot. An individual paper record of each vote cast is seen and verified by the voter at the time the vote is cast. That vote is then collected in a ballot box so that it can be recounted by hand if necessary.
The researchers found that anyone with undergraduate training in computer science could hack these machines. In addition, they reported that the tampering could also be done by reverse-engineering the firmware and that a hacker does not need full access to the source code to do so.
Sequoia is vigorously defending the machine's capabilities. Simple, established, and previously used accuracy and security protections, which the manufacturer claims were removed from the Advantages studied in the report, make the items in the report "next to impossible," said Edwin Smith, Vice President of Compliance and Fulfillment for Sequoia Voting Systems.
Sequoia released a report of its own, in which it noted that the Princeton team evaluated the AVC Advantage against inappropriate standards.
"For example, the academics declare that the Advantage 'must be correct in all circumstances,' without explaining that nothing can meet this standard -- not mechanical systems, not electronic systems, and not human systems," according to the Sequoia report.
