The state of Ohio has released a comprehensive study of voting machine security and the report will have you longing for paper.
A 334-page PDF report from the Ohio Secretary of State reveals insufficient security, poor implementation of security technology, lax auditing and shoddy software maintenance. The report, which covers voting systems from Election Systems and Software (ES&S), Hart InterCivic and Premier Election Solutions formerly known as Diebold, was conducted by Ohio's EVEREST (Evaluation and Validation of Election-Related Equipment, Standards and Testing) initiative in conjunction with research teams from Penn State, University of Pennsylvania and WebWise Security.
The EVEREST report was released Dec. 7 and I found it via Slashdot. Overall, the report really raises questions about election systems. Buffer overflows, leaky encryption, audit problems and firmware issues abound. One machine, the M100, from ES&S accepts counterfeit ballots. The Premier AV-TSX allows an unauthenticated user to read or tamper with its memory. The Hart EMS has audit logs that can be erased.
In fact, the first 17 pages of the report--essentially the table of contents--is an indictment of these systems. To make matters worse, these machines don't run constantly. That means malicious software could be planted and not turn up until election time. These machines aren't patched regularly either.
The report is too massive to detail completely here, but at a high level here are the takeaways from the EVEREST report:
Why would these machines be so enticing as a target? You could swing an entire election, produce incorrect results, block groups of voters, cast doubt on an election or delay results. And it may not take a brain surgeon to alter these systems. The EVEREST teams reported that they were able to subvert every voting system and not be detected "within a few weeks." Meanwhile, the EVEREST teams found the issues with only limited access since vendors weren't exactly cooperative (Section 2.4 of the PDF has the details).
The researchers say:
Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact.
As for the attackers, EVEREST ranks the following folks in ascending order of capabilities:
Add it up and any hack the vote opportunities will most likely be an inside job of some sort. The attacks may or may not be detectable.