Hack the Vote! Electronic Voting Systems and Democracy in the 21st Century

This being an election year, I got to thinking about the security (or lack thereof) of our electronic voting machines.  I'm talking about security from malicious hardware/software designed to change election results...

Okay, so the story actually starts with an automated error email I received from one of the websites we host.  I usually get those when somebody (or, more often than not, some bot) attempts to access a page in a manner inconsistent with what the page is expecting (think SQL Injection Attack - don't worry, our code is designed to prevent those).  Occasionally, some computer science student somewhere will be working on their own benign web crawler that manages to do something it shouldn't, and when that causes a page to throw an error, I'll get those emails as well.

Being in the mood to peruse the error messages that came in overnight while I drank my morning coffee, I noticed one from a crawler with the following user agent:

UCSB? I thought. That's my alma mater, the University of California, Santa Barbara. Somebody in the computer science department is crawling our web sites. Intriguing.

I followed the link back to Marco Cova. It turns out that he's a graduate student there, working in the Computer Security Group.  After looking through a few of his blog posts, I found one from about a month ago on the topic of the security of the Sequoia electronic voting machines in California.  It pointed out how easy it would be to infect a machine with various types of malware to alter the voting results, even the so-called paper trail, and how the infected machines pass the tests to verify the sanctity of the software because both the software and checksum have been altered.  As if that all wasn't bad enough, the malicious software is shown to be capable of spreading itself from one machine to another because of the mechanism used to initialize the voting smart cards.

What about Maryland's voting machines?  In this state, we use AccuVote-TS devices developed by Premier Election Solutions (formerly Diebold Election Systems).  Unfortunately, these machines are also highly susceptible to malicious code injection and other ways of rigging the vote, as a security analysis by a team at Princeton University determined.

Viral adjustment of voting records, electronic log changes, modified paper trail results, a fraudulent vote count that looks real...  This is scary stuff that tears at the very fabric of Democracy.  A political candidate with enough resources and no sense of ethics could hire a couple of equally shady programmers and a handful of ground troops to infect voting machines in key demographics, rigging an election in their favor.  It wouldn't take a lot of people, just a few smart people with the right resources.  With malicious code that can pass verification tests, alter log results, and even adjust the printed results accordingly, there is not way of going back and reconstructing the legitimate results of an election.

Welcome to Democracy in the 21st century.  What now?