T he democratic process rests on a fair, universally accessible voting system through which all citizens can easily and accurately cast a vote. With the 2000 US presidential election, however, the country got a firsthand look at the results of a flawed voting system, which fueled renewed public interest in voting system reliability. People became especially enchanted by the computer's siren song, so election officials have increasingly examined and adopted voting systems that rely primarily on computers to record and tabulate votes. Much of their attention has centered on direct recording electronic (DRE) voting systems, which completely eliminate paper ballots. DRE voting systems have some inherent advantages over paper-based voting schemes, including a decrease in voter error. If the system's interface has been well designed, for example, it seeks confirmation if the voter fails to cast a vote in a particular race and disallows multiple votes in the same race. DREs also make it possible to accommodate people with different disabilities, helping them vote without human assistance. Unfortunately, recent analyses of one popular vendor's DRE voting system indicated numerous security oversights, 1,2 including • Voters can cast multiple votes without leaving a trace.• Anyone with access to a voting machine can perform administrative actions, including viewing partial results and terminating an election early. • Communications between voting terminals and the central server are not properly encrypted, making it possible for a malicious "man in the middle" to alter communication content.According to analysts, this flawed state is the result of undisciplined software development and a process that failed to encourage developers to anticipate or fix security holes. The closed-source approach to software development, which shielded the source code from public review and comment, only served to delay the necessary scrutiny. Of course, as daily headlines demonstrate, neither a commitment to software security nor an open-source approach to software development prevents software security holes. (For example, see www.cert.org/advisories, which lists security holes that have been discovered in the past year.) Software developers and auditors who follow standard software engineering practices have proven unable to ship bugfree software. In general, producing software free from all security holes is significantly harder than an attacker's goal: to find and exploit a single bug.We recently conducted a project to demonstrate that electronic voting software is not immune from these security concerns. Here, we describe Hack-a-Vote, a simplified DRE voting system that we initially developed to demonstrate how easy it might be to insert a Trojan horse into a voting system. Having accomplished this, we used Hack-aVote in an associated course project, in which student teams implemented their own Trojan horses, then searched the source code for their classmates' malicious code. The Hacka-Vote project revealed the potential damage individu...
