Electronic voting machines from Diebold Inc. have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented Thursday to Maryland state legislators.
Authors of the report _ the first hands-on attempt to hack Diebold voting machine systems under conditions found during an election _ were careful to say that the machines, if not hacked, count votes correctly.
And they said that vulnerabilities discovered in the exercise could be addressed in a preliminary way in time for the state's primaries in March.
"I don't want to beat people up," said Michael Wertheimer, a security expert for RABA Technologies, a consulting firm in Columbia, Md. "I want to get an election that people can feel good about in March."
Further steps could be taken to ensure a safe general election in November, the report concludes. But ultimately, the report said, Diebold election software has to be rewritten to meet industry security standards, and that limited use of paper receipts to verify voting will be necessary.
A representative of Diebold stressed the positive elements of the report. "There is nothing that has not been, or can't be, mitigated" before the election, said David Bear, a spokesman for the company.
In a statement released Thursday, Bob Urosevich, president of Diebold Election Systems Inc., said that this report and another by Science Applications International Corp. "confirm the accuracy and security of Maryland's voting procedures and our voting systems as they exist today."
Maryland has bought more than $55-million worth of the machines. Georgia has chosen Diebold for elections statewide, and the company has been chosen by populous counties in California and Ohio, among other states.
The authors of the report said that they had expected a higher degree of security. "We were genuinely surprised at the basic level of the exploits" that allowed tampering, said Wertheimer, a former security expert for the National Security Agency.
The new report supports the findings of a controversial study released last July that found Diebold software lacks the level of security necessary to safeguard the election process. The analysis of voting machine software by academic security experts at Johns Hopkins and Rice Universities found serious security problems. Diebold stated that the code used by the researchers, which had been taken from a company Internet site and circulated online, was outdated. A subsequent report by the Science Applications International Corp. found some similar problems.
Aviel D. Rubin, who led the Johns Hopkins effort, said, "If our report was unable to convince Maryland that the Diebold machines were vulnerable, then surely this work will set them straight."
The latest study found that some issues discovered last July in the Hopkins study had not, in fact, been corrected, and discussed other issues that had not been discovered in other reviews of Diebold products that it found equally troubling.