Princeton Warning on E-Voting Machine Hack Shows Human Touch Can Be a Good Thing

A report released by Princeton University claims an electronic voting machine used in New Jersey can be hacked in 7 minutes. Sequoia, the company that makes the machines, denies the report's conclusions. Still, the Princeton report is a reminder that, sometimes, it's nice to have a set of human eyes go over data.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Sometimes it's better to do things the old-fashioned way-at least partly.

Perhaps that's the lesson to be learned from a report released by Princeton University that outlines security concerns surrounding an electronic voting machine used in New Jersey.

With the U.S. presidential election looming, the report states it is possible to hack the Sequoia AVC Advantage 9.00H DRE (direct-recording electronic) voting machine in 7 minutes by loading fraudulent firmware.

By replacing the Z80 processor chip in the machine or removing one ROM chip from its socket and putting in a new one, a hacker can potentially siphon votes from one candidate and give them to another.

"The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do," the report states. "The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously."

The subject of the voting machines entered the legal arena in 2004, when the Coalition for Peace Action, a Princeton-based civic group, sued the state over its use of the machines. The case was dismissed by the trial court in January 2005 and then reinstated in 2006 by the Appellate Court. While the appeal was pending in the summer of 2005, a bill was passed requiring that any voting system in New Jersey produce a voter-verified paper ballot as of Jan. 1, 2008. The state was given a six-month extension to comply on two occasions.

Twitter, Google and Yahoo tailor Web services for the presidential election. Click here to learn more.

Having a verifiable paper ballot, the report's authors say, is the only way for voters to be safe. A paper record of every vote cast should be generated and be viewable to the voter at the time the vote is cast. Seems logical enough, and such a system would provide an extra check for auditing purposes. However, it also should be noted that no election has ever been overturned in New Jersey due to the machine, and 7 minutes is a rather long window for someone to be left alone with a voting machine.

For its part, Sequoia has responded to the Princeton study with a report of its own, rebutting many of the claims in the Princeton report. Whether or not the Princeton findings are valid, one thing is clear: Going back to the 19th century during election time isn't going to work. As any election worker can tell you, handwritten ballots come with their own set of problems, like misspellings and illegible penmanship.

A print-out of a digital ballot and perhaps some additional security for the sake of chain of custody of the machines-as well as to ensure they are properly stored-seems like a fair trade-off.

"Software independence does not mean that computers (and computerized voting machines) cannot be involved in elections," the Princeton report states. "It means that any calculations done by the computers must be verifiable independently of the computer program. In fact, it is reasonable and often desirable to have computers involved in elections, as long as software independence can be achieved."