https://arstechnica.com/tech-policy/2020/06/researchers-say-online-voting-tech-used-in-5-states-is-fatally-flawed/
By Timothy B. Lee
Ars Technica
06/10/2020
OmniBallot is election software that is used by dozens of jurisdictions in the
United States. In addition to delivering ballots and helping voters mark them,
it includes an option for online voting. At least three states—West Virginia,
Delaware, and New Jersey—have used the technology or are planning to do so in
an upcoming election. Four local jurisdictions in Oregon and Washington state
use the online voting feature as well. But new research from a pair of computer
scientists, MIT's Michael Specter and the University of Michigan's Alex
Halderman, finds that the software has inadequate security protections,
creating a serious risk to election integrity.
Democracy Live, the company behind OmniBallot, defended its software in an
email response to Ars Technica. "The report did not find any technical
vulnerabilities in OmniBallot," wrote Democracy Live CEO Bryan Finney.
This is true in a sense—the researchers didn't find any major bugs in the
OmniBallot code. But it also misses the point of their analysis. The security
of software not only depends on the software itself but also on the security of
the environment on which the system runs. For example, it's impossible to keep
voting software secure if it runs on a computer infected with malware. And
millions of PCs in the United States are infected with malware.
The issue has particular urgency right now because the ongoing COVID-19
pandemic is forcing election officials to make significant changes to election
procedures. Right now, most jurisdictions using the OmniBallot software don't
use its "electronic ballot delivery" feature. But enabling the feature would
require little more than a configuration change. There's a risk that election
officials, under pressure to make remote voting easier, will decide to enable
the software's online voting feature for this November's general election.
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
