For example, Alex Halderman, a researcher at the University of Michigan, and a colleague at Princeton University hacked into a paperless touch-screen voting machine in 2010 and installed the video game Pac-Man. That lab exercise took three afternoons but did not break any tamper-proof seals and left no traces.
Similarly, he and Princeton researchers in 2006 demonstrated that if someone could get a few minutes’ unattended access to a paperless machine, that person could install a software virus that could spread to other machines and switch those machines’ votes before deleting all traces of itself.
In fact, Dr. Halderman quips, he has a paperless e-voting machine in his office now. It plays the University of Michigan fight song “on command because I hacked it," he says.
Such exploits have not gone unnoticed. States rushed to adopt e-voting machines after the contentious 2000 presidential vote recount in Florida, but now they are backpedaling. All but 17 have already mandated a return to paper ballots or paper verification for e-voting, including electronic optical scan or other equipment. Other states, like Florida, have gotten rid of most, but not quite all, paperless voting machines. Yet other battleground states, like Pennsylvania and Virginia, continue to use the vulnerable machines widely.
Some of the security improvements states are taking are obvious. In past years, poll workers were sometimes sent home with voting machines they were to set up the next day. But because access to a machine for even a minute can be enough to modify software, these "sleepover" practices have been largely abandoned, voting machine experts say.
Moreover, machines once sitting unmonitored in school gymnasium closets are today stored in locked rooms with surveillance equipment watching them, say officials in some states. Local officials also conduct pre- and postelection audits to check the accuracy of machines.