Diebold Election Systems Inc. electronic voting machines are not secure enough to guarantee a trustworthy election, and an attacker with access to a single machine could disrupt or change the outcome of an election using viruses, according to a review of Diebold's source code.

"The software contains serious design flaws that have led directly to specific vulnerabilities that attackers could exploit to affect election outcomes," read the University of California at Berkeley report, commissioned by the California secretary of State as part of a two-month "top-to-bottom" review of electronic voting systems certified for use in California.

The assessment of Diebold's source code revealed an attacker needs only limited access to compromise an election.

"An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive -- malicious code could spread to every voting machine in polling places and to county election servers," it said.

The report (PDF format), titled "Source Code Review of the Diebold Voting System," was apparently released Thursday, just one day before California Secretary of State Debra Bowen is to decide which machines are certified for use in California's 2008 presidential primary elections.

The source-code review identified four main weaknesses in Diebold's software, including: vulnerabilities that allow an attacker to install malware on the machines, a failure to guarantee the secrecy of ballots, a lack of controls to prevent election workers from tampering with ballots and results, and susceptibility to viruses that could allow attackers to an influence an election.

"A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county's voting machines," the report said. "Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines."

The report warned that a paper trail of votes cast is not sufficient to guarantee the integrity of an election using the machines. "Malicious code might be able to subtly influence close elections, and it could disrupt elections by causing widespread equipment failure on election day," it said.

The source-code review went on to warn that commercial antivirus scanners do not offer adequate protection for the voting machines. "They are not designed to detect virally propagating malicious code that targets voting equipment and voting software," it said.

In conclusion, the report said Diebold's voting machines had not been designed with security as a priority. "For this reason, the safest way to repair the Diebold system is to reengineer it so that it is secure by design," it said.

The Diebold source-code review and several other documents, including a review of source code used in other voting systems, had earlier been withheld from release by the Secretary of State, even as other reports related to the review of voting machines were released on July 27.

An explanation posted on the secretary of State's Web site on July 27 noted that the source-code review and other reports had been submitted on time. "Their reports will be posted as soon as the Secretary of State ensures the reports do not inadvertently disclose security-sensitive information," the Web site said.

The delayed release of the source-code review meant that David Wagner, an associate professor of computer science at the University of California, Berkeley, and an author of the report, was not able to present his findings at a public hearing held on July 30 to discuss the results of the voting system review.