For decade-old flaws in voting machines, no quick fix
LAS VEGAS—Hackers rocked the voting machines this summer.
On July 28, at the first DefCon “village” dedicated to exposing weaknesses in electronic voting machines—and the first coordinated, research-based assault on EVMs in the United States since 2007—it took visitors just 80 minutes to hack the first machine.
The hackers proceeded to find and penetrate multiple security vulnerabilities in each of the village’s 20 machines, representing five voting machine models, calling into question how secure machine-assisted elections are.
Rep. Will Hurd (R-Texas) and Rep. Jim Langevin (D-R.I.), two of Congress’ senior cybersecurity experts, visited the village and later told hackers that they were “surprised” by how easy it was to hack voting machines. Langevin promised during the first on-stage appearance of sitting Congressmen at DefCon that when they return to Washington, D.C., “this is going to be a primary topic of conversation.”
Experts say addressing the types of vulnerabilities hackers uncovered at DefCon—and plugging related holes across the United States’ election systems—would require a far more complex process than patching outdated software. It would also require years of concentrated work.
Most Americans today encounter some form of EVM at the polling station. According to Pew Research Center, districts serving 75 percent of American voters in the 2016 presidential election used either optical-scan ballots or direct-recording electronic touch-screen voting machines.
Matt Blaze wasn’t surprised at how fast the hacking village’s voting machines, models from AVS WinVote, Diebold, AccuVote, ES&S iVotronic, and Sequoia AVC Edge, fell victim to visitors. What did surprise Blaze, a professor at the University of Pennsylvania specializing in cryptography and voting-machines, was how effective basic hacking methods were in penetrating them.
“We knew all of these machines had been studied by experts before, and we knew that they were exploitable. What we didn’t know was how quickly somebody with just general computer security skills and reverse-engineering skills, given access to them, would be able to actually carry out exploitation,” Blaze says.
No single hack worked on all the machines, though a number of machines fell victim because municipalities that had used them didn’t change the default password, which, like some consumer devices, was sometimes hard-coded into the machine itself. Other machines had exposed USB ports through which a hacker with physical proximity could access and alter votes, or load malicious software.
Hackers remotely accessed a WinVote machine and others, thanks to poorly secured Wi-Fi. They also found a memory card with the personal information of more than 650,000 voters from Shelby County, Tenn., in an Express ePollBook machine that DefCon organizers had purchased via eBay for $50.
Some of these vulnerabilities are a decade old, says Harri Hursti, who has been investigating security flaws in voting machines since at least 2005, when he hacked into a Diebold voting machine to demonstrate that he could change votes.
“Almost everything we have discovered or published in the last 10 years is still there,” Hursti says.
One reason for the lack of progress: EVM security research only became legally protected in 2015, when Congress passed an exemption to the Digital Millenium Copyright Act granted specifically for voting machines. That exemption expires next year.
Another reason: To this day, EVM vendors refuse to cooperate with independent, scientific research into their products’ vulnerabilities. They declined to participate in the DefCon village or to comment for this story.
DefCon, for its part, only began planning its hacking village a few months ago, as last year’s presidential election fueled national concerns over voting-machine manipulation and incomplete vote recounts.
“This isn’t going to be an overnight fix,” says Margaret MacAlpine, an election audit specialist and founding partner at Nordic Innovation Labs. But “there’s optimism about fixing these things and, hopefully, doing so in the next decade.”
Following the DefCon hacks, security researchers are looking into comprehensive ways to address vulnerabilities in America’s voting process, including using recounts to verify a lack of tampering. Their proposals thus far involve a complex array of stakeholders, from the legal and political to the technological and even free-market enterprise.
Like efforts to address climate change, the first step in addressing election system vulnerabilities might just be educating—and convincing—those with influence that they exist.
The election industry hasn’t realized that voting machines are vulnerable and hackable, says Jake Braun, CEO of security consulting firm Cambridge Global Advisors and an Obama White House liaison to the Department of Homeland Security. Braun organized the EVM hacking village with former U.S. ambassador and deputy National Security Advisor Douglas Lute.
Some EVM vendors, Braun says, “make ridiculous comments that other industries used to make years ago, but don’t anymore—like that things aren’t hackable, or a database is air-gapped, so therefore, you can’t hack it.”
Lute says states shouldn’t protect these companies.
“If 2016 is replicated in 2018 and 2020, America loses credibility in its whole process. It could result in a suppression of vote turnout,” he says. Given that the Help America Vote Act of 2002 has made billions of dollars available to assist states in replacing voting machines, he’s “not concerned with company A or B.”
Following the results of Hursti’s hack in 2005, and research conducted at the University of California at Berkeley in 2007, California began to move away from EVMs and back toward optically scanned paper ballots. While some states, including Colorado, have followed suit, at least five others use EVMs that don’t even print out an auditable paper record of votes.
“It’s very possible to replace [a current] nonmathematical, nonscientific, and also not really forensically valuable auditing system with risk-limiting audits, which take all that into account, and are fairly low on labor and cost.”—Margaret MacAlpine, election audit specialist and founding partner, Nordic Innovation Labs
In addition to addressing vulnerabilities in EVMs, those intent on securing elections should conduct mathematically verified audits, say six experts we spoke with for this story. They say machine vote tallies need to be backed by post-election risk-limiting audits, a type of hand-counted voting audit that starts with a sample size dependent on the margin of victory.
The smaller the margin, the larger the sample size. If there are few differences between the recorded vote and the audit, the audit stops. If there are big discrepancies, however, the audit is expanded and can even include a full hand recount of the votes cast.
“I’m strongly advocating strong audit laws,” Hursti says. States and municipalities should “audit every race, every time—or at least [conduct] random audits, allowing us to capture anything that was wrong.”
MacAlpine says “risk-limiting audits aren’t that much of a big imposition,” as many states already require audits when an election is decided with less than a 3 percent margin of victory. “It’s very possible to replace [a current] nonmathematical, nonscientific, and also not really forensically valuable auditing system with risk-limiting audits, which take all that into account, and are fairly low on labor and cost.”
The patchwork of election laws across the nation—delegated to the states by the Constitution—will make it hard to implement not only voting-machine fixes, but also the kinds of risk-based audits that experts are clamoring for. They’re not hopeful that changes will be made in any U.S. municipality before the 2018 election, when most of Congress is up for re-election.
Joseph Lorenzo Hall, who worked on the California review of voting machines in 2007, says he’s hoping that by 2018, California will “have at least one county that’s using what I call ballot-level risk-limiting audits,” which would require voting machines to uniquely mark printed votes, to make them easier to track.
“That’s a low bar,” says Hall, now chief technologist for the Center for Democracy and Technology. “It may be forever to get all these things comprehensively adopted, because we don’t have a way of mandating much from the federal level down.”
Updated on August 12 to clarify the number of machines and models present in the EVM hacking village. There were 20 machines across five models.