The worst fears about the cybersecurity of voting machines have come true. Hackers have breached databases for election systems in Illinois and Arizona, according to state election and law enforcement officials. And that could be just the beginning.
With equipment worth less than $100, “an 18 year-old high school student could compromise a crucial county election in a pivotal swing state,” states the recently released study from the Institute for Critical Infrastructure Technology (ICIT), a nonprofit think tank that advises decision makers on technology and cybersecurity trends in critical infrastructure sectors such as government, defense, health care, energy, finance, and manufacturing.
The report is in two parts. Hacking Elections is Easy! Part 1: Tactics, Techniques, and Procedures addresses the critical vulnerabilities found in almost every single component of the voting system used in the U.S.
“We expected to find that the vulnerabilities would be limited to a particular system or manufacturer, and that it would be a matter of updating machines with security patches,” Scott told the Rivard Report. “But what we found was frightening. The cyber components were vulnerable and the vulnerabilities extended from the local to the state levels.”
Election security is regulated state by state, mostly according to technical standards developed by the National Institute of Standards and Technology (NIST) and the Election Assistance Commission (EAC). However, these standards are only guidelines and, as such, voluntary. Policies and procedures on voting are decided at the state and sometimes even the county level.
The EAC guidelines recommend that voting systems be tested against security standards. They also warn against connecting voting systems certified by the EAC to the internet because there are countless risks inherent in that connection.
Nine states (Florida, Maine, Montana, Nebraska, New Hampshire, New Jersey, Oklahoma, Oregon, and Vermont) and four territories (American Samoa, Guam, Puerto Rico, and the Virgin Islands) have no federal testing or certification requirements and their statutes and regulations make no reference to standards set by federal agencies, certification programs, or laboratories. Instead, these states rely on state-specific processes to test and approve electronic voting machines.
Findings Detail Multiple Vulnerabilities
What the study's authors found is that many counties lack the cybersecurity knowledge and expertise to follow the guidelines. They also discovered that electronic voting systems are generally in far worse condition than the EAC standards recommend.
Even when voting machine testing is done according to EAC recommendations, it may not detect all types of attacks, especially when some types of malware delete any trace of their presence in a system after a certain amount of time in order to avoid detection.
The ICIT researchers also found that insufficient staffing inadvertently introduced vulnerabilities, as machine testing should ideally be done in observer-tester pairs. Counties that lack personnel oversight are more vulnerable to insiders with access to voting machines.
Once implanted, malware can spread to other voting machines through internal networks. Untrained poll workers may also inadvertently spread malware to other machines through infected removable storage media used on election day.
“Poll workers and election officials are barely, if at all, trained in cybersecurity, and basic cyberhygiene is nonexistent,” Scott said.
Electronic voting machines usually run proprietary (“black-box”) applications, and their operating systems run on embedded or stripped-down PCs. These computers typically have their security and conventional functionality removed by the manufacturers. They can be attacked with the same exploits used against the PCs and operating systems that they are built upon.
However, the “black-box” nature of the proprietary systems means that often neither the state nor security researchers know what code is running and how it can be exploited.
“If an attacker targets the operating system, or if they get a hold of the proprietary code and design an exploit, then it is very likely that an attack would both succeed and go unnoticed,” Scott added.
Despite a decade or more of warnings and demonstrations of vulnerabilities by security researchers, most of the electronic voting systems in use still operate without the security they had in the early 2000s. According to ICIT, the voting systems are neither updated nor patched to address new threats or changes in technology. Voting data is transmitted from the machines either over an open channel or is encrypted with weak algorithms that can be broken easily.
A social engineering attack, where an unsuspecting person clicks on an attachment or link in an innocent-looking email, could introduce malware into the central tabulator or the PC hosting the database in a voting system, granting hackers the access they seek.
“The democratic process is technically vulnerable,” Scott stressed. “We’re sending our troops to risk their lives to defend democracy when the fact is we can’t even preserve it here in our own backyard.”
It may sound like hyperbole, but ICIT’s research elucidates just how grave the reality is. Voting systems as they are configured now could be hacked by numerous unknown adversaries approaching from numerous attack routes.
Bottom line: The black boxes used in voting are a serious vulnerability in our election system.
The next vulnerability resides in the people managing the elections locally, as well as at the state election board.
“They need physical security training and cybersecurity training. They need to recognize social engineering and malicious insider (threats) and know how to recognize the signs on election day. They have to know how to preserve the integrity of that voter data as they send the voting tallies from their location to the state,” Scott said.
The third vulnerability is the physical security of voting machines.
“We found machines are typically stored in church basements, school boiler rooms, or in warehouses, all insufficiently secured locations. Background checks on employees such as the people transporting the machines from the storage rooms to the voting places, or poll workers with access to the machines, are nonexistent or minimal, depending on the state. Every researcher agrees that with unrestricted physical access to an electronic voting system, a malicious adversary can infect the machine in any number of ways, to impact an election.”
The implications for security breaches, which could occur at any point in the process of the voting machines being delivered to the voting location, collected after election day, and stored again, are tremendous.
“There are multiple points of critical vulnerability in the system underpinning voting machines and the data they collect,” Scott said. “At every level of the cyber technical and physical process used in elections, every layer is absolutely and completely riddled with mind-boggling vulnerabilities.”
Could San Antonio's Voting be Hacked?
To find out about the voting process used in San Antonio, the Rivard Report spoke with Bexar County Elections Administrator Jacquelyn Callanen to ask about voting system cybersecurity in Bexar County.
“In the recent hack of voter databases (in Illinois and Arizona), that was a different issue,” Callanen pointed out.
“The voter system and the voter registration database system are two separate systems. There are 254 counties across Texas and 39 counties are offline counties, due to the volume of registrations. Bexar County is one of those using our own proprietary software. We use the Texas Election Administrators Management System. The work done (on voter registration) in San Antonio is on our own servers locally. We then export the (voter registration) data to the state. San Antonio is not networked to the state database.
“I take comfort in the layers of safeguards we have with our voter registration database,” Callanen added.
The Rivard Report then asked Callanen about the voting machines themselves.
“The voting system is a touch screen one and we use paper for mail-in ballots,” she said. “There are 2,843 units in Bexar County and each one is a standalone unit. No machine is networked nor connected to the internet. As you can imagine, it’s a monstrous task to download and upload data for every single voting machine using a 512 megabyte flashcard, but we do this because of the 2002-era machines we’re using.”
Connecting black boxes to the internet would be easier and much less labor intensive. But Callanen agrees that connecting a platform from 2002 to the internet would be too risky, hence the more labor intensive safeguard.
As for sending voter data to the state, the data is collected from individual voting machines and compiled in Bexar County’s encrypted, standalone system.
“When we are ready to report our voting data to the state, we use a secured state portal to send our data,” Callanen explained.
Implications of Voting Cyber(in)security
Scott was adamant about the far-reaching impact of an insecure voting system.
“There is no native security on the electronic voting systems. Many of the machines have been this vulnerable for over a decade. If systems in any other sector were operated with such a long-standing lack of concern for national security, the manufacturers and operators would be considered extremely negligent,” Scott explained.
A good first step would be to upgrade the 2002-era voting machines.
“I think we need to do away with the black boxes used in voting from a technology aspect,” Scott said. “That’s because they are so vulnerable to any adversary who would want to hack it. The lack of transparency into the proprietary systems only weakens security because researchers, regulators, and election officials cannot assure that systems protect the confidentiality, availability, or integrity of election data. The antiquated idea of security through obscurity that manufacturers rely upon is negligent and it does not work.”
The ICIT report is being read widely and not just by U.S. readers. Scott pointed out that most democratic governments are paying attention to the report as well, because the technology and processes are similar across the globe.
“Democracy depends on citizens’ voices being heard and their opinions recognized,” Scott said. “An attacker does not need to succeed to undermine American democracy. They just need to disrupt voters’ trust in the system enough to destabilize the election process. The compromise of a single machine spreads doubt in the entire process and a fear that the results are ‘rigged.’”
The concluding second part of the ICIT study will be released the week of Sept. 5 and will detail the various types of voting machines used across the U.S.
Photo Editor's Note: An image displaying a Bexar County polling location, taken in 2014 without knowledge of the law prohibiting photography within 100 feet of a polling site, has been removed from the body of this article.