Hack the Vote: Vulnerabilities in Today’s Voting Infrastructure
As November approaches, it’s hard to ignore the constant buzz of stories surrounding the midterm elections. Political parties, media, and celebrities alike are going to great lengths to urge potential voters to get to the polls this year. But woven into those empowering pleas are also warnings that attackers are plotting–or are already deploying–ways to disrupt the voting process and outcomes. With several tight races in swing districts across the U.S., both parties have a vested interest in seeing that this year’s election results are fair and accurate.
We are long past tampered voting systems being an possibility and are firmly planted in that reality. The Voting Village at this year’s DEFCON in Las Vegas, proved that many of the voting machines and voter management systems in use across the U.S. are susceptible to a variety of attacks. Let’s look at the types of vulnerabilities our voting stations are facing this fall and why they are facing these challenges in the first place.
Precincts manage their voter lists via digital systems, which leave this sensitive data open to numerous attacks such as distributed denial-of-service (DDoS). But the potential issues aren’t limited to just network attacks. Many of these systems reside on old desktop computers that no longer receive regular security patches, making them particularly vulnerable. With little effort, hackers can access a list of registered voters and their corresponding personal data. This information can be used to carry out nefarious acts ranging from modification of existing voter data, the creation of fake registrants to submit completed ballots, the interception of inter-agency communication, to the alteration of voter notifications, times, and locations. While large-scale manipulations are likely to raise some red flags, smaller data manipulations are much harder to spot.
When arriving at assigned precincts, voters are often found in a paper poll book, but in an effort to increase efficiency, many precincts are moving to electronic poll books. These are often tablets or laptops connected to local networks which creates another target for hackers who can access these machines with the intent of shutting them down, or at least accessing and manipulating the data.
Outdated Software and Hardware
Most polling locations have moved away from strictly using paper ballots and instead use electronic voting machines. Voters now either complete a paper ballot which is scanned to record their preferences or voters log their choices on digital machines that display the ballot option on screen and directly records their selections. While these digital machines sound like a technological advancement, many districts lack funding and are forced to use antiquated, decades-old hardware and software. A recent survey of election officials indicated some districts are using voting machines running on Windows 2000, which has not received support or updates from Microsoft since July 13, 2010 (!). This leaves them vulnerable to attacks like a denial of service that could knock the voting machines offline and leave voters without a way to cast their votes.
We’ve already noted that the lack of security updates increases a system’s vulnerability to an attack, but regular system updates can also present an issue. When machines are connected to the Internet or other machines to install updates, the machine is potentially vulnerable to code injection and other attacks.
Another concern that’s surfaced is the admission by one of the top voting machine manufacturers that a number of their machines came with remote-access software installed. While this manufacturer has since stopped including the software on machines, as we stated above, districts don’t have the funding to purchase new machines and are making do with less-secure inventory. While this feature is helpful for maintenance, if the remote-access methods are outdated or insecure, it represents an opportunity for attackers to create a backdoor to continually re enter and control the voting machine.
Voting machines often transmit final voting results over the internet to a central tabulating computer where the votes tallied. This presents another prime opportunity for hackers to intercept and modify the votes, or in some cases delete them. Since only certain voting machines still produce paper ballots, if digital voting records are altered, there isn’t a backup for comparison.
Looking to the Past to Secure the Future
It may sound all doom and gloom, but there are some positive measures being put into place. There’s been a growing push for states to conduct audits by pulling a statistically significant, but random sample of paper ballots to compare against digital votes and ensure similar results. This is by no means a perfect solution, but if the worst case occurs and discrepancies are discovered, there are paper records. Best case, voters can rest assured that their votes are making a true impact.
Additionally, Congress has recognized the need to secure the election infrastructure and has allocated $380 to upgrade voting technologies, perform audits on election results and increased training for local and state officials.
Now this is only the beginning of the work that needs to be done to protect our voting system and to ensure that elections reflect the voice of the people. If you are interested in helping to solve this evolving problem, consider earning a cybersecurity certification and joining the organizations working to identify potential exploits and security issues before they become a problem.