It’s still child’s play to pick apart election systems that will be used in the 2020 US presidential election, as ethical hackers did, once again, over the course of two and a half days at the Voting Village corner of the DefCon 27 security conference in August.
The results are sobering. This is the third year they’ve been at it, and security is still abysmal.
On Thursday, Voting Village organizers went to Capitol Hill to release their findings, in an event attended by election security funding boosters Sen. Ron Wyden and Rep. Jackie Speier.
In a nutshell: in August, hackers easily compromised every single one of the more than 100 machines to which they were given access, many with what they called “trivial attacks” that required “no sophistication or special knowledge on the part of the attacker.” They didn’t get their hands on every flavor of voting system in use in the country, but every one of the machines they compromised is currently certified for use in at least one voting jurisdiction, including direct-recording electronic (DRE) voting machines, electronic poll books, Ballot Marking Devices (BMDs), optical scanners and hybrid systems.
From the Voting Village press release:
In too many cases physical ports remain unprotected, passwords remain unset or left in default configurations and security features of the underlying commercial hardware are left unused or even disabled.
Same old, same old
During the three years that Voting Village has tested voting system security, there’s been no shortage of warnings about the potential for tampering with any election systems connected to the internet or to any network. The state of election non-security is serious enough that the Defense Advanced Research Projects Agency (DARPA) is working on it: it’s hoping to create an electronic voting system that it hopes will prevent tampering with voting machines at the polls.
In 2017, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine at Voting Village. In 2018, an 11-year-old changed election results on a replica of Florida’s state website… in under 10 minutes.
And in 2019, Voting Village participants once again found new ways, or replicated already known techniques, to compromise machines so as to alter vote tallies, change ballots displayed to voters, or tinker with the machines’ internal software.
They did it all with precious little, at that. They didn’t have the resources of a professional lab, and many of the participants were testing systems with which they had no familiarity, working with any tools they could find.
As has been noted by Matt Blaze, a co-founder of the election testing project and a Georgetown University cryptography professor, the meager resources of the Voting Village – a tiny room and eBay – are readily available to foreign adversaries or anyone who seeks to subvert elections:
We bought a bunch of surplus voting machines on eBay and put them in a room. I believe many of our foreign adversaries already have eBay capability, so perhaps it would be prudent to use election equipment that can withstand eBay-based threats. https://t.co/SYsVEH2etX— matt blaze (@mattblaze) August 27, 2018
With scant resources, the participants found that in most cases, the vulnerabilities could be exploited surreptitiously, via exposed external interfaces accessible to voters, precinct poll workers or to anybody who has brief physical access to the machines. Many of the machines also have vulnerabilities that leave them persistently open to threats over the long term:
In particular, many vectors for so-called “Advanced Persistent Threat (APT)” attacks continue to be found or replicated. This means that an attack that could compromise an entire jurisdiction could be injected in any of multiple places during the lifetime of the system.
Not surprising, but disappointing
The Voting Village report notes that none of this is surprising, but the results are disappointing, given that we’ve known about many of the specific vulnerabilities for over a decade.
As the Washington Post reports, lawmakers who are pressing legislation to get more funding for election security embraced the results, promising to use them to make it personal for every sitting member of Congress. The newspaper quoted Rep. Speier:
The best way we can make the case is by scaring the living bejesus out of every member of Congress that the system can be fixed against them.
Sen. Wyden, a major backer of boosting election security funding and a lawmaker who chimes in on all things cybersecurity, said the results prove that it’s “basically a piece of cake for a relatively savvy hacker to compromise an election and alter votes.”
What would fix this?
Voting system security experts say the only real fix is paper ballots. Or, to be more precise, there’s an urgent need to ensure that there’s a paper trail for every vote. With solely digital voting machines, there’s no way to audit the results.
But as Blaze has repeatedly emphasized, paper ballots can’t fix this on their own. They have to be backed up with rigorous post-election audits:
Why? Because even the most rigorously voter-verified paper ballots don't help if the process that uses them is compromised. Risk Limiting Audits can confirm that the election outcome is correct, but only if we actually conduct them.— matt blaze (@mattblaze) September 27, 2019
There’s a slew of bills seeking to secure elections, but they’re being blocked by Senate Majority Leader Mitch McConnell. Some of the bills would mandate the fixes recommended by Blaze and other security experts … in exchange for cash.
As the Post reports, McConnell recently endorsed delivering an additional $250 million in federal money to state election officials, but it’s a far cry less than the $600 million Democrats are looking for, and his proposal lacks mandates about how states must spend the money.