In 2016, I bought two voting machines online for less than $100 apiece. I didn’t even have to search the dark web. I found them on eBay.
Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.
If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, was not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.
My aim in purchasing voting machines was not to undermine our democracy. I’m a security researcher at Symantec who started buying the machines as part of an ongoing effort to identify their vulnerabilities and strengthen election security. In 2016, I was conducting preliminary research for our annual CyberWar Games, a company-wide competition where I design simulations for our employees to hack into. Since it was an election year, I decided to create a scenario incorporating the components of a modern election system. But if I were a malicious actor seeking to disrupt an election, this would be akin to a bank selling its old vault to an aspiring burglar.
I reverse-engineered the machines to understand how they could be manipulated. After removing the internal hard drive, I was able to access the file structure and operating system. Since the machines were not wiped after they were used in the 2012 presidential election, I got a great deal of insight into how the machines store the votes that were cast on them. Within hours, I was able to change the candidates’ names to those of anyone I wanted. When the machine printed out the official record of the votes that were cast, it showed that the candidate name I invented had received the most votes on that particular machine.
This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines—those that were used in the 2016 election—are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones. Our voting machines, billed as “next generation,” and still in use today, are worse than they were before—dispersed, disorganized, and susceptible to manipulation.
To be fair, there has been some progress since the last Presidential election, including the development of internal policies for inspecting the machines for evidence of tampering. But while state and local election systems have been conducting risk assessments, we’ve also seen an 11-year-old successfully hacking a simulated voting website at DefCon, for fun.
A recent in-depth report on voting machine vulnerabilities concluded that a perpetrator would need physical access to the voting machine to exploit it. I concur with that assessment. When I reverse-engineered voting machines in 2016, I noticed that they were using a smart card as a means of authenticating a user and allowing them to vote. There are many documented liabilities in certain types of smart cards in use, from satellite receiver cards to bank chip cards. By using a $15 palm-sized device, my team was able to exploit a smart chip card, allowing us to vote multiple times.
In most parts of the public and private sector, it would be unthinkable that such a sensitive process would be so insecure. Try to imagine a major bank leaving ATMs with known vulnerabilities in service nationwide, or a healthcare provider identifying a problem in how it stores patient data, then leaving it unpatched after public outcry. It just doesn’t fit with our understanding of cybersecurity in 2018.
Those industries are governed by regulations that outline how sensitive information and equipment must be handled. The same common-sense regulations don’t exist for election systems. PCI and HIPAA are great successes that have gone a long way in protecting personally identifiable information and patient health conditions. Somehow, there is no equivalent for the security of voters, their information and, most importantly, the votes they cast.
Since these machines are for sale online, individuals, precincts, or adversaries could buy them, modify them, and put them back online for sale. Envision a scenario in which foreign actors purchased these voting machines. By reverse engineering the machine as I did to exploit its weaknesses, they could compromise a small number of ballot boxes in a particular precinct. That’s the greatest fear of election security researchers: not wholesale flipping of millions of votes, which would be easy to detect, but a small, public breach of security that would sow massive distrust throughout the entire election ecosystem. If anyone can prove that the electoral process can be subverted, even in a small way, repairing the public’s trust will be far costlier than implementing security measures.
I recognize that states are fiercely protective of their rights. But there’s an opportunity here to develop nationwide policies and security protocols that would govern how voting machines are secured. This could be accomplished with input from multiple sectors, in a process similar to the development of the NIST framework—now widely recognized as one of the most comprehensive cybersecurity frameworks in use.
Many of the rules we believe should be put into place are uncomplicated and inexpensive. For starters, we can institute lifecycle management of the components that make up the election system. By simply regulating and monitoring the sale of used voting machines more closely, we would create a huge barrier to bad actors.
The fact that information is stored unencrypted on hard drives simply makes no sense in the current threat environment. That such records can be left unencrypted on devices that are then sold on the open market is malpractice.
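The lifecycle-management and encryption-at-rest points above come down to one check a custodian can run before a machine leaves custody: does its drive still carry readable records? The following is an added example, not the author's code and not the real on-disk format of any voting machine. It scans a raw drive image in fixed-size chunks and classifies each as blank (zero-filled, consistent with a wipe), random-looking (consistent with encryption or a random overwrite), or plaintext (contains long printable runs, as the unencrypted candidate and precinct data described in the article would). The sample image is constructed inline; the chunk size, entropy threshold and record layout are assumptions for the demonstration.

```python
"""Decommissioning check: does a drive image still carry readable records?

Added example (constructed, not a real voting-machine image format). A drive
passes only if every chunk is blank or random-looking; any chunk with readable
text, or with low-entropy structured data, means the device is not sanitized.
"""
import math
import random
import re
from collections import Counter

CHUNK = 4096                 # assumed scan granularity
HIGH_ENTROPY = 7.5           # bits/byte; uniformly random data approaches 8.0
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")  # 16+ printable ASCII bytes


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte of a buffer (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_chunk(chunk: bytes) -> str:
    """Label one chunk: blank, random, plaintext, or other (low-entropy binary)."""
    if not chunk.strip(b"\x00"):
        return "blank"
    if entropy_bits(chunk) >= HIGH_ENTROPY:
        return "random"
    if PRINTABLE_RUN.search(chunk):
        return "plaintext"
    return "other"


def audit_image(image: bytes) -> dict:
    """Count chunk classes and report the first readable run found, if any."""
    classes = Counter()
    first_plaintext = None
    for offset in range(0, len(image), CHUNK):
        chunk = image[offset:offset + CHUNK]
        label = classify_chunk(chunk)
        classes[label] += 1
        if label == "plaintext" and first_plaintext is None:
            m = PRINTABLE_RUN.search(chunk)
            first_plaintext = (offset + m.start(), m.group().decode("ascii"))
    return {
        "chunks": dict(classes),
        # Only blank or random-looking chunks are acceptable on a drive leaving custody.
        "sanitized": set(classes) <= {"blank", "random"},
        "first_plaintext": first_plaintext,
    }


def build_sample_image() -> bytes:
    """Constructed test image: one blank chunk, one random-looking chunk, then an
    unencrypted record of the kind the article describes (constructed layout)."""
    rng = random.Random(2018)
    blank = bytes(CHUNK)
    random_part = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    record = (b"PRECINCT=12|CANDIDATE=Jane Doe|VOTES=317\n" * 100)[:CHUNK]
    return blank + random_part + record


if __name__ == "__main__":
    result = audit_image(build_sample_image())
    print("chunk classes:", result["chunks"])
    print("sanitized:", result["sanitized"])
    if result["first_plaintext"]:
        offset, text = result["first_plaintext"]
        print(f"readable data at offset {offset}: {text!r}")
```

In practice the image would be read from the device in chunks rather than loaded whole, and a "random" verdict only shows that nothing readable remains; it does not by itself prove the drive was encrypted rather than overwritten. A blank or random result is the condition a surplus-sale process should require before a machine is released.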
Finally, we must educate our poll workers and voters to be aware of suspicious behavior. One vulnerability we uncovered is the chip card used in electronic voting machines to authenticate voters. This inexpensive card can be purchased for $15 and programmed with simple code that allows the user to vote multiple times. This is something that we believe could be avoided with well-trained, alert poll workers.
Time and effort are our main obstacles to better policies. When it comes to securing our elections, that’s a low bar. We must do better; the alternative is too scary to consider in our current environment. Through increased training, public policy, and a little common sense, we can greatly enhance the security and integrity of our electoral process.