Skip to main content

Wired, October 2018

In 2016, I bought two voting machines online for less than $100 apiece. I didn't even have to search the dark web. I found them on eBay.

Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.

If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.

My aim in purchasing voting machines was not to undermine our democracy. I'm a security researcher at Symantec who started buying the machines as part of an ongoing effort to identify their vulnerabilities and strengthen election security. In 2016, I was conducting preliminary research for our annual CyberWar Games, a company-wide competition where I design simulations for our employees to hack into. Since it was an election year, I decided to create a scenario incorporating the components of a modern election system. But if I were a malicious actor seeking to disrupt an election, this would be akin to a bank selling its old vault to an aspiring burglar.

I reverse-engineered the machines to understand how they could be manipulated. After removing the internal hard drive, I was able to access the file structure and operating system. Since the machines were not wiped after they were used in the 2012 presidential election, I got a great deal of insight into how the machines store the votes that were cast on them. Within hours, I was able to change the candidates' names to be that of anyone I wanted. When the machine printed out the official record for the votes that were cast, it showed that the candidate's name I invented had received the most votes on that particular machine.

This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines—those that were used in the 2016 election—are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones. Our voting machines, billed as “next generation,” and still in use today, are worse than they were before—dispersed, disorganized, and susceptible to manipulation.

To be fair, there has been some progress since the last Presidential election, including the development of internal policies for inspecting the machines for evidence of tampering. But while state and local election systems have been conducting risk assessments, we’ve also seen an 11-year-old successfully hacking a simulated voting website at DefCon, for fun.

A recent in-depth report on voting machine vulnerabilities concluded that a perpetrator would need physical access to the voting machine to exploit it. I concur with that assessment. When I reverse-engineered voting machines in 2016, I noticed that they were using a smart card as a means of authenticating a user and allowing them to vote. There are many documented liabilities in certain types of smart cards that are used, from Satellite receiver cards to bank chip cards. By using a $15 palm-sized device, my team was able to exploit a smart chip card, allowing us to vote multiple times.

In most parts of the public and private sector, it would be unthinkable that such a sensitive process would be so insecure. Try to imagine a major bank leaving ATMs with known vulnerabilities in service nationwide, or a healthcare provider identifying a problem in how it stores patient data, then leaving it unpatched after public outcry. It just doesn’t fit with our understanding of cyber security in 2018.

Those industries are governed by regulations that outline how sensitive information and equipment must be handled. The same common-sense regulations don’t exist for election systems. PCI and HIPAA are great successes that have gone a long way in protecting personally identifiable information and patient health conditions. Somehow, there is no corollary for the security of voters, their information and, most importantly, the votes they cast.

Since these machines are for sale online, individuals, precincts, or adversaries could buy them, modify them, and put them back online for sale. Envision a scenario in which foreign actors purchased these voting machines. By reverse engineering the machine like I did to exploit its weaknesses, they could compromise a small number of ballot boxes in a particular precinct. That's the greatest fear of election security researchers: not wholesale flipping of millions of votes, which would be easy to detect, but a small, public breach of security that would sow massive distrust throughout the entire election ecosystem. If anyone can prove that the electoral process can be subverted, even in a small way, repairing the public's trust will be far costlier than implementing security measures. ...
Read full article at Wired