Voting machine hacks

By: - October 6, 2020 4:03 pm
computer screen with ones and zeros, spelling out word "election"

Election hacking (image by 400tmax | iStock / Getty Images Plus)

This is the third in a series of stories looking at voters’ concerns and voting issues in the 2020 election.

There is no evidence, despite partisan claims to the contrary, that mail-in ballots are rife with voting fraud — but there are parts of the election system that security researchers say are at far greater risk for malicious activity.

National elections like the one in November, when Americans will decide whether Donald Trump or Joe Biden will lead the country for the next four years, are really thousands of smaller elections administered by state and county governments. And each of those governments has its own procedures for ensuring ballot and information security, and for purchasing, maintaining and testing the equipment that it uses to conduct its election.

For instance, even though more than 30 states allow overseas voters to cast their ballots by email, fax or through other electronic means, there are no standards for even basic security measures like encryption.

“Encryption? We don’t do that,” Cochise County Recorder David Stevens told Arizona Mirror about the ballots his office accepts by email. “We probably should.” 

The Cochise County Recorder’s Office accepts only federal ballots — not those with state or local contests — via email, Stevens said, and only in specific circumstances, such as voters who are in the military and stationed overseas. 

Most overseas and military voters use a secure online portal provided by the Secretary of State, though some counties told the Mirror that they still accept ballots via fax or email. 

Lax or nonexistent security on those systems, as well as the physical machines used to cast or count ballots, open the door to election hacking.

Hackers and security researchers at the annual DEFCON conference have in recent years made a point of looking at how secure — or insecure — the nation’s voting infrastructure is, known as the DEFCON Voting Village

This year, instead of the hands-on hacking of election machines that have grabbed headlines in years past, the Voting Village focused on in-depth discussions about the integrity and security of our election infrastructure. Among the topics of discussion were the vulnerabilities to election systems presented by fax machines, email voting and more.

Hack the vote

Earlier this month, a Russian newspaper reported that the personal information of 7.5 million Michiganders was posted on a Russian hacker site. It appeared to show their voter identification number and polling places. The paper claimed the site had been hacked in an attempt to solicit money from the U.S. government, but the Michigan Department of State denied a data breach, saying that “public voter information in Michigan and elsewhere is accessible to anyone through a FOIA [Freedom of Information Act] request.”

Voters in other key battleground states, including North Carolina and Florida, were also targeted in the dark web database, as were those in Arkansas, Connecticut and New York. 

While the public is largely inured to news about data breaches because of how frequently they happen, data security — also known as infosec — can be the first line of defense for an organization or a person trying to make sure their data or personal information remains secure. 

That focus on infosec was a big part of DEFCON talk this year by Forrest Senti, director of government and business affairs for the National Cybersecurity Center, and Caleb Gardner, a fellow with Secure the Vote. 

The talk focused on how certain fax machines that are used to accept ballots can present a vulnerability to election offices, with election officials frequently unaware of the security issues stemming from a fax number that is often posted online.

Without proper security, all a hacker would need is the phone number to take over an election official’s fax machine, allowing them to search other computers that are on the same network or install a malicious program to steal documents. 

“Even if you don’t get any ballots through a fax machine, it still represents a vulnerability,” Senti said to the Mirror.

Thirty-one states and the District of Columbia allow voters to return ballots by email and fax, according to the National Conference of State Legislatures

In the 2016 election, 455 ballots were cast by overseas voters in Cochise County, according to data by the United States Election Assistance Commission. That includes votes cast via the county’s un-encrypted email system, faxed or through an online portal run by the Arizona Secretary of State’s Office.

In 2018, some 29,000 ballots were cast across the country by voters overseas using some form of online portal, email or fax, according to the data. 

While Senti and others say this number is not “statistically significant,” the shortcomings pose an outsized risk.

The greater fear is that the ballots themselves could be compromised.

In the DEFCON Voting Village’s 2019 report, hackers and researchers found that voting machines had a number of vulnerabilities. Some had security features turned off when they were shipped, some had voter data easily accessible, some had no passwords set and one even had an unencrypted hard drive.

Several states across the country use those machines.

The ES&S Automark is used in many states to help voters with disabilities mark their ballots. The machines have been in use for years, and the Voting Village found some concerning vulnerabilities.

“Immediate root access to the device was available simply by hitting the Windows key on the keyboard,” the report states. A user who gains root access on the device can see — and potentially change — any files or other systems.

The ES&S Automark obtained by the Voting Village was using software from 2007 and appeared to have last been used in a 2018 special election. The PIN code to replace the firmware on the entire device was listed as “1111.”

But there are no national guidelines for how election officials conduct these sorts of audits or tests on electronic voting devices; instead, it is up to each jurisdiction to develop its own methods of checking the devices.

For example, in Colorado, election officials roll a series of 10-sided die on a webcast in order to generate a random number that determines which machine-tallied election results will be checked for discrepancies.

“These jurisdictions have a lot of autonomy in what they do,” Mattie Gullixson, program manager for Secure the Vote, said. 

Some of the jurisdictions may also not have the manpower needed to institute the changes required to ensure safe election procedures. 

It’s estimated that a nationwide vote by mail effort could cost up to $1.4 billion, compared to $272 million for in-person voting. Localities could get monies from the Help America Vote Act or the CARES Act to offset costs associated with voting this election cycle, but election hacking and its interplay with COVID-19 will present an acute financial impact, according to Gullixson and Senti.

Wisconsin’s security secret: paper ballots

Wisconsin is less vulnerable to hacking than other states, because every vote is cast on a paper ballot, and thus electronic voting machine totals can be checked against a physical record.

“The beauty of Wisconsin’s system is that every vote is backed up with a paper record. There is not purely electronic voting in Wisconsin,” says Reid Magney, public information officer for the Wisconsin Elections Commission. “That allows us to audit the voting equipment after the election to verify its accuracy. No matter what happens, we have a paper record and we have ways to detect problems.”

On election night, as the polls close all over Wisconsin, local elections officials flip their voting machines into “reporting” mode, print out a long paper tape of the local vote tally and read it  aloud. Voters can witness this process, and then go onto their county’s website to verify the numbers.

After every election, state elections officials randomly select 5% of the polling places across the state to conduct hand-count audits. At about 200 polling places, clerks receive a message directing them to recount all the ballots by hand, twice. “And the numbers they come up with have to match the electronic results exactly,” Magney explains. “Our commission won’t certify any results on Dec. 1 until all those audits are completed.”

As for hacking of the state’s voter registration database — the type of hacking conducted by the Russians in 2016 — Wisconsin election officials work closely with cybersecurity experts and the Department of Homeland Security, Magney says.

Every local election clerk who logs into the statewide system is required to use multi-factor authentication. 

“So even if someone were able to steal a user’s credentials — their user name and password — they still wouldn’t have that physical key that you would need to put into your computer to access the system,” says Magney. 

Furthermore, because of the way the system is designed, a break-in in one locality would only give a hacker access to voting records for that locality. 

“So, for example, if someone managed to break into a small city clerk’s office somewhere and got into the system, they couldn’t affect Milwaukee. They couldn’t affect Madison. They could only affect voters that clerk has control over,” Magney explains. 

The Elections Commission aggressively tracks and audits all movement within the system, he adds: “If we start seeing people being deleted or changed we can flag that and we can roll back all those changes.”

Last year, the Elections Commission instituted a requirement that everyone who uses the system must have a computer that meets certain cybersecurity requirements, an up-to-date operating system, and anti-virus software.

Because of the combination of high-tech and old-school protections, “I feel confident that our equipment is safe from hacking,” says Magney. 

“It would literally take the team from Oceans 11 — it would take people with both burglary and advanced hacking skills to get in get out and make changes and not have anything go wrong that would indicate there was a problem,” Magney adds.

“There are people out there who say we are not doing enough; there are other steps we could take,” he concedes. “But when you look at the system in its totality there are too many different layers of security that go around our voting systems to leave it vulnerable.”

Information warfare

Hacking isn’t limited to computer systems: Disinformation from foreign actors is commonly referred to as “social hacking” for its manipulation of social behavior.

“How do you (fight) against messages that say, because of COVID, this voting center has been shut down?” Gullixson said. “Those levels of mis- or disinformation could be one of the stronger negative drivers in people voting this year.”

Gullilxson’s background is in election administration and shortly after the 2016 election, she said that mis- or disinformation led many voters to call the elections office confused, asking questions that were fueled by disinformation circulating on social media.

The FBI and the Cybersecurity and Infrastructure Security Agency has already issued an alert urging Americans to be on the lookout for new websites or changes to existing websites made by foreign or malicious actors with the intention of spreading such misinformation.

“Information warfare has been around as long as warfare has been around,” Gullixson said. 

In fact, in 1985, the Russians started a disinformation campaign dubbed Operation INFEKTION that aimed to make the world believe the United States had created AIDS, a conspiracy theory that is still active today.

So far in 2020, Russian, Chinese and Iranian hackers have been caught by Microsoft in attempts to target both the campaigns of President Donald Trump and former Vice President Joe Biden.

China has also been caught by Facebook using fake accounts to speak on election matters. And just this month, Facebook and Twitter removed dozens of Russian accounts aimed at dissuading left-leaning voters from voting for Biden.

So how does one combat this type of warfare?

It starts with voters.

“There are growing efforts to try to tackle that but it starts with the voter realizing they could be manipulated in that way,” Gullixson said. 

The FBI has shared similar advice, saying that voters should make sure to get their election information from their state and county officials instead of Facebook pages, as they could very well be hacked or fake pages. 

Despite what may seem like a lot of doom and gloom, Gullixson and her colleagues are hopeful that the attention these issues have been getting will help shape policy around voting for the next 15 years for the better.

We just have to make sure we can get through it unscathed, she said. 

Michigan Advance reporter Laina G. Stebbins, Maine Beacon reporter Evan Popp and Colorado Newsline reporter Chase Woodruff contributed to this report. Ruth Conniff contributed reporting from Wisconsin.

Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.

Jerod MacDonald-Evoy
Jerod MacDonald-Evoy

Reporter Jerod MacDonald-Evoy joins the Arizona Mirror from the Arizona Republic, where he spent 4 years covering everything from dark money in politics to Catholic priest sexual abuse scandals. Jerod has also won awards for his documentary films which have covered issues such as religious tolerance and surveillance technology used by police. He brings strong watchdog sensibilities and creative storytelling skills to the Arizona Mirror.