Free elections are a hallmark of a democratic republic such as the United States. But in this digital age, concerns have been raised about the accuracy of vote machines based on how easy they are to hack.
A year ago, at the 2018 DEFCON, the world’s largest convention for hackers, held in Las Vegas, Nevada, Rachel Tobac broadcast a video she recorded showing how she got admin access in less than two minutes on the same type of machine used by 18 states in their elections. The simple procedure required no tools.
One detail overlooked by Tobac was the fact that most vote centers use numbered and color-coded tamper-proof seals that are logged each time they are removed and a new one substituted. It would be impossible to open the voting machine, as demonstrated in the DEFCON video, without breaking multiple security seals.
Still, this detail isn’t all that reassuring. And there are other ways to alter a computer’s programming or change stored data – election results, for example.
Another scary story from DEFCON came from their youth camp-in-a-conference called rootz, for attendees’ children to learn how to pick locks, hack smart TVs, and break into computer systems.
In 2018, an 11-year-old girl compromised a facsimile website hosted by one of 13 battleground states in 10 minutes! – and she was only the first of many capable children to overcome security measures guarding state election websites that rotated every 30 minutes. It took other campers less than 15 minutes to hack into whichever online state election platform was being tested at the time.
One convention participant who wrote about the incident observed:
“At the point I arrived in the room, the website for the state of Colorado was being projected on the wall, declaring that the candidate for the ‘Comnnunism’ party, Kim Jong-un, had won the state’s election with one quadrillion votes. (The runner-up, the rapper Lil Pump, apparently standing for the Democratic party, had just under 46m votes.)”
The year before, at the 2017 DEFCON, 30 computerized ballot boxes used in U.S. elections were set up to simulate a national White House runoff. Within an hour and a half, hacker attendees had broken into a voting machine wirelessly, exploiting a poorly-secured WiFi shared network connection, and exposed “an embarrassing low level of security” in the test.
Jake Braun, a former White House liaison on cybersecurity, and some other volunteer IT professionals have tested the national voting infrastructure for the past two years at DEFCON in their Voting Village. Braun said:
“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how.”
The test machines at DEFCON came from eBay or were purchased at a government auction. Several well-known equipment brands such as Diebold, Sequoia, and Winvote, were assessed by some very sophisticated computer compromisers.
From outdated software to “physical ports open that could be used to install malicious software to tamper with votes,” these vote machines were puny in their ability to ward off intruders of any age, young, old or in-between.
On August 13, 2018, a professor of computer science and engineering at the University of Michigan named J. Alex Halderman gave a live demonstration at the EmTech conference sponsored by MIT Technology Review. The educator’s test subject was an AccuVote TSX machine which he had on stage with him.
Three volunteers operated the machine to conduct a mock election between George Washington and Benedict Arnold. Here’s what happened:
“Cameras pointing at the screen and projected above the stage showed the three voters casting their ballots for Washington. Yet when Halderman printed the returns from the machine, the reported result was a two-to-one victory for Arnold.”
Halderman had altered the ballot programming by tampering with the physical memory card, the holy-of-holies handled only by certain vote center officials in a strict chain of custody. The professor had installed malicious software to change the votes – steal them, in effect – long before the voters showed up.
The AccuVote TSX machine is used in 18 states.
Voter registration databases and the digital devices used to check in voters at vote centers are also big targets for hackers who want to interfere with an election.
Ron Rivest, Institute Professor at MIT, said the solution to safeguarding computerized elections is simple: get rid of the computers and go back to the old-fashioned paper ballots that served Americans so well for so long:
“We need paper verifiable ballots, no internet voting, and we need to ensure we can audit ballots properly. Some kind of paper trail the voter can use to verify their vote is very important.”
National legislation to bolster election security called the Secure Elections Act is under congressional review and would force states to set up election audit processes and accountable paper trails.
In a move forward rather than back, West Virginia used mobile blockchain voting in a midterm election. The results were successful enough that the state plans to use blockchain technology in the 2020 national race.
Given the deplorable state of vote machine and state election website security, it’s clear that all U.S. states and territories need to hire some hackers to reveal the fatal flaws in their election systems. Only then can suitable solutions be put in place to ensure fair and honest voter results.