How Secure Is Your Vote?
While a decentralized voting system can safeguard against massive hacking, a small-scale hack in a swing state could be enough to alter an election.
On Nov. 8, millions of Americans will head to the polls to fulfill their end of the democratic bargain. About 179 million eligible voters—including 99.7 percent in key swing states—will have their votes recorded electronically, on a patchwork of aging machines, some of which were engineered in the 1990s.
Most of the machines in use were purchased with funds from the 2002 Help America Vote Act. HAVA allocated $4 billion over four years to help local jurisdictions upgrade their voting systems. The impetus was the “hanging chads” controversy of the 2000 election—when incompletely punched holes were not counted as votes by the tabulating machines in Florida, revealing the shortcomings of paper punch cards.
HAVA created a boom in the voting machine industry, to the extent that today 51 different models of voting machines and ballot scanners are in use across the country.
These machines—designed to last 10–20 years—are reaching their end of life. Hardware has been wearing out, replacement parts are hard to find, and they run on antiquated technology resulting in gaping security holes, both in terms of physical breakdown and threats from hackers.
The Brennan Center for Justice at New York University School of Law conducted a 10-month study, interviewing over 100 specialists and election officials in all 50 states about the state of these machines, and the diagnosis isn’t good. The report repeatedly notes that the situation is already at the point of crisis.
In one quote, Barbara Simons, past president of the Association for Computing Machinery said: “We know that a lot of machines were breaking in the 2012 election. It’s not that it’s an impending crisis. The crisis is already here.”
Machine breakdowns on election day lead to long lines, lost votes, and loss of confidence in the system.
With the rise of electronic voting machines, the threat of cyberattacks from foreign governments, and the potential for system failure—all of which could alter the outcome of an election—those who see the crisis are advocating for change.
Of course there’s no such thing as a bulletproof solution impervious to breakdown or malicious tampering. But in a system where citizens vote to elect their leaders, public trust in the democratic process is paramount.
Aging touch screens could cast your vote for the wrong person
Inaccurate calibration or misalignment of touch screens on voting machines can cause “vote flipping,” whereby the machine registers a vote for the wrong candidate. The coating on the edge of some touch screen models has been known to degrade after years of use, resulting in the screen moving out of place and registering votes incorrectly.
The issue has become notable in recent years as many of the machines are now over 10 years old. In 2014, the issue affected 26 AccuVote-TSX machines across Virginia Beach’s 94 precincts. The same machine model is used in some capacity in 20 other states.
Aging cards containing voting data can be faulty and are vulnerable to hacking
Perhaps the most crucial—and vulnerable—part of an election machine is the memory card that contains voting records. After votes are cast, election officials use the cards (or cartridges or diskettes) to feed the records into a centralized system.
Cards can fail as they age. They also aren’t encrypted, making them susceptible to manipulation. They can be infected by or replaced with a duplicate card programmed to weigh votes differently in favor of a candidate.
The vulnerability of cards was perhaps best illustrated by the 2000 presidential race, when a card recorded negative 16,022 votes for Al Gore in Volusia County in key swing state Florida.
Election systems that use scanners to count paper ballots also rely on memory cards and have the same vulnerabilities.
Software with security loopholes widely used in voting machines
Many electronic voting machines across the country rely on outdated operating systems such as Windows 2000 and Windows XP (released in 2001). Both have known security vulnerabilities since Microsoft no longer produces patches for the antiquated systems. A hacker could thus easily exploit security holes to gain access.
Those programs were not designed to withstand today’s sophisticated cyberattacks, meaning that an average modern PC, preinstalled with basic security, is safer than most electronic voting machines.
Outdated operating systems also mean critical hardware can’t be replaced, even if it’s failing, since old software won’t run on newer machines.
Hacking Through Wireless
Voting machines can be hacked remotely through Wi-Fi
Wireless technology used in some electronic voting machines is severely outdated. Security tests by the Virginia Information Technologies Agency last year of the WINVote system (now defunct) showed that data could be modified unnoticed on the tested machine via Wi-Fi from a nearby location. Even when the wireless functionality was turned off, the network card on the machine stayed online and kept receiving and sending data.
The Wi-Fi technology in the machines is so outdated that the security protocol (WEP) was already deemed unsafe and susceptible to hacking as far back as 2004.
Also, passwords used on the machines were found to be extremely simple and repetitive across machines. Some election machines also use a wireless system to transfer final voting records.
Spare parts no longer available
Many machine models are no longer manufactured, making it difficult or impossible to find replacement parts or technicians. The Brennan Center estimates that 43 states and the District of Columbia use machines that are kept running using band-aid solutions.
Key voting data not encrypted
Most voting machines use insufficient and outdated encryption protocols. Some manufacturers allow critical data, like voting records, to be stored unencrypted, making them vulnerable to hacks and manipulation.
While different manufacturers use different encryption standards, researchers have found similar problems in them: the use of weak, home-brewed encryption algorithms and hardcoded encryption keys with simple passwords such as “abcde.”
Voting machines can be infected via USB drives
Voting machines equipped with USB ports could be infected with malware that can alter voting data. The USB ports are normally used by election officials to install updates. Malware needed to infect outdated operating systems, such as Windows XP and Windows 2000, can be downloaded or purchased for very little on the darknet (an alternate internet used mainly by criminals that’s only accessible using specialized software).
Despite hacking risk, little done to evaluate integrity of electronic vote
Despite the many risks associated with the electronic voting system, scant checks are conducted after the vote to see if machines were compromised. “When it comes down to it, there is very little that’s being done to check forensically the legitimacy of the vote,” said James Scott, senior fellow at Institute for Critical Infrastructure Technology.
Scott recommends that voting machines should undergo forensic tests following elections to check for data manipulation. However, electronic voting machines are closed systems and security researchers who probe the machines for vulnerabilities can face lawsuits.
Lack of Funding
Despite the urgent need for replacement, funds are hard to find
In 2016, voters in 43 states will vote on machines that are at least 10 years old and in desperate need of replacement. The Brennan Center estimates the price tag to replace all electronic machines is about $1 billion, but it’s unclear who will pay for it.
The federal funding made available in the early 2000s to overhaul the nation’s voting systems was given without planning for end-of-life replacement.
With many state agencies seeing their budgets cuts, officials in 22 states have said they don’t know how they will pay for new machines, and many complain that they can’t convince elected officials of the need.
Electronic voting data can’t always be audited
Despite the fact that electronic voting is used in about 70 percent of the 9,000 voting districts in the United States, only 30 states require post-election audits, according to the Institute for Critical Infrastructure Technology.
For example, in Pennsylvania, a key swing state, 47 out of the state’s 67 counties rely on electronic voting machines but use no paper auditing. This means that in the event of changes to electronic voting data, or if the information is somehow lost, they cannot be checked against paper records.
The Human Factor
Election officials not well aware of threats
Despite far-reaching guidelines by the Election Assistance Commission, most precincts have limited manpower and rely on observers who may not have the expertise to thwart threats posed to electronic voting machines. The guidelines are also voluntary in many states, making proper execution and oversight more difficult. There is also concern about the relative ease with which electronic voting machines can be infected by an insider with physical access. The Institute for Critical Infrastructure Technology estimates it takes 5–7 minutes for an untrained attacker (and 1–2 minutes for an expert) to compromise a machine by removing the security seal, replacing a part with an infected part, then resealing the machine. Finally, programmers aren’t required to have security clearance or background checks to update machine software. One manufacturer was found to be using developers in Serbia.
Is it a good solution?
It’s clear why internet voting is attractive to election officials faced with failing voting machines and to voters who want greater convenience. Yet most security experts—including the National Institute of Standards and Technology, the federal body currently researching internet voting—think it’s a terrible idea given that existing technology can’t even keep the Pentagon, banks, or Google’s Gmail secure. Nonetheless, over 30 states already have online voting for the military and overseas voters. As pressure mounts to find the next-generation solution, it’s possible calls for internet voting will intensify.
Voter lists are at risk
HAVA, passed in 2002, mandated that states create statewide voter registration databases. These databases are vulnerable at several points: Specific files, the entire storage system, or transmission paths can be corrupted due to human error or systematic attack. The FBI said in late September that voter registration sites were breached in more than a dozen states, but no data was altered. The bureau warned states to be extra vigilant with security. Deleting or altering registration lists could create havoc on election day. Ed Alexander of BLACKOPS Partners Corp., a darknet intelligence company, says voter lists are currently for sale on the darknet.
What Needs to Happen?
No time to wait
Funding is the major challenge to resolving the crisis, and no level of government has been willing to take on that responsibility. But there’s no escaping that much of the system needs replacing.
The Brennan Center makes several recommendations to help extend the life of existing machines, at least through this election, to avoid election day chaos.
In terms of replacement solutions, they suggest the federal Election Assistance Commission reduce the cost and time needed to certify new technologies. States could also coordinate purchases to get better deals from vendors.
Cybersecurity experts recommend conducting post-election forensics to check machines for tampering.
While academics and activists have been pointing out security flaws for years, recent high-profile cyberattacks placed the issue in the spotlight. “We should carefully consider whether our election system, our election process, is critical infrastructure like the financial sector, like the power grid,” said Secretary of the Department of Homeland Security Jeh Johnson in August.
While no system will ever be perfect, the integrity of the vote, and the public perception of that integrity, are essential for people to trust that their vote counts.
Optical Scan Paper Ballot Systems: Voters mark paper ballots that are then scanned into a computer to tabulate results, either at the polling station or at a central location.
Direct Recording Electronic (DRE) System: A push-button, touch-screen, or dial interface records a voter’s selection directly into the computer’s memory. Some DREs have voter-verified paper audit trail (VVPAT) printers that print out a confirmation of the vote; the paper record is preserved for use in the event of an audit or recount.
Ballot Marking Devices and Systems: An interface to help disabled voters mark a paper ballot, which is then scanned or counted manually.
Hand-Counted Paper Ballots: Some jurisdictions still count paper ballots, cast in polling places or mailed in, by hand.
All but hand-counted ballots use computer systems and are thus vulnerable to problems of degradation and tampering.
CORRECTION: A previous version of this article incorrectly stated the position of the Department of Homeland Security (DHS) on designating the election system as critical infrastructure. DHS Secretary Jeh Johnson said the option should be considered.