The Invisible Risk in Election Security

Election results must be shared to have meaning, but sharing introduces risk

Hacking a voting machine makes a good story. If the hacker uses everyday objects, so much the better.

In 2004, Princeton professor Andrew Appel took a screwdriver and a $4 chip to change the vote count in a widely used machine. It took him seven minutes. A 2016 demonstration by Brian Varner, a security researcher at Symantec, showed that a single voter could enter hundreds of votes with a hacked smart card of the kind used in states with electronic-only voting. Varner altered the card with a $15 palm-sized device and tested it on two current-generation voting machines he bought on eBay for $100 each.

When Def Con 2017 offered the first Voting Village, an area of the conference filled with voting machines for attendees to compromise, hackers had a field day. One voting machine was repurposed as a boombox to play music from 80s pop icon Rick Astley. At last year’s Voting Village, a team reprogrammed an electronic poll book to run the video game Doom, while another displayed the adventures of Nyan Cat, a Japanese flying feline.

The vulnerabilities uncovered make for a long, long list. There’s real value in exposing and addressing such flaws.

But they aren’t the big problem in electoral security. The real risk comes after votes are recorded, and it is far less visible.

 

The Elections Stagecoach

Elections rely on sharing information. It’s the combined data that gives weight to results at a particular polling station, and the data from many polling stations that determine results for counties, states, and the nation. The results must be shared to have meaning.

Many counties bring results to a central location by physically carrying them there: an elections official carries polling data on a USB stick and delivers it by hand. This sort of air gap, or physical separation of voting machines from networks, is a key part of the proposed cybersecurity bill currently in Congress (‘For the People Act of 2021,’ H.R.1 and S.1), and it recognizes the risk of links to the internet.

But voting machines connect to the internet anyway. Current models are supposed to use their modems only briefly, perhaps a minute, to transmit results, but after the 2018 election many were never disconnected. In 2020, a team of cybersecurity experts found 35 of them still online, unbeknownst to local officials. Of those, a number remained online even after local authorities were alerted to the vulnerability. That vulnerability extends even to machines viewed as air-gapped.

Many machines described as ‘disconnected from the internet’ actually rely on common internet protocols and relay signals through cell towers that can be spoofed.

Others use an external firewall to send data to a central location, so any flaw in the protective software exposes the SFTP server beyond.

A large amount of data is thus at risk. A hack of an electronic poll book can produce invalid results at that device, as can a vulnerability in a ballot-marking device for the visually impaired (such as the design flaw well publicized in 2018). But if a hacker seizes the flow of data when it is shared, all the votes could be compromised.
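The modems that were "never disconnected" are a policy violation that leaves a record: a cellular gateway or firewall logs when each device connected and for how long. The audit below is an added example, not code from the article or from any election vendor; the session log, the device names, the transmit window and the five-minute session cap are all constructed assumptions. It flags any device that connected outside the election-night window or stayed connected far longer than a results upload needs.

```python
"""Audit of modem sessions from results-transmitting voting devices.

Added example, not from the article or any vendor. The session records and the
policy values are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: modems may connect only during this election-night window,
# and a results upload should take roughly a minute, so cap sessions at 5 minutes.
TRANSMIT_WINDOW = (datetime(2018, 11, 6, 20, 0), datetime(2018, 11, 6, 23, 59))
MAX_SESSION = timedelta(minutes=5)


@dataclass(frozen=True)
class Session:
    device: str
    start: datetime
    end: datetime


# Constructed cellular-gateway export, one session per line:
# device_id,start_iso,end_iso. TAB-031 was never hung up and TAB-040 came
# back online a week later.
SAMPLE_LOG = """\
TAB-017,2018-11-06T21:02:10,2018-11-06T21:03:05
TAB-022,2018-11-06T21:04:44,2018-11-06T21:05:30
TAB-031,2018-11-06T21:07:12,2018-11-09T08:15:00
TAB-040,2018-11-06T21:09:00,2018-11-06T21:09:55
TAB-040,2018-11-14T03:22:18,2018-11-14T03:41:07
"""


def parse_sessions(text: str) -> list[Session]:
    """Parse the export; blank lines are skipped, malformed lines raise."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, start, end = line.split(",")
        sessions.append(Session(device, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return sessions


def audit(sessions: list[Session], window=TRANSMIT_WINDOW, max_session=MAX_SESSION) -> dict[str, list[str]]:
    """Map each policy-breaking device to its findings; compliant devices are absent."""
    findings: dict[str, list[str]] = {}
    w_start, w_end = window
    for s in sessions:
        problems = []
        if not (w_start <= s.start <= w_end):
            problems.append(f"connected outside the transmit window at {s.start.isoformat()}")
        if s.end - s.start > max_session:
            problems.append(f"stayed connected for {s.end - s.start}, limit is {max_session}")
        if problems:
            findings.setdefault(s.device, []).extend(problems)
    return findings


if __name__ == "__main__":
    for device, problems in sorted(audit(parse_sessions(SAMPLE_LOG)).items()):
        print(device)
        for problem in problems:
            print("  -", problem)
```

Run against the constructed log, the audit reports TAB-031 (one session that never ended) and TAB-040 (a second session a week after the election that also ran far past the cap); the two devices that transmitted for under a minute inside the window are silent. The same check works on a real gateway export once the column order and the county's own window are substituted.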

 

Sharing Data, Securely

So why not keep voting machines entirely separate from the internet?

For three reasons. First, many theoretical air gaps turn out to be less than ideal in practice, as seen with current ‘disconnected’ voting machines that actually do have network vulnerabilities. Cybersecurity experts routinely advise planning as if your air gap has been breached. We need to protect our systems even if they are exposed, even when people make mistakes.

Second, connected machines can provide a check of authenticity. Many states already do this, comparing tallies sent via modem to those delivered on flash drives, which have their own set of vulnerabilities. With no remote sharing, the only way to verify data is by the same method used to get it in the first place, with the same flaws.

And finally, certain data needs frequent sharing and updating from central authorities to local ones, like information on voter registration records. That data should be protected at both ends.
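The second reason above, comparing the tally sent by modem with the one delivered on a flash drive, is only a check of authenticity if each copy can be tied to the machine that produced it; otherwise an attacker who alters one copy can alter the other to match. The reconciliation below is an added example and is not code from the article or from any election vendor. It assumes that each machine exports its results together with an HMAC-SHA256 tag computed under a per-device key that the county holds; the key, precinct counts and tags are constructed for the example.

```python
"""Reconciling a precinct's modem-delivered tally with its flash-drive copy.

Added example, not from the article or any election vendor. It assumes each
machine exports its results with an HMAC-SHA256 tag computed under a
per-device key held by the county; key, tallies and tags below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed per-device secret; in practice it would live in the machine and
# in the county's key store, never in the exported file.
DEVICE_KEY = b"constructed-key-for-TAB-017"


def tag(results: dict, key: bytes = DEVICE_KEY) -> str:
    """HMAC over a canonical JSON encoding, so key order cannot alter the tag."""
    canonical = json.dumps(results, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def authentic(copy: dict, key: bytes = DEVICE_KEY) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(tag(copy["results"], key), copy["mac"])


def reconcile(modem_copy: dict, usb_copy: dict, key: bytes = DEVICE_KEY) -> list[str]:
    """Return findings; an empty list means both copies authenticate and agree."""
    findings = [f"{name} copy failed authentication"
                for name, copy in (("modem", modem_copy), ("usb", usb_copy))
                if not authentic(copy, key)]
    if findings:
        return findings  # never compare counts from a copy that cannot be trusted
    m, u = modem_copy["results"], usb_copy["results"]
    if m["precinct"] != u["precinct"]:
        findings.append(f"precinct mismatch: modem={m['precinct']} usb={u['precinct']}")
    for option in sorted(set(m["counts"]) | set(u["counts"])):
        if m["counts"].get(option) != u["counts"].get(option):
            findings.append(f"{option}: modem={m['counts'].get(option)} usb={u['counts'].get(option)}")
    return findings


def export(results: dict, key: bytes = DEVICE_KEY) -> dict:
    """What the machine writes to both channels: the results plus their tag."""
    return {"results": results, "mac": tag(results, key)}


# Constructed scenarios.
GENUINE = {"precinct": "P-12",
           "counts": {"Mayor/A": 412, "Mayor/B": 387, "Measure 3/Yes": 501, "Measure 3/No": 290}}
MODEM_COPY = export(GENUINE)
USB_COPY = export(GENUINE)

# Flash-drive copy altered in transit: counts changed, tag left as it was.
TAMPERED_USB = {"results": {**GENUINE, "counts": {**GENUINE["counts"], "Mayor/A": 512}},
                "mac": MODEM_COPY["mac"]}

# Flash-drive copy from an earlier, partial export: correctly tagged but stale.
STALE_USB = export({**GENUINE, "counts": {**GENUINE["counts"], "Mayor/A": 300, "Mayor/B": 280}})

if __name__ == "__main__":
    for label, usb in (("matching", USB_COPY), ("tampered", TAMPERED_USB), ("stale", STALE_USB)):
        print(label, reconcile(MODEM_COPY, usb) or "OK")
```

The order of checks matters: authentication runs first, and counts are compared only when both copies carry a valid tag, so the report distinguishes a copy that was altered (authentication failure) from two genuine exports that disagree (a stale or partial file, which is an operational problem rather than an attack). A tag under a symmetric key shows that whoever wrote the file held the device's key; if the county needs a third party to verify without being able to forge, a digital signature takes the place of the HMAC with the rest of the logic unchanged.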

It is possible to do so with greatly enhanced security. The ASA Firewalls used to share voting results with Election Management Systems (EMS) should be upgraded with PathGuard, as should communications modules for voting machines. By directing all communication in and out to a digital holding area, PathGuard enforces separation between the protected side of a system and the side exposed to the outside world. The protected unit then sends only approved output, and it places input into memory that is hardware-designated for data only, preventing activation of disguised malware.
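The design principle in the paragraph above, a holding area that keeps the exposed side from ever handing the protected side anything but inert data, and that lets only approved output leave, can be shown in software. The code below is an added illustration of that principle and is not PathGuard's implementation; it makes no claim about how that product works or what its hardware enforces. It assumes that the exposed side can only append raw bytes to a queue, that the protected side either turns each item into one fixed-shape record or discards it, and that outbound messages must match an allow-list of message types and field sets. The record shape, the option names and the inbound traffic are constructed.

```python
"""Holding-area pattern between an exposed network side and a protected results side.

Added example illustrating the separation principle described in the article;
it is not PathGuard's implementation and makes no claim about that product.
Assumptions: the exposed side can only append raw bytes to a queue, the
protected side turns each item into a fixed-shape record or discards it, and
only allow-listed message types may leave.
"""
from __future__ import annotations

import json
from collections import deque

MAX_INBOUND_BYTES = 4096
ALLOWED_OPTIONS = {"Mayor/A", "Mayor/B", "Measure 3/Yes", "Measure 3/No"}
OUTBOUND_ALLOWLIST = {"ack": {"precinct"}, "tally_report": {"precinct", "counts"}}


class HoldingArea:
    """The only path between the two sides: opaque bytes in, allow-listed messages out."""

    def __init__(self) -> None:
        self._inbound: deque[bytes] = deque()
        self._outbound: deque[dict] = deque()

    # Exposed side: may deposit bytes and read released messages, nothing more.
    def deposit(self, raw: bytes) -> bool:
        if len(raw) > MAX_INBOUND_BYTES:
            return False
        self._inbound.append(bytes(raw))  # held purely as data; nothing here interprets it
        return True

    def fetch_outbound(self) -> dict | None:
        return self._outbound.popleft() if self._outbound else None

    # Protected side: drains the inbound queue and decides what may leave.
    def next_inbound(self) -> bytes | None:
        return self._inbound.popleft() if self._inbound else None

    def release(self, msg_type: str, payload: dict) -> bool:
        fields = OUTBOUND_ALLOWLIST.get(msg_type)
        if fields is None or set(payload) != fields:
            return False  # only approved output leaves the protected side
        self._outbound.append({"type": msg_type, **payload})
        return True


def parse_tally(raw: bytes) -> dict | None:
    """Accept exactly one record shape; anything else, however it is dressed up, is dropped."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict) or set(obj) != {"type", "precinct", "counts"} or obj["type"] != "tally":
        return None
    precinct, counts = obj["precinct"], obj["counts"]
    if not (isinstance(precinct, str) and 1 <= len(precinct) <= 8 and precinct.replace("-", "").isalnum()):
        return None
    if not isinstance(counts, dict) or set(counts) - ALLOWED_OPTIONS:
        return None
    if not all(type(v) is int and 0 <= v <= 100_000 for v in counts.values()):
        return None
    return {"precinct": precinct, "counts": {k: counts[k] for k in sorted(counts)}}


def protected_cycle(area: HoldingArea) -> tuple[int, int]:
    """Drain the holding area once; return (accepted, dropped) counts."""
    accepted = dropped = 0
    while (raw := area.next_inbound()) is not None:
        record = parse_tally(raw)
        if record is None:
            dropped += 1
            continue
        accepted += 1
        area.release("tally_report", record)
    return accepted, dropped


def demo() -> tuple[int, int, list[dict]]:
    """Constructed inbound traffic: one valid record and four items that must not get through."""
    area = HoldingArea()
    area.deposit(b'{"type": "tally", "precinct": "P-12", "counts": {"Mayor/A": 412, "Mayor/B": 387}}')
    area.deposit(b'{"type": "tally", "precinct": "P-12", "counts": "412"}')                    # wrong shape
    area.deposit(b'{"type": "tally", "precinct": "P-12", "counts": {"Mayor/A": 1}, "x": 1}')  # extra field
    area.deposit(b"not a record at all")                                                      # not parseable
    area.deposit(b"A" * (MAX_INBOUND_BYTES + 1))                                              # oversized, refused at the door
    accepted, dropped = protected_cycle(area)
    out = []
    while (msg := area.fetch_outbound()) is not None:
        out.append(msg)
    return accepted, dropped, out


if __name__ == "__main__":
    print(demo())
```

Two choices carry the principle. Inbound bytes are never evaluated, executed or dispatched on; they are decoded into one fixed record shape with every field's type and range checked, and any deviation (an extra key, a string where a mapping belongs, an unknown contest option, a boolean masquerading as an integer) discards the whole item rather than salvaging part of it. Outbound traffic is allow-listed by message type and exact field set, so even a compromised parser on the protected side cannot emit an arbitrary message through the area. In the constructed run, one record is accepted, three are dropped after inspection and the oversized one is refused before it is queued.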

And that helps secure the most vulnerable, invisible step in election security… even if a hacker does manage to attack a machine with a screwdriver and a $4 chip.
