Voting machine hacks: How secure are your votes?

Cybersecurity is a top concern for election officials around the country. (Image by 400tmax | iStock / Getty Images Plus)
Battle for the Ballot, a special project of States Newsroom
This is part of a series of stories looking at voters’ concerns and voting issues in the 2020 election. Also today: “Voter fraud myth persists despite constant failure to prove claims” 

There is no evidence, despite partisan claims to the contrary, that mail-in ballots are rife with voting fraud — but there are parts of the election system that security researchers say are at far greater risk for malicious activity.

National elections like the one in November, when Americans will decide whether Donald Trump or Joe Biden will lead the country for the next four years, are really thousands of smaller elections administered by state and county governments. And each of those governments has its own procedures for ensuring ballot and information security, and for purchasing, maintaining and testing the equipment that it uses to conduct its election.

For instance, even though more than 30 states — including Iowa — allow overseas voters to cast their ballots by email, fax or through other electronic means, there are no standards for even basic security measures like encryption.

Iowa Secretary of State Paul Pate. (Photo courtesy Iowa Secretary of State)

Iowa Secretary of State Paul Pate is the recent past president of the National Association of Secretaries of State and chairman of the association’s cybersecurity committee. He said the system to accept electronic ballots from overseas voters is part of a broader program his office has instituted to test the cybersecurity of Iowa’s elections systems.

“We have included that and on a national level, we’ve been working very aggressively with our military partners, to make sure that we are stepping up, providing the security for those overseas who are voting through electronic means,” Pate said. “And it’s still a work in progress and we have made some serious progress as well. But we’re not done by any means on that front.”

Pate’s office has partnered with a national cybersecurity crowdsourcing program called Bugcrowd to test the integrity of Iowa’s election infrastructure. The Vulnerability Disclosure Program invites private-sector security researchers to test Iowa’s system.

Pate said the program has already uncovered some “small things” that the state has now addressed, although he would not specify what they were.

In other states, however, lax or nonexistent security on those systems, as well as the physical machines used to cast or count ballots, open the door to election hacking.

Hackers and security researchers at the annual DEFCON conference have in recent years made a point of looking at how secure — or insecure — the nation’s voting infrastructure is, known as the DEFCON Voting Village

This year, instead of the hands-on hacking of election machines that have grabbed headlines in years past, the Voting Village focused on in-depth discussions about the integrity and security of our election infrastructure. Among the topics of discussion were the vulnerabilities to election systems presented by fax machines, email voting and more.

Hack the vote

Earlier this month, a Russian newspaper reported that the personal information of 7.5 million Michiganders was posted on a Russian hacker site. It appeared to show the their voter identification number and polling places. The paper claimed the site had been hacked in an attempt to solicit money from the U.S. government.

But Michigan’s Department of State denied that this was a data breach of any sort, as the information being posted is already publicly available.

“Public voter information in Michigan and elsewhere is accessible to anyone through a FOIA [Freedom of Information Act] request. Our system has not been hacked,” SOS spokesperson Jake Rollow told Michigan Advance in an email.

Voters in other key battleground states, including North Carolina and Florida, were also targeted in the dark web database, as were those in Arkansas, Connecticut and New York. 

While the public is largely inured to news about data breaches because of how frequently they happen, data security — also known as infosec — can be the first line of defense for an organization or a person trying to make sure their data or personal information remains secure. 

That focus on infosec was a big part of DEFCON talk this year by Forrest Senti, director of government and business affairs for the National Cybersecurity Center, and Caleb Gardner, a fellow with Secure the Vote. 

The talk focused on how certain fax machines that are used to accept ballots can present a vulnerability to election offices, with election officials frequently unaware of the security issues stemming from a fax number that is often posted online.

Without proper security, all a hacker would need is the phone number to take over an election official’s fax machine, allowing them to search other computers that are on the same network or install a malicious program to steal documents. 

“Even if you don’t get any ballots through a fax machine, it still represents a vulnerability,” Senti said to the Mirror.

Thirty-one states and the District of Columbia allow voters to return ballots by email and fax, according to the National Conference of State Legislatures

In the 2016 election, 344 ballots were cast in Iowa by overseas voters, according to data by the United States Election Assistance Commission

In 2018, some 29,000 ballots were cast across the country by voters overseas using some form of online portal, email or fax, according to the data. 

While Senti and others say this number is not “statistically significant,” the shortcomings pose an outsized risk.

The greater fear is that the ballots themselves could be compromised.

In the DEFCON Voting Village’s 2019 report, hackers and researchers found that voting machines had a number of vulnerabilities. Some had security features turned off when they were shipped, some had voter data easily accessible, some had no passwords set and one even had an unencrypted hard drive.

Several states across the country use those machines.

The ES&S Automark is used in many states to help voters with disabilities mark their ballots. The machines have been in use for years, and the Voting Village found some concerning vulnerabilities.

“Immediate root access to the device was available simply by hitting the Windows key on the keyboard,” the report states. A user who gains root access on the device can see — and potentially change — any files or other systems.

The ES&S Automark obtained by the Voting Village was using software from 2007 and appeared to have last been used in a 2018 special election. The PIN code to replace the firmware on the entire device was listed as “1111.”

But there are no national guidelines for how election officials conduct these sorts of audits or tests on electronic voting devices; instead, it is up to each jurisdiction to develop its own methods of checking the devices.

For example, in Colorado, election officials roll a series of 10-sided die on a webcast in order to generate a random number that determines which machine-tallied election results will be checked for discrepancies.

“These jurisdictions have a lot of autonomy in what they do,” Mattie Gullixson, program manager for Secure the Vote, said. 

Information warfare

Some of the jurisdictions may also not have the manpower needed to institute the changes required to ensure safe election procedures. 

It’s estimated that a nationwide vote by mail effort could cost up to $1.4 billion, compared to $272 million for in-person voting. Localities could get monies from the Help America Vote Act or the CARES Act to offset costs associated with voting this election cycle, but election hacking and its interplay with COVID-19 will present an acute financial impact, according to Gullixson and Senti.

And hacking isn’t limited to computer systems: Disinformation from foreign actors is commonly referred to as “social hacking” for its manipulation of social behavior.

In Iowa, Pate said he is far more concerned about this aspect of cyber disruption than any direct manipulation of votes.

“The biggest challenge we face on the cyber side isn’t the fact that they are going to do a direct hack into our system, or that they are going to manipulate a single vote, because I’m pretty confident none of them are going to get that done not only in Iowa but other places because of safeguards,” Pate said.

Iowa is currently working to ensure that the state and county election information websites are secure from tampering, he said. “They can’t seem to vote, but they sure can’t screw with your head by putting things out there on your public website that are not true or accurate,” Pate said of hackers. “And then the voters have doubts.”

Gullilxson’s background is in election administration and shortly after the 2016 election, she said that mis- or disinformation led many voters to call the elections office confused, asking questions that were fueled by disinformation circulating on social media.

“How do you (fight) against messages that say, because of COVID, this voting center has been shut down?” Gullixson said. “Those levels of mis- or disinformation could be one of the stronger negative drivers in people voting this year.”

The FBI and the Cybersecurity and Infrastructure Security Agency has already issued an alert urging Americans to be on the lookout for new websites or changes to existing websites made by foreign or malicious actors with the intention of spreading such misinformation.

“Information warfare has been around as long as warfare has been around,” Gullixson said. 

In fact, in 1985, the Russians started a disinformation campaign dubbed Operation INFEKTION that aimed to make the world believe the United States had created AIDS, a conspiracy theory that is still active today.

So far in 2020, Russian, Chinese and Iranian hackers have been caught by Microsoft in attempts to target both the campaigns of President Donald Trump and former Vice President Joe Biden.

China has also been caught by Facebook using fake accounts to speak on election matters. And just this month, Facebook and Twitter removed dozens of Russian accounts aimed at dissuading left-leaning voters from voting for Biden.

So how does one combat this type of warfare?

It starts with voters.

“There are growing efforts to try to tackle that but it starts with the voter realizing they could be manipulated in that way,” Gullixson said. 

The FBI has shared similar advice, saying that voters should make sure to get their election information from their state and county officials instead of Facebook pages, as they could very well be hacked or fake pages. 

Despite what may seem like a lot of doom and gloom, Gullixson and her colleagues are hopeful that the attention these issues have been getting will help shape policy around voting for the next 15 years for the better.

We just have to make sure we can get through it unscathed, she said. 

Michigan Advance reporter Laina G. Stebbins, Maine Beacon reporter Evan Popp and Colorado Newsline reporter Chase Woodruff contributed to this report.

Editor’s note: This story has been updated to reflect that Paul Pate is the current chairman of the cybersecurity committee. It also has been updated to clarify that Michigan officials denied a Russian newspaper’s claim of a data breach.