American democracy depends on the sanctity of the vote. In the wake of the 2016 election, that inviolability is increasingly in question, but given that there are 66 weeks until midterm elections, and 14 weeks until local 2017 elections, there’s plenty of time to fix the poor state of voting technology, right? Wrong. To secure voting infrastructure in the US in time for even the next presidential election, government agencies must start now.
At Def Con 2017 in Las Vegas, one of the largest hacker conferences in the world, Carsten Schurmann (coauthor of this article) demonstrated that US election equipment suffers from serious vulnerabilities. It took him only a few minutes to get remote control of a WINVote machine used in several states in elections between 2004 and 2015. Using a well-known exploit from 2003 called MS03-026, he gained access to the vote databases stored on the machine. This kind of attack is not rocket science and can be executed by almost anyone. All you need is basic knowledge of the Metasploit tool.
Carsten Schurmann is an associate professor at the IT University of Copenhagen. He is an election technology expert and heads DemTech, a research project that investigates how the use of technology in the election process affects voter trust. Jari Kickbusch is a journalist, author and member of the DemTech team. Schurmann and Kickbusch have observed elections in Egypt, Australia, Norway, Estonia, and the United States during the 2016 presidential election.
Had Schurmann hacked the WINVote during an election, he could have changed the vote totals stored on the machine, observed voters while they were voting, or simply turned off the machine on voting day to cause havoc. This is not exactly the kind of news that increases public trust in election results. But the really bad news is that since the WINVote voting machine does not provide a paper trail, the manipulation of the database would not have been detectable. The same goes for many of the voting machines still in use, which prevent auditors from checking that the votes reflect voter intent.
All of this poses a threat against the heart of US democracy. The people responsible for maintaining and updating these outdated and vulnerable devices are obliged to take steps to rectify the shortcomings and to minimize the risk of disruption through cyber-attacks. Reiterating that everything is secure and safe enough will not do. Here are five recommendations on how to tackle this challenge:
1. Retire old and outdated voting machines.
A voting machine is outdated when it has known security holes. For example, other hackers at Def Con 2017 demonstrated that the Diebold Express-pollbook is exposed to the OpenSSL vulnerability CVE-2011-4109. Outdated voting machines should either be updated or dumped.
Furthermore, we know from history that all voting machines can be hacked. Voting machines that do not produce a voter-verifiable paper audit trail should be decommissioned. In the end, paper gives election officials a way to deliver a correct result, even if the technology fails due to hacking attacks, system malfunction, or power outages. If cost is prohibitive, revert to pencil and paper or older non-electronic equipment.
2. Secure voter registration systems and voter databases against hacking attacks.
Ensuring that hackers cannot steal or alter voter registrations requires that the data be encrypted and that the cryptographic keys be carefully curated. Adjust administrative processes to minimize the risk of data leakage and unauthorized access. Harden the security of the database systems, for example, by deploying them only on secured and dedicated servers.
3. Require risk-limiting audits for any precinct that uses electronic voting machines.
A risk-limiting audit is a statistical method to verify an election result and to detect vote tampering independently of the voting machine technology. By picking a truly random sample of the paper trail of suitable size and inspecting it, one can gain confidence in the correctness of the election result.
4. Adjust the rules of procurement and maintenance of election voting systems.
Policies and laws should reflect that voting machines are used in an ever-changing environment, which is under the adversary’s control. Hence, continuous delivery and installation of security patches should be mandatory. An up-to-date voting machine decreases the risk of hackers disrupting the voting day activities.
5. Improve training of polling station staff.
Election officials need to be able to handle cryptographic keys and to protect them in the face of social engineering and other hacking attacks. Most people could master this after attending a one-day workshop that covers the basics of IT security.
In the current geopolitical climate, protecting the election technologies against hacker attacks is tantamount to protecting the integrity of the election. Many counties have already made good progress. In Colorado, risk-limiting audits are required, and in Maryland, paper trails are mandatory. Unfortunately, it seems unlikely that every state can be completely secured within the next 66 weeks. However, taking the first steps toward legislating for risk-limiting audits and hardening the security of the systems in use should be achievable everywhere.
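The risk-limiting audit from recommendation 3, sketched as an added example (not code from the article or from any election authority): a two-candidate ballot-polling audit using the BRAVO sequential test, one published method chosen here for illustration. The ballot data, the seed, and the names `bravo`, `draw` and `run` are constructed for the example.

```python
import random

def bravo(sampled_ballots, reported_winner, reported_share, risk_limit=0.05):
    """Sequential test over already-sampled paper ballots (two-candidate contest).

    Returns ("confirmed", n) once the evidence meets the risk limit, or
    ("full hand count", n) if the sample runs out first.
    """
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    ratio, n = 1.0, 0
    for n, ballot in enumerate(sampled_ballots, start=1):
        # Each ballot scales the likelihood ratio of "the reported share is
        # right" against "the contest was a tie or the reported winner lost".
        if ballot == reported_winner:
            ratio *= reported_share / 0.5
        else:
            ratio *= (1 - reported_share) / 0.5
        if ratio >= 1 / risk_limit:
            return "confirmed", n
    return "full hand count", n

def draw(paper_trail, seed, max_draws):
    """Uniform random sample, with replacement, from the paper trail."""
    # Assumption: in a real audit the seed comes from a public ceremony
    # (e.g. dice rolls) and feeds a published, reproducible generator.
    rng = random.Random(seed)
    return (rng.choice(paper_trail) for _ in range(max_draws))

# Constructed data: the machines report 60% for "A" in both scenarios.
honest_paper = ["A"] * 6000 + ["B"] * 4000    # paper agrees with the machines
tampered_paper = ["A"] * 4000 + ["B"] * 6000  # paper says "B" actually won

def run(paper_trail, seed=2017, max_draws=2000):
    """Audit the reported result (A wins with 60%) against a paper trail."""
    return bravo(draw(paper_trail, seed, max_draws), "A", 0.60)

if __name__ == "__main__":
    print("honest:  ", run(honest_paper))
    print("tampered:", run(tampered_paper))
```

The audit never looks at the machine's database, only at the paper, which is why it works regardless of how the electronic totals were produced or altered.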