RSN Fundraising Banner
Attack on Commonly Used Voting Machine Could Tip an Election, Researchers Find
Written by <a href="index.php?option=com_comprofiler&task=userProfile&user=49204"><span class="small">Tim Starks, Politico</span></a>   
Friday, 28 September 2018 08:32

Starks writes: "A malicious hacker could alter the outcome of a U.S. presidential election by taking advantage of numerous flaws in one model of vote-tabulating machine used in 26 states, cybersecurity experts warned in a report presented Thursday at the Capitol."

Electronic voting machines in Columbus, Ohio, November 3, 2015. (photo: AP)
Electronic voting machines in Columbus, Ohio, November 3, 2015. (photo: AP)

Attack on Commonly Used Voting Machine Could Tip an Election, Researchers Find

By Tim Starks, Politico

28 September 18


malicious hacker could alter the outcome of a U.S. presidential election by taking advantage of numerous flaws in one model of vote-tabulating machine used in 26 states, cybersecurity experts warned in a report presented Thursday at the Capitol.

The report is the latest in a series of alerts by security researchers about weaknesses in U.S. voting infrastructure, amid continuing concern by lawmakers and intelligence officials about alleged Russian attempts to manipulate the upcoming midterm elections.

Voting machine vendors and state election officials have often dismissed such warnings as alarmist, saying they don’t reflect the real-world obstacles to altering vote tallies from tens of thousands of machines on Election Day without being detected.

But the newest findings show that long-ignored vulnerabilities in commonly used voting equipment could allow intruders to at least throw the outcome of a national election into doubt, according to the report from cybersecurity experts including Jake Braun, a University of Chicago professor who served as the White House liaison to the Department of Homeland Security during the Obama administration, and Matt Blaze, a noted University of Pennsylvania cryptographer.

Braun and Blaze were among the organizers of the Voting Village at this year's DEF CON cybersecurity conference, where security researchers had the opportunity to test voting machines still in use across the country. The report is a result of of that work.

"The biggest flaw in the process we found is, even when we identify flaws, they don't get fixed," said Braun today on Capitol Hill.

The report says an attacker could remotely gain access to the Model 650 tabulating machine manufactured by Election Systems and Software, one of the country's largest sellers of voting equipment, by exploiting numerous vulnerabilities in the unit. Researchers also said this model has an unpatched vulnerability that the manufacturer was notified about a decade ago.

In a response to the DEF CON report sent to POLITICO, ES&S said it takes cybersecurity concerns seriously, but the researchers' work isn't a realistic example of current threats.

"The report validates that any type of technology can be exploited under conditions where it is made accessible with zero controls, which is not the case in an election," the company said. "Regarding the M650, ES&S first manufactured the M650 — which is a paper-based system — in 1999 and discontinued manufacture of those units in early 2008."

The company admits the unit's security protections aren't as advanced as those on more current machines, but that it believes "the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment and, therefore, safe and secure to use in an election."

Yet, the problems in that system raise new alarms for the DEF CON organizers. Over several days in August, participants discovered dozens of new vulnerabilities, including one that allowed hackers to gain physical access to a machine used in 18 states in just two minutes — less time than most people take to vote.

The event organizers said the Model 650 vote-tabulation vulnerabilities are especially problematic because states use the machines to processes ballots for entire counties. "[H]acking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election," the report says.

Law enforcement and intelligence officials have repeatedly said they see no evidence that Russian operatives compromised the actual vote count in 2016, despite what they call an extensive Kremlin-backed influence campaign that included cyberattacks on state voter databases and the theft of Democratic Party emails.

Still, election integrity advocates and many cybersecurity experts have long warned about the possibility of digital saboteurs tampering with voting machines.

"For the U.S. election system, the challenges at hand are much larger than just software bugs: There are fundamental design issues to sort out and fix," said Harri Hursti, a cofounder of the village. "The innovation inherent in this kind of exercise can be of immeasurable impact.”

DEF CON did not notify vendors of the flaws they discovered in advance of the report's release, citing legal threats from ES&S. The company has taken issues with the DEF CON organizers about unauthorized access of its machines.

The National Association of Secretaries of State has also taken issues with the DEF CON experiments, saying they don't reflect accurate Election Day scenarios.

But despite the controversial nature of the DEF CON experiments, it has the backing of many lawmakers and state officials.

"It should not be necessary for us to gather here today make this election system secure," Rep. Jackie Speier (D-Calif.) said at a news conference announcing the report. "It should be a given."

With the release of the report, DEF CON is urging Congress to codify minimum standards and send money to states to help them implement them.

It also includes a first-of-its-kind crisis communications plan for states whose vote results-reporting websites are knocked down, identified in the report as the most vulnerable piece of the election infrastructure.

"Given the scope of vulnerabilities inherent in the U.S. election system, it is vital that state and local election officials not only seek to prevent cyber attacks on their systems, but also plan how best to recover from an attack," the report states.

Email This Page your social media marketing partner
Last Updated on Friday, 28 September 2018 09:17


A note of caution regarding our comment sections:

For months a stream of media reports have warned of coordinated propaganda efforts targeting political websites based in the U.S., particularly in the run-up to the 2016 presidential election.

We too were alarmed at the patterns we were, and still are, seeing. It is clear that the provocateurs are far more savvy, disciplined, and purposeful than anything we have ever experienced before.

It is also clear that we still have elements of the same activity in our article discussion forums at this time.

We have hosted and encouraged reader expression since the turn of the century. The comments of our readers are the most vibrant, best-used interactive feature at Reader Supported News. Accordingly, we are strongly resistant to interrupting those services.

It is, however, important to note that in all likelihood hardened operatives are attempting to shape the dialog our community seeks to engage in.

Adapt and overcome.

Marc Ash
Founder, Reader Supported News

+1 # Caliban 2018-09-28 17:27
Is anything more dangerous to democratic governance than election totals that do not accurately represent the ballots cast by the legitimate voters? I do not think so.

Therefore I urge -- even beg -- the Congress to do everything that is both legal and constitutional to safeguard our election process from manipulation and inaccuracy -- from registration rolls to voting machine design and monitoring to the final vote count.

The democratic process depends on this fundamental level of security.
+1 # Kootenay Coyote 2018-09-28 18:16
Paper works: Sabotage-vulner able machines don’t, except for the crooks who endorse & require them.
+1 # FarMor 2018-09-28 18:33
Simple inexpensive solution: PAPER BALLOTS! We don't have to have instantaneous results. And it would give retirees a short-term job counting the ballots.
+1 # hiker 2018-09-29 17:21
This article doesn't say which 26 states these machines are in. I'd venture to guess most are controlled by republican Secretary of States. I'm sure they are happy to keep these machines so THEY can hack them. Forget the Russians.