Will the Georgia Special Election Get Hacked?

By Kim Zetter, Politco

14 June 17

ast August, when the FBI reported that hackers were probing voter registration databases in more than a dozen states, prompting concerns about the integrity of the looming presidential election, Logan Lamb decided he wanted to get his hands on a voting machine.

A 29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee, Lamb, who now works for a private internet security firm in Georgia, wanted to assess the security of the state’s voting systems. When he learned that Kennesaw State University’s Center for Election Systems tests and programs voting machines for the entire state of Georgia, he searched the center’s website.

“I was just looking for PDFs or documents,” he recalls, hoping to find anything that might give him a little more sense of the center’s work. But his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.

“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,” he tells Politico Magazine in his first interview since discovering the massive security breach.

As Georgia prepares for a special runoff election this month in one of the country’s most closely watched congressional races, and as new reports emerge about Russian attempts to breach American election systems, serious questions are being raised about the state’s ability to safeguard the vote. Lamb’s discovery, which he shared out of concern that state officials and the center ignored or brushed off serious problems highlighted by his breach, is at the heart of voting activists’ fears that there’s no way to be sure the upcoming race—which pits Democratic neophyte Jon Ossoff against Republican former Secretary of State Karen Handel—will be secure. The special election has already become the most expensive House race in U.S. history and has drawn the attention of President Donald Trump, who has tweeted his support of Handel and ridiculed Ossoff, whose campaign is seen as a litmus test for the Trump resistance movement.

Marilyn Marks, executive director of the Rocky Mountain Foundation, which sued the state last month to prevent it from using the voting machines in the upcoming runoff, says Americans have reason to be concerned about the integrity of Georgia’s election system—and the state’s puzzling lack of interest in addressing its vulnerabilities. “The security weaknesses recently exposed would be a welcome mat for bad actors.”

Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.

The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.

And there was another problem: The site was also using a years-old version of Drupal — content management software — that had a critical software vulnerability long known to security researchers. “Drupageddon,” as researchers dubbed the vulnerability, got a lot of attention when it was first revealed in 2014. It would let attackers easily seize control of any site that used the software. A patch to fix the hole had been available for two years, but the center hadn’t bothered to update the software, even though it was widely known in the security community that hackers had created automated scripts to attack the vulnerability back in 2014.

Lamb was concerned that hackers might already have penetrated the center’s site, a scenario that wasn’t improbable given news reports of intruders probing voter registration systems and election websites; if they had breached the center’s network, they could potentially have planted malware on the server to infect the computers of county election workers who accessed it, thereby giving attackers a backdoor into election offices throughout the state; or they could possibly have altered software files the center distributed to Georgia counties prior to the presidential election, depending on where those files were kept.

The center has played a critical role in the state’s elections for more than a decade, not only by testing the touch-screen voting machines used throughout the state and maintaining the software that’s used in the machines, but also by providing support for the GEMS servers that tabulate votes and creating and distributing the electronic ballot definition files that go into each voting machine before elections. These files tell the machines which candidate should receive a vote based on where a voter touches the screen. If someone were to alter the files, machines could be made to record votes for the wrong candidate. And since Georgia’s machines lack a proper paper trail — which would allow voters to verify their choices before ballots are cast and could also be used to compare against electronic tallies during an audit — officials might never know the machines recorded votes inaccurately. There have been no public reports indicating that this has ever happened in Georgia, but computer security experts say it’s not clear officials would be able to uncover this even if they tried.

The center also distributes the voter registration list to counties for use on their ExpressPoll pollbooks; if attackers were to delete voter names from the database stored on the center’s server or alter the precinct where voters are assigned, they could create chaos on Election Day and possibly prevent voters from casting ballots. This is not an idle concern: During the presidential election last year, some voters in Georgia’s Fulton County complained that they arrived to polls and were told they were at the wrong precinct. When they went to the precinct where they were redirected, they were told to return to the original precinct. The problem was apparently a glitch in the ExpressPoll software.

Last month, Marks and other plaintiffs filed a motion seeking an injunction to prevent the three counties casting ballots in the 6th Congressional District race—Fulton, DeKalb and Cobb—from using their touch-screen machines and use paper ballots instead. In court filings and a hearing last week, they cited Lamb’s breach of the center’s server as one reason the machines, and the center’s oversight of them, cannot be trusted. They sought the injunction without knowing the full extent of Lamb’s breach.

Their concerns were validated last week with the publication of a classified National Security Agency report, which stated that hackers associated with Russian military intelligence had been behind the previously reported targeting of voter registration systems as well as an extensive phishing scheme to hack election officials. A second story, published this week by Bloomberg, indicated that the hackers targeted voter registration systems in 39 states and had actually tried to delete or alter voter data in at least one state. They had also accessed the software used by poll workers to verify voters at the polls—the same kind of software that Lamb found on Georgia’s website.

The reports didn’t indicate whether Georgia was among the 39 targeted states, but several factors make Georgia an especially good candidate for hacking. Unlike other states, which use a patchwork of voting machine brands and models throughout their election districts—making it more difficult to affect a national election outcome—Georgia uses a uniform system statewide: touch-screen voting machines made by Premier Election Solutions (the company, formerly Diebold Election Systems, is now defunct). More than 27,000 of these years-old machines are used in the state, as are more than 6,000 ExpressPoll pollbooks, also made by Premier/Diebold. And unlike most other states that have a decentralized structure for managing elections—machines and ballots are prepared and managed by individual counties—Georgia’s reliance on the center to manage those responsibilities for counties makes it a bull’s-eye for someone wanting to disrupt elections in the state.

Despite these concerns, Fulton County Superior Court Judge Kimberly Esmond Adams ruled on Friday against the activists seeking an injunction, but she did so on a legal technicality—the activists brought the action against Georgia Secretary of State Brian Kemp and other election officials, but Georgia’s doctrine of sovereign immunity prevents such legal action against them. She also cited the lateness with which they brought the case—early voting for the June 20 runoff was already underway when the hearing began.

It’s unclear whether the secretary of state’s office was aware of the full extent of the breach before Politico contacted it this week, or whether it believed Lamb accessed only the voter registration database. The office declined to answer questions about the breach.

The security issues with the center came to light only in March—seven months after the initial intrusion—when news reports indicated, incorrectly, that a hacker had breached a server belonging to the center and “made off with millions of voter records.” It was Lamb—not a hacker. But he has never been identified until now, nor has the full extent of his breach been revealed.

After Lamb discovered the initial problems last August, he notified Merle King, executive director at the center, who thanked Lamb and said he would get the server fixed. It was months before the presidential election, and King pressed Lamb not to talk about the issue with anyone, especially the media.

“He said, It would be best if you were to drop this now,” Lamb recalls. King also said that if Lamb did talk, “the people downtown, the politicians … would crush” Lamb.

King did not respond to messages Politico left for him at the center or to email queries. The center kept the incident under wraps and never notified the secretary of state’s office, which oversees elections in the state and pays the center’s $750,000 annual budget.

Lamb thought the issue was fixed. But months later, in March 2017, a security colleague named Chris Grayson discovered that although the center had addressed the Drupal vulnerability for the encrypted https version of its website, the unencrypted http version was still vulnerable. Grayson could still access all the same files Lamb had downloaded months earlier. “It looks like it was just very poor administration,” says Grayson.

Grayson contacted a friend who teaches information security at Kennesaw State’s information systems department, who in turn contacted the campus’ chief information security officer at the University Information Technology Services (UITS) office at Kennesaw State, which oversees the university’s networks. News of the breach reached the secretary of state’s office, the governor’s office and the media. The FBI was called in to investigate to determine whether Lamb and Grayson—still unidentified in media reports—had committed a crime. The FBI determined they had not but told Lamb he should “probably just delete” the files he’d collected from the site, which he says he did.

But the incident exposed the fact that the center had been operating its networks outside the scope of both the university system and the secretary of state’s office for years, according to a March 1 preliminary analysis produced by UITS and obtained by Politico.

“Essentially, what that report is saying is that there was this rogue operation,” says someone familiar with the UITS analysis. “The Election Center was operating outside of [the university’s] processes, and they weren’t aligned with any larger security strategy.”

The UITS staff also discovered that although the center had separate public and private networks, there was a live network jack (going out to the public network) in the closet where the private network systems are kept, raising the possibility that workers could have, at some point, connected the private network systems to the internet. Workers had also installed their own wireless access point in the office—a possible point of entry into networks for attackers. Given all of these findings and the center’s lack of oversight before the breach, critics say it’s not clear that the center’s small staff, some of whom are non-technical students at the university, could be trusted to maintain the integrity of those separate networks.

“They’re asking us to take their word for it that they have very carefully isolated and carefully managed the private network, but where their practices are visible to us, they have not been careful,” says someone knowledgeable about the center and Georgia’s voting systems who asked not to be identified. He pointed to the GEMS database files that Lamb found on the unprotected server, which appear to be associated with specific primary and other elections last year in various counties. “[I]t’s hard to square the presence of these GEMS files on an internet-connected server with the claim that GEMS machines are never connected to the internet.”

King asserted in court documents submitted in the injunction case that the compromised web server was “not connected in any way to the internal private network or to any of the GEMS workstations” that are used to create ballot definition files for counties. He also wrote that the versions of GEMS and voting machine software used in counties were not on the server and were “never at risk during the unauthorized access.”

Georgia’s secretary of state’s office said in an email to Politico that the ballot definition files get distributed to counties on encrypted CDs via UPS, not via the center’s website. But even if the center creates these sensitive files only on computers not connected to the public internet, the center’s insecure website raises questions about whether staff have maintained proper separation between those networks since 2002, when the center was first established.

According to emails obtained by Politico, after the March breach, the center was forced to bring in outside security experts to assess its networks and advise it on secure firewall installation and network configuration. The report and emails don’t indicate, however, whether any in-depth forensic analysis was done to determine whether other intruders, aside from Lamb and Grayson, had breached the center’s network. It’s also unclear whether the center even had sufficient network logs to attempt a forensic investigation. In King’s court testimony, he said the web server that Lamb breached was taken out of service after the second breach and has not been used since.

The security lapses at the center are important not only for what they mean for the upcoming special election but also because the center is held up by the federal Election Assistance Commission as a model for election management and implementation of touch-screen voting systems. King and his staff train county election workers in Georgia and are often asked to speak to officials in other states and other countries.

King and other election officials in the state have staunchly defended their security practices for years, as well as the security of the Premier/Diebold machines, despite numerous reports from computer security experts citing significant security problems with the machines. In 2007, after noted computer security expert and Princeton University professor Ed Felten published a video showing how someone with physical access to the machines could introduce a virus into them, King dismissed Felten and other computer security experts as “theoretical scientists” in an interview with the Chronicle of Higher Education. Another worker at the center, Chris Ambrose, described as “one of Mr. King’s protégés,” called Felten, who more recently served as deputy U.S. chief technology office in the Obama administration, an “idiot.”

That aversion to security experts has extended to the secretary of state’s office. Last year, as concern about Russia disrupting the election rose, the Department of Homeland Security offered to help states lock down their election systems. Georgia was one of only two states that rejected the offer. “[B]ecause of the DNC getting hacked—they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Secretary of State Brian Kemp told Politico at the time. “And that’s just not—I mean, anything is possible, but it is not probable at all, the way our systems are set up.”

King has long insisted that the machines are secure because they and the GEMS tabulation computers are never connected to the internet and because officials perform tests before, during and after elections to ensure that they perform properly and that only certified software is installed on them.

But critics say the tests Georgia performs are inadequate and that the center has shown a pattern of security failures that can’t be dismissed. In addition to failing to install the 2-year-old patch on its server software, Georgia, testimony in the injunction hearing last week revealed, is still using a version of software on its touch-screen machines that was last certified in 2005. That voting software is running on the machines on top of a Windows operating system that is even older than this.

“They’re standing pat with whatever they were using 10 years ago even though the evidence that this is not a secure setup is continuing to pile up,” says the person knowledgeable about Georgia’s voting technology.

Someone who should be particularly concerned about the center's security lapses and the use of the touch-screen machines in the upcoming election is Handel, the Republican vying for the 6th Congressional District seat. In 2006, when Handel ran for secretary of state of Georgia, she made the security of the state's voting systems one of her campaign issues. After her win, she ordered a security review of the systems and the procedures for using them.

Experts at Georgia Tech conducted the review and found a number of security concerns, which they discussed in a report submitted to Handel. But, oddly, they were prohibited from examining the center’s network or reviewing its security procedures. Richard DeMillo, who was dean of computing at Georgia Tech at the time and led the review, told Politico he and his team argued with officials from the center in Handel’s office, but they were adamant that its procedures and networks would not be included in the review.

“I thought it was very strange,” says DeMillo. “It was kind of a contentious meeting. The Kennesaw people just stamped their foot and said ‘Over our dead body.’”

Although Handel could have insisted that the center’s network be included in the security review, she didn’t. But when DeMillo’s team submitted a draft of their report, he says she sent it back instructing them to add a caveat about the center’s absence from the review. It reads: “The Election Center at Kennesaw State University fills a key role in Georgia’s statewide election procedures, which makes it a potential target of a systematic attack. We did not have sufficient information to evaluate the security safeguards protecting against a centralized compromise at the state level.”

But once they delivered the finished report to Handel, DeMillo says, “We never heard anything more about it.” It’s not clear whether Handel’s office acted on recommendations made in the report. (Handel’s campaign office did not respond to a call for comment.)

The activists who sought the injunction for the runoff aren’t giving up, and they say there are signs that the judge was sympathetic to their case despite the legal constraints that forced her to rule against them.

“We were not able to overcome some of the technicalities to be able to put all our evidence in front of the court,” says Marks. “We want the chance to demonstrate to the court that the system is exposed to the internet through numerous components, and must be presumed to be unsafe.”