Attack on Commonly Used Voting Machine Could Tip an Election, Researchers Find

By Tim Starks, Politico

28 September 18

malicious hacker could alter the outcome of a U.S. presidential election by taking advantage of numerous flaws in one model of vote-tabulating machine used in 26 states, cybersecurity experts warned in a report presented Thursday at the Capitol.

The report is the latest in a series of alerts by security researchers about weaknesses in U.S. voting infrastructure, amid continuing concern by lawmakers and intelligence officials about alleged Russian attempts to manipulate the upcoming midterm elections.

Voting machine vendors and state election officials have often dismissed such warnings as alarmist, saying they don’t reflect the real-world obstacles to altering vote tallies from tens of thousands of machines on Election Day without being detected.

But the newest findings show that long-ignored vulnerabilities in commonly used voting equipment could allow intruders to at least throw the outcome of a national election into doubt, according to the report from cybersecurity experts including Jake Braun, a University of Chicago professor who served as the White House liaison to the Department of Homeland Security during the Obama administration, and Matt Blaze, a noted University of Pennsylvania cryptographer.

Braun and Blaze were among the organizers of the Voting Village at this year's DEF CON cybersecurity conference, where security researchers had the opportunity to test voting machines still in use across the country. The report is a result of of that work.

"The biggest flaw in the process we found is, even when we identify flaws, they don't get fixed," said Braun today on Capitol Hill.

The report says an attacker could remotely gain access to the Model 650 tabulating machine manufactured by Election Systems and Software, one of the country's largest sellers of voting equipment, by exploiting numerous vulnerabilities in the unit. Researchers also said this model has an unpatched vulnerability that the manufacturer was notified about a decade ago.

In a response to the DEF CON report sent to POLITICO, ES&S said it takes cybersecurity concerns seriously, but the researchers' work isn't a realistic example of current threats.

"The report validates that any type of technology can be exploited under conditions where it is made accessible with zero controls, which is not the case in an election," the company said. "Regarding the M650, ES&S first manufactured the M650 — which is a paper-based system — in 1999 and discontinued manufacture of those units in early 2008."

The company admits the unit's security protections aren't as advanced as those on more current machines, but that it believes "the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment and, therefore, safe and secure to use in an election."

Yet, the problems in that system raise new alarms for the DEF CON organizers. Over several days in August, participants discovered dozens of new vulnerabilities, including one that allowed hackers to gain physical access to a machine used in 18 states in just two minutes — less time than most people take to vote.

The event organizers said the Model 650 vote-tabulation vulnerabilities are especially problematic because states use the machines to processes ballots for entire counties. "[H]acking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election," the report says.

Law enforcement and intelligence officials have repeatedly said they see no evidence that Russian operatives compromised the actual vote count in 2016, despite what they call an extensive Kremlin-backed influence campaign that included cyberattacks on state voter databases and the theft of Democratic Party emails.

Still, election integrity advocates and many cybersecurity experts have long warned about the possibility of digital saboteurs tampering with voting machines.

"For the U.S. election system, the challenges at hand are much larger than just software bugs: There are fundamental design issues to sort out and fix," said Harri Hursti, a cofounder of the village. "The innovation inherent in this kind of exercise can be of immeasurable impact.”

DEF CON did not notify vendors of the flaws they discovered in advance of the report's release, citing legal threats from ES&S. The company has taken issues with the DEF CON organizers about unauthorized access of its machines.

The National Association of Secretaries of State has also taken issues with the DEF CON experiments, saying they don't reflect accurate Election Day scenarios.

But despite the controversial nature of the DEF CON experiments, it has the backing of many lawmakers and state officials.

"It should not be necessary for us to gather here today make this election system secure," Rep. Jackie Speier (D-Calif.) said at a news conference announcing the report. "It should be a given."

With the release of the report, DEF CON is urging Congress to codify minimum standards and send money to states to help them implement them.

It also includes a first-of-its-kind crisis communications plan for states whose vote results-reporting websites are knocked down, identified in the report as the most vulnerable piece of the election infrastructure.

"Given the scope of vulnerabilities inherent in the U.S. election system, it is vital that state and local election officials not only seek to prevent cyber attacks on their systems, but also plan how best to recover from an attack," the report states.