Air gapping voting machines isn’t enough, says one election security expert
The safeguards that election officials say protect voting machines from being hacked are not as effective as advertised, a leading election security expert says.
U.S. elections, including national ones, are run by state and local offices. While that decentralization could serve an argument that elections are difficult to hack, University of Michigan Professor J. Alex Halderman says that it’s more like a double-edged sword.
Speaking to an audience of students and faculty at the University of Maryland’s engineering school on Monday, Halderman said that the U.S. is unique in how elections are localized. States and counties choose the technology used to run federal elections.
“Each state state running its own independent election system in many cases does provide a kind of defense. And that defense is that there is no single point nationally that you can try to attack or hack into in order to change the national results,” Halderman said.
But since national elections often hinge on swing states like, Virginia, Ohio or Pennsylvania, attackers can look for vulnerabilities where they would count.
“An adversary could probe the election systems in all the close states, look for the ones that have the biggest weaknesses and strike there, and thereby flip a few of those swing states,” Halderman said.
In 2017, the Department of Homeland Security notified 21 states that Russian hackers had probed some aspect of their election infrastructure — in most cases the voter registration systems — for vulnerabilities. In a handful of states, hackers actually penetrated the systems. But officials say that there’s no evidence any data was changed or that voting machines were targeted.
Voting machines are not supposed to be connected to the internet, providing an air gap between the machines and hackers. Halderman said that that practice is good, but explained that there are other ways machines can be hacked.
“This is something that election officials really, really, really like to tell you,” Halderman said. “And thank goodness that’s true. It would be really dumb if we plugged our voting machines directly into the internet and gave them public IP addresses.”
But voting machines do need to be programmed with new ballots for each new election. In many cases that process is done using external memory cards processed on a separate computer, sometimes by an outsourced third party. A determined attacker could spearphish the individuals responsible for programming the ballots and infect their devices with malware that could change vote counts, thus leaping across the air gap, Halderman explained.
Halderman said there’s little visibility into how officials or third parties manage the ballot programming process and whether they use cybersecurity best practices, such as air gapping.
“I should certainly hope that they do, but there’s no way to confirm that,” he said.
As part of his talk, Halderman planned to demonstrate how a voting machine could be compromised, but the machine he planned to use was damaged in transit and inoperable. The machine he planned to use is the AccuVote TSx, which was made by Premier Election Solutions and sold by Dominion Voting Systems.
In a recent New York Times video, Halderman hacked the same model to rig a mock election at the University of Michigan, in which students voted to decide whether their school was better than their rival, Ohio State University.
In the 2016 presidential election, the TSx and similar model, the TS, were used by counties and jurisdictions in 21 states, according to Verified Voting, a nonprofit that advocates for voting accuracy and transparency. Halderman said he and other researchers have have found security vulnerabilities in numerous other machines made by different manufacturers.
Versions of the AccuVote exist that do not produce a paper ballot for the voter to see and for officials to store. Experts and election security advocates, including Halderman, say that without a paper record for each vote, there’s no way to recover if vote totals are tampered with.
Amid the national alarm over the threat of election hacking, officials in several states have taken steps toward replacing paperless machines.
In a fiscal 2018 spending bill passed last month, Congress authorized $380 million in federal funding for states to improve the administration of elections and enhance election security. The Election Assistance Commission is starting to dole out the funds using a population-based formula, which Halderman says spreads the money too thin. The EAC also does not attach requirement for how the funding should be used.
“States could theoretically use this money to buy bad stuff or waste most of the money,” Halderman said.
A bipartisan group on the Senate Intelligence Committee is pushing the Secure Elections Act, which would provide additional funding that is conditional upon states using it to replace paperless machines and conduct risk-limiting audits, whereby a certain fraction of ballots is counted by hand to achieve a statistical degree of certainty that vote counts are accurate.
“This is a really strong bill and would go a long way toward fixing the problem,” Halderman said.