While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation’s vulnerable election infrastructure. New research, though, shows they haven’t done nearly enough, particularly when it comes to voting machines.
The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference’s Voting Village event. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections, including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades.
“We didn’t discover a lot of new vulnerabilities,” says Matt Blaze, a computer science professor at the University of Pennsylvania and one of the organizers of the Voting Village, who has been analyzing voting machine security for more than 10 years. “What we discovered was vulnerabilities that we know about are easy to find, easy to reengineer, and have not been fixed over the course of more than a decade of knowing about them. And to me that is both the unsurprising and terribly disturbing lesson that came out of the Voting Village.”
Many of the weaknesses Voting Village participants found were frustratingly basic, underscoring the need for a reckoning with manufacturers. One device, the “ExpressPoll-5000,” has root password of “password.” The administrator password is “pasta.”
Like many of the vulnerabilities detailed in the report, that knowledge could only be used in an attack if perpetrators had physical access to the machines. And even the remotely exploitable bugs would be difficult—though certainly not impossible—to leverage in practice. Additionally, election security researchers emphasize that the efforts of countries like Russia are more likely to focus on disinformation and weaponized leaks than on actively changing votes. Those turn out to be more efficient ways to rattle a democracy.
But nation states actors aren’t the only people who might be tempted to hack the vote. And a detailed accounting of just how bad voting machine security also underpins a number of broader election security discussions. Namely, state and local election officials need funding to replace outdated equipment and employ specialized IT staff that can update and maintain devices. Voting machines also need stronger security to protect against criminal activities. And election officials need failsafes for voting machines in general, so that a glitch or technical failure doesn’t derail an election in itself.
“For those of us who have followed the state of our nation’s election infrastructure, none of this is new information,” Representatives Robert Brady of Pennsylvania, and Bennie Thompson of Mississippi, co-chairs of the Congressional Task Force on Election Security, said in a statement on Thursday. “We have known for years that our nation’s voting systems are vulnerable.”
Analyzing voting machines for flaws raises another important controversy about the role of vendors in improving device security. Many of the machines participants analyzed during the Voting Village run software written in the early 2000s, or even the 1990s. Some vulnerabilities detailed in the report were disclosed years ago and still haven’t been resolved. In particular, one ballot counter made by Election Systems & Software, the Model 650, has a flaw in its update architecture first documented in 2007 that persists. Voting Village participants also found a network vulnerability in the same device—which 26 states and the District of Columbia all currently use. ES&S stopped manufacturing the Model 650 in 2008, and notes that “the base-level security protections on the M650 are not as advanced as the security protections that exist on the voting machines ES&S manufactures today.” The company still sells the decade-old device, though.
“At its core, a voting machine is a computer which can be compromised by skilled hackers who have full access and unlimited time,” the company said in a statement. “While there’s no evidence that any vote in a US election has ever been compromised by a cybersecurity breach, ES&S agrees the cybersecurity of the nation’s voting systems can and should be improved.”
Congress has worked recently to investigate voting machine vendor accountability, but progress has been slow. In July, for example, only one of the three top vendors sent a representative to a Senate Rules Committee election security hearing, prompting an outcry from lawmakers.
“This report underscores that when you’re using technology there can be a variety of problems, and with something as important as election results you want to get it right,” says David Becker, executive director of the Center for Election Innovation and Research. “The question I hear from the states and counties, though, is just ‘how are we going to pay for it?’ They would love to have skilled IT staff, they would love to hold trainings for their workers, they would love to replace their old equipment. But you can’t just wave a magic wand and do that, you need significant funding.”
Elections officials have made significant progress on improving election infrastructure defenses and establishing channels for information-sharing, but as the midterm elections loom, replacing vulnerable voting machines—and finding the funding to do it—remain troublingly unfinished business.