Hackers Break Into Our Voting Machines

The Daily Escape:

London, England

Nobody knows whether the Russians hacked the 2016 presidential election. There does seem to be broad agreement that no foreign power was able to change the actual vote totals: the US has 192,480 precincts and uses so many different vote collection and vote processing technologies that hacking them would be very difficult.

Over the weekend at Def Con, a convention of hackers held in Las Vegas, hackers managed to break into many different US electronic voting systems, taking control of some of them in less than 90 minutes. The hackers successfully broke in through the voting system hardware, or through wireless communication. From The Hill:

…[the hackers] at the annual DEF CON in Las Vegas were given physical voting machines and remote access…[and] within minutes, hackers exposed glaring physical and software vulnerabilities across multiple US voting machine companies’ products. Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities like Windows XP.

By the end of the weekend, every one of the 30 machines, including those used to tabulate votes and to check voters in when they go to the polls, had been hacked. The Telegraph reported that:

They purchased 30 different election machines from a US Government auction…

Who knew you can buy these voting machines at a US government auction? Is there a legitimate purpose for them after they’ve been decommissioned? Isn’t this a way for hackers to study the weaknesses in these machines, and maybe figure out a way to hack ones that are currently in use? This is where penetration testing becomes so important. Ethical hackers (penetration testers) carry out scans to filter out potentially exploitable vulnerabilities. They attempt to exploit the vulnerabilities in a system to determine whether it is possible to hack in to get unauthorized access. Find out more at https://www.synack.com/blog/penetration-testing-vs-vulnerability-scanning/. This could have been used with these decommissioned voting machines, although perhaps just not selling them would have been easier.

The idea that electronic voting machines could be hacked has been around for a while. Computer programmer Harri Hursti hacked into Diebold voting machines in 2005. That hack is now known as the “Hursti Hack”. Electronic voting machines require regular software security updates. Updates lead to a re-do of each state’s voting machine certification process, which can cost over $1 million to complete.

Gizmodo reports that even though the most recent election security standards were released in 2015, most states’ machines are only compliant with standards from 2002 because of the costs of updates. That cost breaks down to about $30-$40 per voter, and most states just don’t have the money.

OTOH, a hack of the last presidential election would have only needed to change the votes in three states (Wisconsin, Michigan, and Pennsylvania) to be successful in changing the result. And the absolute margin of victory in each of those states was small enough that it could have been accomplished without accessing all polling places. Still, no credible group is saying hacking on that scale occurred in 2016.

It is glib to suggest that the answer is to use paper ballots. With upwards of 150 million votes to count, that would require a huge number of volunteers. It also raises the question of what method of “auditing” the count will be used, and who will perform it.

If we persist in electronic voting, those states would need to adopt a comprehensive sampling methodology for the machines before results can be certified. This would mean that we simply can’t accept using machines that don’t provide a paper trail, or a way to audit their vote tally.

We need to remember that we call the winners based on initial uncertified vote tallies. Before we know it, someone has conceded while we’re still counting votes. Hillary Clinton’s popular vote margin grew for about a month after the 2016 election as more and more votes were counted, even though it had no bearing on the Electoral College.

For the presidency, the federal government could specify that states that can’t certify their results up to a pre-set federal standard of accuracy, using a pre-set methodology, wouldn’t be allowed to cast votes in the Electoral College. This would pressure the states to put in better protections against hacking.

Finally, the federal government should pay for any required upgrades.

Continuing Wrongo’s tour of music by old guys, here is “Why Worry” from a 1986 PBS recording by Chet Atkins, the Everly Brothers, Mark Knopfler, and Michael McDonald. This song was written by Mark Knopfler for The Everly Brothers, and it beautifully demonstrates their unique harmony:

https://www.youtube.com/watch?v=CkFcQRiFL68

Those who read the Wrongologist in email can view the video here.
