- Author: Lily Hay Newman
Voting Machines Are Still Absurdly Vulnerable to Attacks
While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation's vulnerable election infrastructure. New research, though, shows they haven't done nearly enough, particularly when it comes to voting machines.
The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference's Voting Village event. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections, including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades.
"We didn't discover a lot of new vulnerabilities," says Matt Blaze, a computer science professor at the University of Pennsylvania and one of the organizers of the Voting Village, who has been analyzing voting machine security for more than 10 years. "What we discovered was vulnerabilities that we know about are easy to find, easy to reengineer, and have not been fixed over the course of more than a decade of knowing about them. And to me that is both the unsurprising and terribly disturbing lesson that came out of the Voting Village."
Many of the weaknesses Voting Village participants found were frustratingly basic, underscoring the need for a reckoning with manufacturers. One device, the "ExpressPoll-5000," has a root password of "password." The administrator password is "pasta."
Like many of the vulnerabilities detailed in the report, that knowledge could only be used in an attack if perpetrators had physical access to the machines. And even the remotely exploitable bugs would be difficult—though certainly not impossible—to leverage in practice. Additionally, election security researchers emphasize that the efforts of countries like Russia are more likely to focus on disinformation and weaponized leaks than on actively changing votes. Those turn out to be more efficient ways to rattle a democracy.
But nation-state actors aren't the only people who might be tempted to hack the vote. And a detailed accounting of just how bad voting machine security is also underpins a number of broader election security discussions. Namely, state and local election officials need funding to replace outdated equipment and employ specialized IT staff that can update and maintain devices. Voting machines also need stronger security to protect against criminal activities. And election officials need failsafes for voting machines in general, so that a glitch or technical failure doesn't derail an election in itself.
"For those of us who have followed the state of our nation’s election infrastructure, none of this is new information," Representatives Robert Brady of Pennsylvania, and Bennie Thompson of Mississippi, co-chairs of the Congressional Task Force on Election Security, said in a statement on Thursday. "We have known for years that our nation’s voting systems are vulnerable."
Analyzing voting machines for flaws raises another important controversy about the role of vendors in improving device security. Many of the machines participants analyzed during the Voting Village run software written in the early 2000s, or even the 1990s. Some vulnerabilities detailed in the report were disclosed years ago and still haven't been resolved. In particular, one ballot counter made by Election Systems & Software, the Model 650, has a flaw in its update architecture first documented in 2007 that persists. Voting Village participants also found a network vulnerability in the same device—which 26 states and the District of Columbia all currently use. ES&S stopped manufacturing the Model 650 in 2008, and notes that "the base-level security protections on the M650 are not as advanced as the security protections that exist on the voting machines ES&S manufactures today." The company still sells the decade-old device, though.
"At its core, a voting machine is a computer which can be compromised by skilled hackers who have full access and unlimited time," the company said in a statement. "While there’s no evidence that any vote in a US election has ever been compromised by a cybersecurity breach, ES&S agrees the cybersecurity of the nation’s voting systems can and should be improved."
Congress has worked recently to investigate voting machine vendor accountability, but progress has been slow. In July, for example, only one of the three top vendors sent a representative to a Senate Rules Committee election security hearing, prompting an outcry from lawmakers.
"This report underscores that when you’re using technology there can be a variety of problems, and with something as important as election results you want to get it right," says David Becker, executive director of the Center for Election Innovation and Research. "The question I hear from the states and counties, though, is just 'how are we going to pay for it?' They would love to have skilled IT staff, they would love to hold trainings for their workers, they would love to replace their old equipment. But you can’t just wave a magic wand and do that, you need significant funding."
Election officials have made significant progress on improving election infrastructure defenses and establishing channels for information-sharing, but as the midterm elections loom, replacing vulnerable voting machines—and finding the funding to do it—remain troublingly unfinished business.