This is a multi-part investigation into the security of American elections. Readers should know my voting registration is “no party preference.” I do not and have not voted for Democrats or Republicans at any level of local, state, or federal government. I vote only for Green Party and independent candidates.
My interest in promoting election security should not be mistaken for an argument Trump lost the 2020 election due to a rigged vote. I do not know whether the 2020 election result was fraudulent or not. I do know, however, that U.S. elections are not as secure as they should be, as this investigation will show.
See Part 1: History of the election services market.
Unbeknownst to many voters, cybersecurity experts have dedicated decades of their careers to legally exposing vulnerabilities in voting machines. Their track record of successfully hacking voting machines to flip votes in mock elections makes clear that the academic and technical basis for concerns over voting machines is well founded. The following is a summary of some of the expert opinion evidencing that many kinds of voting machines were unfit for purpose, despite being widely used in real U.S. elections.
University of Michigan’s Professor J. Alex Halderman
Internet Voting Systems
Professor of Computer Science and Engineering at the University of Michigan J. Alex Halderman is one of the foremost cybersecurity experts in the United States on electronic voting machines and internet voting systems. In his 2010 testimony to the D.C. Board of Elections and Ethics, Halderman describes how he and his students hacked an internet voting system to alter votes. The hacking served as an authorized penetration test of a pilot system whereby voters cast their ballots through the internet. The issue is whether “electronic return” of ballots through the internet is secure.
Within 36 hours of the system going live, my team had found and exploited a vulnerability that gave us essentially total control of the voting system software. This included the ability to change votes and to reveal voters’ secret ballots. This problem, known technically as a shell injection vulnerability, has to do with the ballot upload procedure in the system. In effect, it allowed us to remotely log into the server as a privileged user. BOEE [the D.C. Board of Elections and Ethics] launched the test bed on Tuesday 28th and, on Wednesday afternoon, we began to exploit this vulnerability to perform a number of demonstration attacks. We did several things. We collected data stored on the server including crucial secrets, such as the database username and password, as well as the key the system used to encrypt ballots for privacy. We modified all the ballots stored on the system that had already been cast by voters. And we changed the votes so that the votes would be counted for candidates we selected. Mostly they were evil science fiction robots. We also rigged the system to replace any future ballots that were cast in just the same way. We installed a backdoor that let us view how voters voted, together with their names, violating the secrecy of the ballot. And to show that we had control of the server, we left a calling card, if you will — this was on the confirmation screen that voters get to see after they vote — after 15 seconds that screen would start playing music: the University of Michigan fight song. This was my students’ idea.
[ ]
We were looking at this exercise as a healthy kind of back and forth between us and the BOEE’s administrators because this is the kind of — this kind of intrusion is something they would face in a real attack if the system went live, and we wanted to give them experience with it. Clearly, stealthiness was not our main objective, otherwise we wouldn’t have played the fight song. Nevertheless, we didn’t immediately announce what we had done. We wanted them to have a chance to exercise — the administrators — to have a chance to exercise their attack detection and recovery procedures, which are an essential part of any online voting system. But, still, the attack remained active for two business days on the site, from overnight on Wednesday until Friday afternoon, when BOEE elections took down the test bed server after several testers pointed out the fight song was playing. [A] real attack might be completely invisible and could have gone on undetected much, much longer. In fact, other attacks did go undetected. I know this because my team conducted one of them. Since the beginning of the test, my team has been monitoring and controlling routers and switches that are connected to the BOEE pilot network. These are critical pieces of the network infrastructure. We gained access to this equipment because the network administrators who set it up left a default master password unchanged. This password we were able to look up in the owner’s manual for the piece of equipment. And once we did, we found that it was only a four-letter password. [O]nce we gained control of this equipment, we could watch in real-time on my desktop in Michigan as the network operators configured and tested the equipment. We could also watch them on camera because we found a pair of security cameras that were in the data center, were in the same network as the pilot system, and were publicly accessible with no password at all.
Halderman’s testimony continues.
One of the files [ ] was a 937-page .pdf document. It appears to be the 937 invitation letters BOEE sent to registered voters. Each page contains the name and voter ID number of a real voter, along with the 16-character PIN that is the only password a voter needs in order to use the system in a real election. We examined the file metadata. The author is [name of BOEE official]. It appears that this may be the real thing. We found the document on the test bed server, a system that BOEE invited the world to break into, and that we showed could be broken into very easily. We have no way of knowing who else has access to this. The PINs in this document are the most critical secret to protect in the whole voting system. If digital ballot return were still in use, a criminal could use them to vote in the name of every single voter and keep the real voters from voting. [M]y question is: why was this file on the testbed system? This isn’t the sort of thing you would actually need to use to test this feature[.] I’m just deeply concerned that BOEE does not take security seriously and that it fails to appreciate the security challenges that are faced by any internet voting system.
Councilmember Mary Cheh then asks, “You’re saying that, right now [in 2010], we do not have the capacity — under any circumstances — to have secure internet voting.” Halderman responds, “This is a technical problem we do not yet know how to solve[.]” Halderman goes on to explain that the government’s most sensitive secrets are kept on computers not connected to the internet.
Thanks to Halderman’s and his colleagues’ presentation to the BOEE, D.C. decided not to use an internet voting system.
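Halderman’s testimony says only that the flaw was a shell injection in the ballot upload procedure; no code from the pilot is on the page. The following is an added illustration, not code from the D.C. system or from Halderman’s team, of how that class of bug arises and how it is closed. It assumes, for the sake of the example, that the upload handler passed the uploaded file’s name into a command line run by a shell; the `encrypt-ballot` command, the allow-list pattern and the sample file names are all constructed here. The weak builder is shown beside the hardened one and is never executed.

```python
import re
import shlex
import uuid
from pathlib import Path

# Assumption (not stated on the page): the pilot's upload step handed the
# uploaded ballot file's name to an external command that ran through a shell.
# That pattern is the textbook origin of a shell injection, so it is used here
# to contrast the weak design with a hardened one. All names are constructed.

# Allow-list for client-supplied file names: letters, digits, '_' and '-',
# then a single .pdf extension. Anything else is rejected outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")

# Characters a POSIX shell would interpret if they reached it unquoted.
SHELL_META = set(";|&$`<>(){}'\"\\ \n*?")


def build_command_unsafe(upload_name: str) -> str:
    """Vulnerable pattern: a command line assembled by string concatenation and
    meant for os.system() or subprocess with shell=True. It is returned as a
    string and never executed here; any metacharacter in upload_name would
    reach the shell verbatim and be parsed as part of the command."""
    return "encrypt-ballot --in " + upload_name + " --out " + upload_name + ".enc"


def untrusted_metacharacters(upload_name: str) -> set:
    """Detection hook: the shell metacharacters a client-supplied name carries.
    Logging a non-empty result on an upload endpoint is a cheap tripwire."""
    return {c for c in upload_name if c in SHELL_META}


def is_accepted(upload_name: str) -> bool:
    """Hardened check 1: validate the client name against the allow-list."""
    return SAFE_NAME.match(upload_name) is not None


def build_command_safe(upload_name: str, storage_dir: str) -> list:
    """Hardened pattern: reject anything outside the allow-list, store the file
    under a server-generated name so the client never chooses a path, and
    return an argv list for subprocess.run(argv, shell=False), which no shell
    parses. Building the argument list is the point; the caller runs it."""
    if not is_accepted(upload_name):
        raise ValueError(f"rejected upload name: {upload_name!r}")
    server_path = Path(storage_dir) / f"{uuid.uuid4().hex}.pdf"
    return ["encrypt-ballot", "--in", str(server_path), "--out", f"{server_path}.enc"]


def as_shell_string(argv: list) -> str:
    """If a shell is unavoidable (for example a wrapper script), shlex.join
    quotes every argument so metacharacters are passed as literal text."""
    return shlex.join(argv)
```

The two builders differ in who gets to decide what the command means: in the unsafe version the uploader does, because the shell re-parses the client’s file name; in the safe version the server does, because the name is validated, replaced with a random one, and handed to the process as a separate argument.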
Keeping with the topic of internet voting, Halderman gave a talk at USENIX (The Advanced Computing Systems Association) in 2016. As Halderman observes, “Protecting [ballot secrecy] from the operators of the system is really important in voting because we also have this situation where we really don’t have any trusted parties. In an election for a high stakes public office, try to find me a person or an organization that doesn’t have a strong interest in the outcome.” (At 1m32s, below.)
We’ve seen over the past 15 years or so many instances where security researchers have gotten their hands on voting machines used in practice and found some problems. And those problems stem from the fact that an electronic voting machine you might see in a polling place [ ] under the surface is really a lot like [a normal computer]. E-voting security, from a systems perspective, imports almost all of the problems of systems security more broadly.
[ ]
[We can] exploit the power of computing to make a new kind of attack, something that wasn’t possible in traditional elections, which is that we could make a vote-stealing virus that would spread from machine to machine in the course of a normal election cycle and let us compromise the outcome in an entire state, just from one infected machine.
[ ]
Today, new attacks against polling place electronic voting machines are practically assumed by anyone with a computer security background, so it’s really not interesting as research to show yet another one of these is broken.
[ ]
You have to think about server-side threats to internet voting because your server must be online to let people vote. So if it’s subject to denial of service [attacks] during the limited election period, to people hacking in or insiders manipulating it, or even, thinking about the stakes of a major election, the incentive for state-sponsored attackers to compromise the election, change the results of a rival country’s election for national leadership, are so high, that we really need to think about internet voting systems as a critical infrastructure that needs to be protected from state level attackers.
And then on the client-side of internet voting, things look pretty grim there too, because you’re thinking about voters casting votes from their untrusted devices. And they are going to fall for all the same attacks as users do today: phishing, to decoy websites that claim the real election, to malware on their clients, and we know that an enormous fraction of clients already have malware.
Halderman then goes on to explain his and his students’ hack of the 2010 D.C. internet voting system in more detail. (At 9m0s.)
Electronic Voting Machines
Direct-Recording Electronic (“DRE”) Voting Machines
The first video on YouTube of Professor Halderman is a 2010 clip of him playing Pac-Man on a Sequoia AVC Edge DRE voting machine, which was used in the 2008 election in jurisdictions covering 9 million American voters. The video is on Halderman’s YouTube channel, suggesting he wrote or approved the written description of the video. The video description claims, “Alex Halderman and Ari Feldman replaced the voting software with Pac-Man. They did this in three afternoons, without breaking tamper-evident seals. It would be easy to modify the software to steal votes, but that’s been done before, and Pac-Man is more fun.”
Halderman spoke again about security problems with internet voting and electronic voting machines in 2012. He notes, “[In 2006], we acquired the [voting] machine under very interesting circumstances because Diebold has a long history of secrecy, trying to avoid public scrutiny of their technology.” (At 2m25s, below.) (Recall from Part I that a convicted hacker, Jeffrey Dean, designed Diebold’s General Election Management System.) Halderman claims, “[W]e were given a machine by an anonymous source.” Halderman recounts the story of going to pick up the voting machine in an alley behind Times Square from a man in a black trench coat. Halderman’s analysis of the Diebold AccuVote-TS machine, which, at the time, was the most widely used machine in U.S. elections, showed a solitary machine could be hacked within a minute to install software capable of altering the results of an election across an entire state.
We took it apart and reverse engineered it and found out how it worked and how the software worked. And after we had done that it was pretty clear it had some undesirable security properties. [W]hat we did at the end of the day was we produced a demonstration of what an attacker could do. [W]e had a mock election: George Washington v. Benedict Arnold. And in our mock election we have, say, five votes for George Washington, because who would vote for Benedict Arnold. But then we pressed the total button at the end of the day, had the machine print out the results, and here is what it would print: “Benedict Arnold wins by one vote.” And that’s because we figured out it was very easy for malicious software, if installed on the machine, to affect the outcome of the election. And this is the software we produced; you can just use the touchscreen to choose the election outcome. All the records of the election are stored in the machine’s memory and tamperable by software. It would take less than a minute of access to the machine or its memory card to install software like this — just put a memory card in the slot and you’re done. And, furthermore, we found that we could create a voting machine virus that would spread from machine to machine during normal election activities and change votes in all the machines in an entire state. This is scary stuff.
But it’s not just one vendor’s machine. In later studies, like the California top-to-bottom review, where academics were invited to examine the source code to all of the voting machines used in California, we found that every single one of the touchscreen voting machines had similar kinds of problems to this, that the votes could be tampered with, that the election outcome could potentially be changed by malicious software.
According to Halderman, in response to criticism of the AccuVote-TS machine’s source code from Aviel Rubin, Professor of Computer Science at Johns Hopkins University, Diebold evaded and suppressed the issue of vulnerabilities in its system. (At 2m45s, below.) (As we will see in Part III, which will examine evidence of fraud and vulnerabilities in foreign elections, suppression of independent penetration testing and blanket denials that the machines are perfectly secure are standard responses when experts seek to examine, and in fact find, vulnerabilities in election systems.)
Avi’s paper came out pointing out that the source code had lots and lots of vulnerabilities. The Diebold company responded largely by saying that, ‘Oh, this is not current source code. The problems have been fixed. The real machines do not have these vulnerabilities. You don’t have a real machine so you can’t speak authoritatively about it.’ At the same time, the company tried extremely hard to prevent anyone who was going to do an independent study, that wasn’t either going to be under non-disclosure agreement or otherwise withheld from the public, from gaining access to one of these machines to study.
Halderman continues by explaining how his team hacked the Diebold machine in more detail. (7m49s, below.)
[The software we installed on the machine] modifies all the records of the vote. There are two copies that are stored, one on internal flash memory, one on the compact flash card, and then there is an audit log. We can alter all of these seamlessly while the election is running.
[ ]
Avi mentioned in his talk the possibility of vote-stealing viruses. Well, in our work with the Diebold machine, we demonstrated the world’s first, that we know of, vote-stealing virus. And these machines are not networked, so if you’re going to engineer a virus, you have to have some other mechanism for it to spread. What we came up with was piggy-backing on these memory cards. So we found a way that a memory card, inserted into the machine when the machine was turned on, could use a backdoor that was already present for software update purposes, to change the voting machine software. So our virus, once a machine is infected, will put that kind of update package onto the memory card. And if that memory card is then loaded into the next machine, in order to copy out the votes from there after the election, it will infect that next machine in the process. In this way, in the course of an election cycle or two, we can go from one infected machine, to having infected every voting machine in the whole county or even the whole state, depending on how they are interoperating. By the way, these are the same machines you are using in Maryland right now [in 2013], with essentially the same software, with very, very minor alterations since that time but . . . alright . . . .
[T]here’s one more thing: so Diebold wasn’t completely without any protections on the machine. And one thing they argued after Avi’s work on the source code, was that, ‘Well, you don’t know about the physical protections.’ Since we had a machine, we wanted to look at the physical protections too. And there was one physical protection that might make a difference, which is, to get to that memory card, you had to open this locked door on the side of the machine. [T]he locked door has a few problems with its design. The first problem is that all the voting machines, the Diebold AccuVote-TS machines in the world, use the same key, including all the machines in Maryland, all the machines in Georgia. Okay, so you steal one [key], you can break into any of those machines.
Problem number two is that it’s really easy to pick. It takes me maybe 10 seconds with a set of picks. I’ve taught many, many students how to do it in about 30 seconds with paperclips. [T]his is not a high-security lock. But there was another problem, a more severe problem than that. [T]his machine, if you look at the normal key that comes with the machine, you’ll see there is a number printed on it. [W]e googled that number just out of curiosity. And what we found was that the very same key that opens the Diebold’s machines is widely available for sale online, not for voting machines, but for things like jukeboxes and hotel mini-bars. This is a standard key for applications like that. [W]e bought one. I have one on my keychain to this day[.]
But it gets worse. If you go to Diebold’s website, they have this online catalogue, where you can buy parts for the voting machine, and one of the parts listed is the key. But wait, wait, wait, wait, I have to give them a little bit of credit: they wouldn’t sell you the key, unless you were already a voting machine customer, and they were only selling [the machines] to municipalities. But they had this nice, high-resolution picture in the catalogue. I had to add those black bars [obscuring the grooves on the key in the photo] myself. Someone who was reading our blog, where we were talking about voting machine issues, went out to a hardware store and bought a similar shaped, blank key, and filed it down until the shape of the key matched the high-resolution image of the cut that is on this picture[.] He sent us those keys and they opened the real voting machine. The picture of the key contained the only secret necessary to open any of the voting machines, and Diebold was giving that out on their own website.
[W]hat do we learn from this? We know in security that we want defense in depth whenever possible; we want the attacker to have to breach multiple layers of defense before he can accomplish his goals. The Diebold machine, we see failure in depth: many, many independent routes to break the system, any of which would have been sufficient. And I think this key is a great metaphor for the whole design and implementation of the platform. Almost everywhere you might have looked and asked, ‘Did they get something wrong here?’ Unfortunately, we found a big hole.
As Halderman observed in 2017, “Unfortunately, there is so much political noise surrounding the question of election security.” (At 2m45s, below.) Halderman says the politicization of the issue is “really unfortunate because there are some absolutely dire problems that we need to address looking into the future to make sure our elections really are things that people can have confidence in and that they are free from any kind of computer-based attacks and interference.”
I and colleagues in the computer security area have been able to get ahold of many of the different kinds of voting machines used throughout the country. And in every case where a U.S. voting machine has been brought into a security laboratory and tested in a realistic way by experts, what we’ve found is just that the machines are vulnerable to all different kinds — many different kinds — of exploits; that it would be possible for someone to introduce malicious computer software into election machines and change the results.
[ ]
As a result of that, essentially, national embarrassment [of the 2000 hanging chad debacle], Congress allocated a large amount of money [about $1 billion] to the states to upgrade their technologies. Unfortunately, there weren’t good standards in place, so many states bought into computer voting machines that had gaping security holes, couldn’t possibly be made secure, and the states since that time, most states, have not upgraded their technology substantially. The main change has been that, in the early 2000s, most votes were recorded on purely paperless touch-screen machines. But over the last 10 years, because of research into the vulnerabilities of those systems, today [in 2017] we’ve gotten up to about 70 percent of votes are recorded in some way on a paper record that is going to be out of reach of computer hackers. And that is just an essential kind of security failsafe, having some kind of mechanism that can’t be changed by malware on a voting machine. Those records, as long as we check them to make sure the computers are being honest, should provide a good defense against all different modes of hacking.
Just to think about the ways that voting machines are used in a typical election, the good thing is, the advantage is, that a machine is not going to be directly connected to a network during voting. That provides a nice amount of isolation. But when you think the way an attacker would actually target U.S. elections, they don’t necessarily need to hack the machine during the time the votes are being accounted. There are actually ways to introduce malicious software into machines prior to an election. [O]ne way would be to attack the machines while they are being manufactured, while they are being stored; we can imagine ways that insiders in the election process with special access could do that.
But we have to worry too about remote attackers, including powerful attackers like state-level attackers from adversarial countries that might want to do us harm and cause political interference. So those remote attackers have a very plausible way to penetrate large numbers of voting machines because our machines are programmed before each election with the unique ballot design of that election. How does that ballot get programmed in? Well, that typically happens using a removable memory card, almost like a USB memory stick, that is going to be put into the machine by election workers; that card, we found in research, can spread malware to the machine. [I]f the computers that are used to program the ballot designs onto those cards, to transfer the ballots to the voting machines, are not well protected, someone could hack into those computers and spread vote-stealing malware to the machines.
Now, how well protected are these systems that are programming the memory cards? Well, let me give you an example: in Michigan, more than 75 percent of counties have their voting machines programmed by just two small businesses; they just outsource that function. And these aren’t businesses that have the profile of high-security companies. They sell all kinds of voting equipment to the counties and they are 10-20 person shops. So, typically, counties will email the ballot design to these companies. They’ll take the design from the email, move it onto a computer, and then program it onto memory cards [and] send it out into the field on Election Day. That provides a surprisingly centralized and potentially vulnerable route that really has been under the radar for most people. Even in the election business, people haven’t been paying attention.
So, if you think about the ways we’ve seen state-level malware, nation-state malware, spread in sophisticated attacks before — something like Stuxnet, which is reportedly an example of a sabotage campaign that, according to news reports, the U.S. and Israel conducted against the Iranian nuclear enrichment program — that spread in a similar way, in that it was designed to spread from certain places that were connected to the internet, through removable media, to special purpose computers that were isolated from the network. It is entirely possible that a similar attack could spread vote-stealing malware to the voting machines used on Election Day.
[ ]
[It is true machines are left unprotected before an election] in many parts of the country. The machines [in] some places are sent home the night before with poll workers who might potentially leave them unguarded. In other places, the voting machines are delivered to the voting location a day or so in advance, and that might be a local school or a church or another place [ ] open to the public. [I]n research we found that even temporary physical access to a voting machine for just a minute or so could be enough to introduce malicious software into the machine. [W]hen you are talking about especially attacks that can propagate from the local level, where just physically tampering with a few machines would be enough, that might be a way an intrusion would start.
[ ]
Typically, if you think about the training that election workers receive, there is nothing to do with the cybersecurity aspects. Maybe some state election offices have state security people available to them. But when you are thinking about the local level at which the machines are actually administered, there’s just not enough election security expertise to go around. This country has many people who are well-trained in election security, but it’s still going to be in the [ ] dozens of people, not anywhere close to the thousands and thousands of individual jurisdictions [that] need that specialization to have any hope of detecting an advanced attack.
[ ]
You can think about state-level adversaries and advanced cybercriminals being able to potentially attack elections today. We’ve worried the longest about cybercriminals, people who aren’t working for a nation state. And I think that attacking voting machines, as their security level is today, is well within reach of the kinds of criminals who, for financially motivated reasons, are doing things like botnets at scale, denial of service attacks, or financial fraud. It’s not particularly sophisticated, the kind of security intrusion you need to do, to compromise typical machines. Especially if you have the cooperation of an insider or if you have physical access. Remote attacks are certainly plausible too, perhaps a little bit more advanced, because you need to locate the systems that are going to be used to program the machines before Election Day and you have to spread the attack through them. But there are any number of nation states that have developed by now sophisticated cyber offensive capabilities — thinking about China, Iran, Russia as just some examples. And it’s a growing number of potential adversaries.
[ ]
[W]hen you think about how close some elections can be, an attacker wouldn’t have to target — there’s not a central place in our elections where an attacker could target to change the results across all of the states — but in a contest for, say, the Presidency or control of the Congress, where races in several different states together might make the difference, an attacker could choose to target a subset of those states and pick from all of them, the [jurisdictions] that have the weakest security. [The] distributed nature of American elections in an election that is not close sounds like an advantage, but in an election that is close and hinges on a few states, it really becomes an advantage for the attacker. They get to pick and choose their targets.
Halderman notes “there is no solid evidence that any past election has been attacked by cyber means. But, in my professional opinion, it’s only a matter of time until one is, unless we put defenses in place. This is a major vulnerability in our national infrastructure.” At the time, Halderman opined, “If we are looking at the rate at which the pace of threats is evolving, I think that by 2018, 2020, our election system will be on the radar of a lot of very sophisticated attackers, including nation state adversaries.”
Despite Halderman’s successful hack of the Diebold AccuVote-TS machine in 2006, 18 states were still widely using the same machine, or an iteration thereof, in 2018. Those states included the most critical states in the Electoral College: California, Texas, Florida, Illinois, Ohio, Pennsylvania, Arizona, and Georgia, which used the machines in all of its jurisdictions. (At 3m19s, below.) Once again, Halderman demonstrated how to hack an AccuVote machine in front of a live audience at the 26th DEF CON (the world’s largest hacking conference). (At 6m05s.) Halderman points out that, as of 2016, 41 states used voting machines that were at least 10 years old. (At 14m25s.) Some machines dated back to the 1980s and many did not receive software updates. “The only safe assumption is all of them have exploitable vulnerabilities,” Halderman says.
Halderman points out, “Some of [the machines] do connect to the internet briefly to send back the results over 4G networks after an election,” which might create an avenue for results to be intercepted and altered. (At 17m0s, above.) In states where there is no paper trail tied to votes cast on machines, intercepting and altering unofficial results would be particularly hard to detect. In the 2016 election, the most vulnerable states were Georgia, South Carolina, New Jersey, Delaware, and Louisiana, which had no paper trail at all. Wisconsin, Tennessee, Indiana, Kentucky, Virginia, West Virginia, North Carolina, Pennsylvania, Arkansas, Kansas, and Texas did not have a paper trail for all votes cast on machines.
By 2018, 14 states, including Pennsylvania, Florida, Georgia, South Carolina, and Texas, were still using paperless machines.
Although a paper trail does not guarantee security, by matching the paper trail to the votes stored in the machines’ computer memory, “[I]t’s going to be really, really difficult to tamper with both of those sets of records in a way that wouldn’t raise red flags.” (At 20m30s, above.) The problem is “most states do not look at the paper, unless a candidate demands a recount or there are other exceptional circumstances.”
Many swing states do not have the dual defense of paper trails combined with routine risk-limiting audits. Halderman concludes, “Unfortunately, hijacking an election and influencing a close national contest might be a lot easier than we thought.”
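The paper-trail comparison and the risk-limiting audit that Halderman describes as the missing second layer of defense, as an added example that is not part of the original article or of Halderman’s own work: a constructed two-candidate contest with machine-reported totals, a precinct-level cross-check of machine tallies against hand counts, and the BRAVO ballot-polling test of Lindeman, Stark and Yates (2012), in which randomly drawn paper ballots are read by hand until the reported outcome is confirmed at a chosen risk limit or the audit escalates. The candidate names, vote totals and ballot samples are all constructed for the example.

```python
import random

# Constructed machine-reported totals for a two-candidate contest.
REPORTED = {"Washington": 6000, "Arnold": 4000}


def winner_share(reported: dict):
    """Reported winner and its share s_w of the reported total."""
    winner = max(reported, key=reported.get)
    return winner, reported[winner] / sum(reported.values())


def bravo_audit(reported: dict, paper_sample: list, risk_limit: float = 0.10):
    """Ballot-polling risk-limiting audit (BRAVO) for a two-candidate contest.

    Ballots are drawn at random from the paper trail and read by hand. Each
    ballot updates a likelihood ratio T: a ballot for the reported winner
    multiplies T by 2*s_w, a ballot for the reported loser by 2*(1 - s_w).
    Once T >= 1/risk_limit the reported outcome is confirmed; the chance of
    reaching that point if the reported outcome were wrong is at most
    risk_limit. If the sample is exhausted first, the audit escalates (more
    ballots, and ultimately a full hand count of the paper).
    Returns (decision, ballots_examined, T).
    """
    winner, s_w = winner_share(reported)
    threshold = 1.0 / risk_limit
    t = 1.0
    for n, ballot in enumerate(paper_sample, start=1):
        t *= 2 * s_w if ballot == winner else 2 * (1 - s_w)
        if t >= threshold:
            return "confirmed", n, t
    return "escalate", len(paper_sample), t


def simulate_audit(seed: int, reported: dict = REPORTED, risk_limit: float = 0.10):
    """Constructed paper trail that agrees with the machine totals, shuffled
    with a fixed seed and then audited. Shows how few hand-read ballots a
    60/40 contest needs compared with the 10,000 cast."""
    manifest = [cand for cand, votes in reported.items() for _ in range(votes)]
    random.Random(seed).shuffle(manifest)
    return bravo_audit(reported, manifest, risk_limit)


def tally_discrepancies(machine: dict, paper: dict) -> dict:
    """Precinct-level cross-check of the machine tally against a hand count of
    the paper trail; any precinct whose totals disagree is a red flag."""
    return {p: (machine[p], paper.get(p)) for p in machine if machine[p] != paper.get(p)}
```

With a 60/40 reported result and a 10 percent risk limit, thirteen consecutive winner ballots are enough to confirm (1.2 to the thirteenth power just exceeds 10), whereas a sample that alternates between the candidates never confirms and forces escalation; the cross-check function is the simpler comparison of totals that the page says most states skip unless a recount is demanded.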
Turning to the 2016 Presidential election, Halderman argues manipulating a “very, very small number of votes” in any two of Michigan (5,352 votes), Pennsylvania (22,146), and Florida (56,455) would have changed the result from President Trump to Secretary Clinton. (3m19s, below.) Further, manipulating the results in any three of Michigan, Pennsylvania, Florida, Wisconsin (11,374), Arizona (45,617), or North Carolina (86,657) would have changed the result of the election.
Halderman worked with Green Party Presidential candidate Jill Stein, who had standing in court to challenge the results, to initiate a recount. (At 5m20s.) However, President Trump and Republican forces fought the recount. In the end, only Wisconsin completed a full recount, which found no evidence of fraud. In those states where there was no paper trail, courts denied the Stein Campaign access to voting machines, thus preventing an audit of the results.
Halderman makes clear, “There is no evidence that hacking of voting machines — hacking of actual vote counts — changed the outcome of the 2016 election. But there is abundant evidence that cyberattacks of other forms had a major influence on the election [and] certainly could have a huge influence on future elections.” A report from the U.S. Senate Intelligence Committee claimed (without presenting evidence for public scrutiny) that Russia was in a position to alter or delete voter data, although the Kremlin did not exercise this option.
In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.
With regards to similar confidence assessments by the intelligence community about Russian interference in 2016, Halderman says, “I think it’s very difficult to independently comment and establish whether these allegations are true . . . because it’s just a small set of large internet companies that have the raw data we need to analyze.” (At 7m23s.)
As for 2020, Halderman observes there was an “amazing amount of misinformation about the election.” (At 5m09s, below.) Halderman points to Trump’s tweet claiming (without evidence), “Dominion deleted 2.7 million Trump votes nationwide,” as well as the Department of Homeland Security’s unsubstantiated claim 2020 was “America’s most secure election in history.” Halderman says Trump’s claim has “zero credible evidence.” Halderman argues it is a “preposterous claim that an American company deliberately changed the election in a way that, if discovered, would completely end its business.” (Dominion is a Canadian company, not an American company. The company has headquarters in Toronto, Canada, where the company was founded, as well as Denver, Colorado. John Poulos, one of Dominion’s two co-founders, is Greek. The nationality of the other co-founder, James Hoover, remains unknown.) Similarly, Halderman also describes Homeland Security’s claim as “preposterous in its own way,” labelling it “not even close” to the truth. “Although we’ve been making important strides in the last several years in improving election security, the fact is that elections still rely intensely on computer technology that is not as secure as it needs to be.” Halderman implies elections were more secure before the introduction of computer systems into the market because they were susceptible to “low-tech attacks” only.
Halderman addresses the “conspiracy theory” that “the Obama administration commandeered a powerful supercomputer system known as ‘THE HAMMER’ [that] includes an exploit application known as ‘SCORECARD’” to hack the 2020 election and steal the vote. Halderman argues the source of the allegation, purported “CIA-contractor-turned-whistleblower” and professional fraudster, Dennis Montgomery, “has a long history of very publicly making highly dubious claims.” Halderman points out a supercomputer is not necessary to hack an election. Halderman further argues that, if the election was in fact stolen, “you would think there might be some evidence that someone, in all this time, would have dug up” to prove election fraud. (In the author’s opinion, too few independent, non-partisan researchers have made a serious effort to objectively examine allegations of fraud in the 2020 election or any other, which lack of rigorous review could be a substantial contributing factor as to why there is an absence of compelling evidence available. A lack of serious, unbiased effort to investigate will inevitably result in a lack of compelling evidence; this is especially true when subject matter experts wait for others to bring forward claims of evidence, instead of actively investigating the issue themselves; and it is even more true when visceral political bias is combined with pervasive stigmatization of people who do investigate the issue, e.g., framing people who questioned the election results as crazed conspiracy theorists.)
Halderman next addresses two “conspiracy theories” advanced by attorney Sidney Powell. “Basically, the [first] theory is something about an international communist plot. That relates to Venezuela . . . George Soros, the Clinton Foundation, and Antifa.” After repeating the tired straw man that Chavez died in 2013, Halderman says, “when you get into the details of these theories, basically nothing seems to line up.” (As I proved beyond all doubt in Part I, Dominion’s systems architect, Ronald Morales, worked for Smartmatic during Venezuela’s 2004 recall election of former President Hugo Chavez. As will be discussed in more detail in Part III, two statistical analyses by independent researchers reached the conclusion the result in the 2004 Venezuela election was fraudulent, which implicates the Smartmatic machines that were used to cast and count votes in the election. For evidence of fraud in the 2004 Venezuela election, see Maria M. Febres Cordero, Bernardo Márquez (2006) and "Special Section: Revisiting the 2004 Venezuelan Referendum," Statistical Science, 26(4), November 2011. Moreover, Smartmatic’s takeover of Sequoia attracted criticism from Democratic Congresswoman Maloney and an intervention by the Department of Justice, precisely because of Sequoia and Smartmatic’s connection to Venezuela’s fraudulent election, as reported by The New York Times. Remember, Dominion bought all of Sequoia’s software and systems in 2010, in addition to hiring Morales as their systems architect. Further, Smartmatic does in fact have connections to George Soros, through Lord Marc Malloch-Brown, Chairman of the Board of Smartmatic’s holding company, SGO Corporation, and to the Clinton Foundation, through board member David Giampaolo.
In the author’s opinion, instead of dismissing established facts as conspiracy theory and using logical fallacies to evade the real issue — that someone involved in the suspected fraud in Venezuela’s 2004 election designed Dominion’s software — it is important to recognize the actual basis on which allegations of election fraud and antisemitic conspiracy theories are based, so that such allegations and theories can be countered persuasively.)
Halderman next addresses Powell’s unsubstantiated claim that Dominion “can set and run an algorithm that probably ran all over the country to take a certain percentage of votes from President Trump and flip them to President Biden.” Halderman argues, “A lot of the purported evidence is things like videos of election night returns; that suddenly a number in one state changes in an unexpected way, well, election night returns are unofficial. They are being corrected all the time as new results are coming in and things are being entered.” Halderman says “sometimes results are taken down because there was initially some [mistake in] data entry or other thing.” (In the author’s opinion, Halderman’s argument is speculative, not persuasive. If we are going to speculate, it is equally reasonable to interpret changes to unofficial election results as circumstantial evidence of fraud rather than mistaken data entry.)
“There’s nothing that rises to the level of what a truth-seeking observer would consider [to be] strong and credible evidence that there is anything at all that was amiss,” Halderman continues.
[Y]ou can see from the nature of these claims how there is maybe a little bit of fact: well Dominion Voting Systems really is the maker of a lot of election equipment; well, there really are some known problems in election systems with security. And that little bit of fact is being woven with these long and outlandish stories about long-standing conspiracy topics[.]
(In the author’s opinion, Halderman mischaracterized concerns voters had about the 2020 election results, seemingly because he is unaware of the direct connection between the architect of Dominion’s systems in 2020 and the probably fraudulent 2004 Venezuela election: Ronald Morales. Halderman did not respond to repeated requests for comment on and criticism of this article, which were sent to his university email address last week during summer break.)
Halderman identifies several improvements to election security since 2016. (At 38m52s.) He counts the “vastly greater awareness of election cybersecurity threats” as significant progress. “We’ve also seen much better cooperation between the states and federal government on intelligence and security matters,” as well as upgrades to registration and polling systems, intrusion detection, penetration testing, and several states piloting risk-limiting audits as signs of progress. “But challenges remain.”
One of those challenges is that, although we have gone from about only 75 percent ballots cast on paper four years ago, to 85 percent in 2020, there still remain almost 15 percent of votes across the country that are [not] recorded with a paper ballot at all, where everything is potentially subject to cyberattack. [W]e need more work to make sure that every jurisdiction has a redundant and physical record that can’t be changed.
The second challenge is, even as states have been moving towards more use of paper records, many of the states that have made that transition over the last four years have bought voting systems that use ballot marking devices, not only for people who need it for accessibility reasons, but instead have all voters vote on one of these touch screen devices. Now, the problem with that is that we are putting a computer interface between the voter and the paper ballot, between the voter and the record of their vote. And we have to ask whether it would be possible for an attacker to somehow manipulate the piece of paper that comes out in a way the voter does not notice.
Last year, my students and I published a study [ ] where we went to test this theory. We wanted to know, if we hacked a ballot voting device, so that the ballots that were printed out didn’t match the selections the voter made on screen, would voters notice and would they tell a poll worker. We set up a mock polling place [ ] and brought in some ballot marking devices that we hacked, and just asked people who visited the library to vote using the previous mid-term ballot for Ann Arbor. What we found was pretty surprising that, of voters in our experiment, only about 7 percent noticed when we changed the ballot. And that, in a close election, might be equivalent to just a small number of reports of any kind of problem in a polling place, even if an attack affected enough ballot voting devices to change votes across a wide area. Now, it turns out these problems are much worse when all voters are using ballot marking devices than they are when only a relatively small fraction do for accessibility purposes. It just becomes a much more promising attack to carry out.
Optical Scan (“Optech”) Voting Machines
Halderman and his students, namely Matthew Bernhard, Kartikeya Kandula, and Jeremy Wink, wrote a paper detailing how they were able to defeat human review of post-election results using an algorithm that changed the appearance of digital images of ballots scanned using Optech.
As paper ballots and post-election audits gain increased adoption in the United States, election technology vendors are offering products that allow jurisdictions to review ballot images—digital scans produced by optical-scan voting machines—in their post-election audit procedures. Jurisdictions including the state of Maryland rely on such image audits as an alternative to inspecting the physical paper ballots. We show that image audits can be reliably defeated by an attacker who can run malicious code on the voting machines or election management system. Using computer vision techniques, we develop an algorithm that automatically and seamlessly manipulates ballot images, moving voters’ marks so that they appear to be votes for the attacker’s preferred candidate. Our implementation is compatible with many widely used ballot styles, and we show that it is effective using a large corpus of ballot images from a real election. We also show that the attack can be delivered in the form of a malicious Windows scanner driver, which we test with a scanner that has been certified for use in vote tabulation by the U.S. Election Assistance Commission. These results demonstrate that post-election audits must inspect physical ballots, not merely ballot images, if they are to strongly defend against computer-based attacks on widely used voting systems.
Halderman and his team’s discovery is just one of a number of peer-reviewed demonstrations of vulnerabilities in optical scan voting machines.[1][2][3][4]
California’s 2007 Top-to-Bottom Review
In 2007, California Secretary of State Debra Bowen initiated a top-to-bottom review of the security of voting machines used in the state. The review examined voting machines produced by Hart InterCivic, Sequoia, and Diebold. All three manufacturers failed to pass the review. Secretary Bowen decertified the companies’ machines, halting their use in elections in California. Halderman observes, “The implication of all the major products failing [to meet the security criteria in California’s top-to-bottom review] indicates, both, there is something wrong with the way voting machines are being produced and certified in the U.S., or, that it is a fundamentally hard problem and that this isn’t something the marketplace is ready to solve today.” (“2013 MACCDC: Speaker Symposium: Dr. Alex Halderman” at 15m30s.)
Principal Investigator David Wagner, Associate Chair of the Department of Electrical Engineering and Computer Sciences at the University of California, Berkeley, concluded the source code used on the voting machines was vulnerable to attack. The vulnerabilities were so bad, in fact, Wagner’s team chose not to publicly identify the weaknesses in the machines.
Instead, in preparing our public reports, we deliberately chose to err on the side of caution. We carefully screened all of the information that we included in our public reports. Our objective was to avoid reducing the amount of access an attacker would require to attack elections. We attempted to accomplish this by omitting details that would have the effect of converting an attack that would require reverse engineering or access to the source code into one that would not. These details were relegated to a confidential appendix provided to the Secretary of State. In some cases we deviated from this guideline when an attack scenario was already readily obvious from the interfaces presented to the user or from the previously published literature.
A common, widely accepted practice in the security literature is to describe attacks in sufficient detail to allow others to independently reproduce and evaluate the threat and, ultimately, build systems that better resist attack. Because of the severity of the attacks we found, and because we wanted to avoid making it easy for would-be attackers to subvert elections, we did not follow that practice here.
The Red Team from the University of California at Santa Barbara and Davis, responsible for testing the machines, warned their results were the “lower bound” of what should be expected from potential attacks, due to the time constraints the testers worked within and obstruction by the voting machine vendors.
The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a “lower bound”; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities. In particular, Abbott’s team reported that it believed it was close to finding several other problems, but stopped in order to prepare and deliver the required reports on time. These unexplored avenues are presented in the reports, so that others may pursue them. Vigna’s and Kemmerer’s team also reported that they were confident further testing would reveal additional security issues.
The second problem was a lack of information. In particular, various documents did not become available until July 13, too late to be of any value to the red teams, and the red teams did not have several security-related documents. Further, some software that would have materially helped the study was never made available. As a specific example, when installing the system initially, the Hart personnel used a program to upgrade firmware on their system. The red and source code team members present asked for a copy of that program, because it would enable the testers to determine whether anyone could upgrade the firmware. Otherwise, the teams would have to discover the protocol used for upgrading the firmware and write programs to do it themselves. The person doing the installation stated that the program was proprietary and would not be released to the Secretary of State and the teams. The teams asked the Secretary of State to obtain the program from Hart. The request was repeated in a phone call with Hart engineers on July 16, and Hart said they would have to discuss it among themselves. The software was never supplied.
(Emphasis original.)
The Red Team demonstrated vulnerabilities that could change the vote in both DRE voting machines with Voter Verified Paper Audit Trails (VVPATs) and optical scan machines.
As an example, the ability to execute arbitrary programs on one of these systems can cause votes to be misrecorded even when there is a VVPAT. The specific attack relies on the belief that many voters will not check the VVPAT. An attacker creates a new version of the firmware that will misrecord a vote. The incorrect vote will be printed on the VVPAT. If the voter notices and declines to cast the vote by returning to an earlier screen, the malicious firmware will then record the vote correctly. Thus, there will be no discrepancy between the votes as recorded on the VVPAT and on the electronic media.
Even if there is a discrepancy between the VVPAT and the electronically recorded votes, that discrepancy must be discovered. Typically, this would occur during the 1% audit or a recount. For our purposes, we considered such a discrepancy a valid attack, because the way in which such a discrepancy is to be handled is unclear, especially when the VVPAT is damaged or hard to read.
The election management system consists of software running on a commercial platform. Typically this platform is some form of Microsoft® Windows. The application software consists of a database program and other software. A client program, the database application, or both control access to the election data. This platform may also be used to initialize memory cards or other media to transfer information to the voting machines. The platform may also contain other programs not supplied by the voting system vendor.
For example, all three vendors’ election management software runs on platforms with the Windows operating system. The configuration of the Windows system provides a layer of protection against an attacker compromising the software. The strength of this layer depends directly on the security of the underlying operating system. As Windows is known to be vulnerable to many forms of attack, vendors should ensure that the underlying Windows system is locked down sufficiently to counter these threats.
If an attacker can gain privileged access to the underlying operating system, they can control the election management system. This is why election management systems should be locked down tightly and be kept in a physically secure area: so that attackers have limited to no access to the system. As noted above, physical access is simply one layer of security defense. Minimizing privileges and taking other basic precautions in configuring the underlying operating system provide additional layers.
Premier Election Solutions (Diebold)
The review of the Diebold/Premier Election Solution’s machines found vulnerabilities in the source code, including failure to protect ballot secrecy and susceptibility to malicious software, viruses, and insiders.
The Red Team’s review found the General Election Management System (“GEMS”), designed by convicted federal hacker Jeffrey Dean, as well as the audit logs produced by GEMS, to be vulnerable.
There were stark discrepancies between the GEMS server as Diebold technicians delivered it and the GEMS server configuration as described in the Diebold documentation. The Diebold technicians assured us that the configuration we were given at the outset of the study was identical to the configuration Diebold technicians would supply to their customers (i.e. county officials).
[ ]
The GEMS server is on a local area network (LAN) with other Diebold components, and this LAN is supposed to be isolated. However, even Diebold documentation reports that this requirement is not always met. Therefore, attacks via Ethernet against the GEMS server could reasonably be executed by personnel with physical access to the networking components (hubs/switches) in the isolated LAN or— if the Diebold LAN were intentionally or unintentionally connected to a public internet connection—by remote attackers.
[ ]
The Red Team used Windows Administrator access on the GEMS server to manipulate and corrupt GEMS databases. These actions could result in manipulated vote totals or in the inability to read previously-generated ballot definitions if no valid database backups were available (whether because the backups were not made or because the backups had also been corrupted).
[ ]
The Red Team found methods for executing actions from within the GEMS server that could not be tracked by the GEMS audit logs, allowing malicious GEMS users to conceal actions they had taken while logged in. Additionally, the Red Team noted that one of the standard functions offered by GEMS is the ability for a GEMS administrative user to change the username of her account. This is a non-standard computing practice, and it could potentially be used by a rogue administrator to implicate another GEMS user (i.e. other elections personnel).
[ ]
The Red Team identified format string vulnerabilities that, when exploited, caused an election to run smoothly on a TSx unit until a voter from a particular precinct attempted to cast a ballot. When a voter from the affected precinct tried to cast a ballot on a TSx, the printer would generate an error, and the voter’s ballot would be canceled. The voter is notified about the error via a series of error messages that would be incomprehensible to the average voter, followed by this notification: “Your ballot has been canceled.”
[ ]
Using information gained from access obtained as the Windows Administrator user, the Red Team was able to guess the authentication credentials for the networking hardware supplied by Diebold, and gain root access on these devices. These root accesses would provide sufficient access for an attacker to manipulate every setting on the networking devices and on the server. Additionally, the Red Team was able to use this access on the GEMS server to install the drivers for a USB wireless dongle. This small device was then planted on the back of the server, ensuring remote access to the GEMS server even if it were disconnected from the Ethernet connection previously used to exploit the server.
In total, the Red Team succeeded in proving four different attack scenarios and raised concerns for two more potential attack vectors.
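The audit-log finding above is a design flaw rather than a coding slip: a log that an administrator on the same machine can edit, and that attributes actions to a username the administrator can change, cannot support a post-election inquiry. The following added example (my own code, not GEMS and not taken from the TTBR report) shows the standard defensive pattern: an append-only log in which every entry carries an HMAC over its fields plus the MAC of the previous entry, so deleting, reordering or editing an entry breaks the chain, while actions are attributed by a stable account id rather than a renamable username. The key, the account ids and the entries are constructed for the demonstration; the design assumes the verification key is held off the EMS host (for example by a separate audit-collection server), because a Windows administrator on the EMS itself could otherwise re-sign a doctored chain.

```python
"""Tamper-evident, append-only audit log with a keyed hash chain.

Added example, not election-vendor code. Assumes the HMAC key lives on a
separate audit host and that the latest MAC ("head") is escrowed there too.
"""
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-link of the first entry


def _mac(key: bytes, record: dict) -> str:
    """HMAC-SHA256 over every field except the MAC itself, in canonical JSON."""
    body = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[dict] = []

    def append(self, actor_id: int, action: str, details: dict) -> dict:
        """Record one privileged action. actor_id is the immutable account id;
        a display name, if wanted, goes in `details` and never replaces the id."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor_id": actor_id,
                  "action": action, "details": details, "prev": prev}
        record["mac"] = _mac(self._key, record)
        self.entries.append(record)
        return record

    def head(self) -> str:
        """MAC of the newest entry. Escrow this off-host after every session:
        a hash chain alone cannot detect removal of the most recent entries."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify(entries: list[dict], key: bytes,
           expected_head: str | None = None) -> tuple[bool, str]:
    """Re-walk the chain and report the first inconsistency, if any."""
    prev = GENESIS
    for i, rec in enumerate(entries):
        if rec.get("seq") != i:
            return False, f"sequence gap at position {i}: entry deleted or reordered"
        if rec.get("prev") != prev:
            return False, f"entry {i} does not link to its predecessor"
        if not hmac.compare_digest(rec.get("mac", ""), _mac(key, rec)):
            return False, f"entry {i} was modified or forged"
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, "log truncated: head does not match escrowed head"
    return True, f"{len(entries)} entries intact"


def actions_by(entries: list[dict], actor_id: int) -> list[str]:
    """Attribution survives a username change because it keys on actor_id."""
    return [e["action"] for e in entries if e["actor_id"] == actor_id]


if __name__ == "__main__":
    key = b"constructed-demo-key-held-off-host"
    log = AuditLog(key)
    log.append(7, "login", {"username": "alice"})
    log.append(7, "rename_account", {"old": "alice", "new": "bob"})
    log.append(7, "export_results", {"election": "constructed-demo"})
    print(verify(log.entries, key, log.head()))
    doctored = [dict(e) for e in log.entries]
    del doctored[1]                       # try to hide the rename
    print(verify(doctored, key))
    print(actions_by(log.entries, 7))    # still attributed to account 7
```

Two points to take from the example. First, the chain detects a deleted or edited entry anywhere in the middle without any external state, but removal of the newest entries is only caught when the escrowed head is supplied to verify(), so the head must leave the machine promptly. Second, the GEMS rename feature stops being an attribution problem once the log records an immutable account id: renaming an account becomes just another logged action rather than a way to point the finger at someone else.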
Additionally, the team reviewing the (in)adequacy of Diebold’s documentation was intentionally thwarted by the voting machine vendor.
The Diebold documentation review team never received all of the expected TTBR documentation, despite this team’s follow-up with detailed lists of omissions. A significant part of the technical documentation comprising this vendor’s TDP that is mandated by the federal VS standards was never submitted to the Documentation Review team and could not form a part of this review. No TDP documents were supplied to this review team until July 13th, very close to the end of our review.
Hart InterCivic
The review of Hart InterCivic’s machines found vulnerabilities in the source code, including an unsecured network interface, susceptibility to malicious inputs, insecure use of cryptography, and failure to protect ballot secrecy.
The Red Team found three potential attack scenarios. A review of the documentation concluded it “fails to anticipate or document some common problems and exceptional events,” although it was relatively well organized and otherwise “adequate to establish and run an ordinary election in which few or no problems occur.”
Sequoia
The review of Sequoia’s machines found vulnerabilities in the source code, including a lack of data integrity, weak cryptography that was “easily circumvented,” “ineffective” access control to prevent “unauthorized use of central vote counting computers,” and “numerous programming errors” in the engineering of the software.
The Red Team proved seven attack scenarios and detailed one more. The vulnerabilities included overwriting files, executing modified firmware, automatic execution of code, lack of server security, and forging update cartridges and voter cards. The review of the machine’s documentation found “qualification testing reports do not provide enough information to determine independently whether the testing laboratories evaluated the voting system under all applicable voting system standards.” Further, the “typical duties of election officials and poll workers are not well explained,” and “do not provide sufficient guidance about the operational details of voting system security.”
Conclusion
As demonstrated by the evidence presented in this article, concerns about election security are not only well-founded, they are irrefutable. The evidence is conclusive: voting machines are not adequately designed to prevent election fraud. Attackers have multiple avenues to hack election machines and can in fact alter the results of elections. Moreover, according to Halderman, advances in technology will lead to new attack vectors (e.g., return-oriented programming), making old technology vulnerable. (“2013 MACCDC: Speaker Symposium: Dr. Alex Halderman” at 19m11s.) Halderman recommends several safeguards: redundant paper records, statistical risk-limiting audits, and end-to-end voter-verifiability. (Id. at 1h0m0s.) Additional policy proposals and changes to state and federal law will be advanced in the final part of this series.
Part III will investigate evidence of voter fraud in foreign elections.
This is Law and Politics. Until next time . . . .
[1] Hursti, H.: Critical Security Issues with Diebold Optical Scan Design, The Black Box Report (2005)
[2] Kiayias, A., Michel, L., Russell, A., Shvartsman, A.: Security assessment of the Diebold optical scan voting terminal (2006). https://voter.engr.uconn.edu/voter/wp-content/uploads/uconnreport-os.pdf
[3] Kiayias, A., Michel, L., Russell, A., Shashidhar, N., See, A., Shvartsman, A.: An authentication and ballot layout attack against an optical scan voting terminal. In: USENIX/ACCURATE Electronic Voting Technology Workshop (EVT) (2007)
[4] McDaniel, P., Blaze, M., Vigna, G.: EVEREST: evaluation and validation of election-related equipment, standards and testing. Technical report, Ohio Secretary of State (2007). http://siis.cse.psu.edu/everest.html