How secure are America’s voting machines?

Science Friday
Diebold Elections System AccuVote-TSx DRE

A Diebold Elections System AccuVote-TSx DRE voting machine with a voter-verified paper audit trail (VVPAT) attachment (at right).

Wikimedia Commons/CC 2.5

At a recent DefCon security conference, organizers wanted to test how voting machines could be hacked. The result? It took just 90 minutes for the hackers to get into the machines.

Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, in Washington, DC, says the hack took that long only because the individual had to leave the facility to go buy a USB keyboard.

“When he came back, there were two open USB ports on the back of this machine, which was a decertified AVS WINVote,” Hall explains. “He did the ‘three-fingered salute’— the Windows control-alt-delete — and it dropped to Task Manager. Then he could load whatever he wanted. They installed Winamp and played the now-famous Rick Astley song, ‘Never Gonna Give You Up.’”

Some of the machines the hackers “attacked” are still in use, but for the most part, they were purchased on eBay or GovDeals (the government version of eBay), Hall says. Most were two or three years old and not running the most current software. Nevertheless, the experiment exposed serious flaws in virtually every type of machine.

Ed Felten, a professor of computer science and public affairs and director of the Center for Information Technology Policy at Princeton University, successfully installed a virus on one of the machines. This surprised even him.

“We didn’t realize, when we first started studying these machines about 12 years ago, how vulnerable they would turn out to be,” Felten says. “But over the years, a lot of research [has been done] on the electronic voting machines and in every case, we have found troubles and vulnerabilities.”

Most voting machines are basically computers with a voting interface, so “all of the usual ways of installing software on computers will work,” Felten notes.

“If you’re in a polling place, people might look at you strangely if you were to stick a USB keyboard into a voting machine or something like that, but there are ways to get physical access — hands-on — to voting machines in other settings,” he points out. “And in every case we’ve seen, if you can get your hands on a machine, then you can change what it does. I have a machine in a lounge area outside my office at Princeton that some students reprogrammed into a Pac-Man machine.”

Attacking a voting machine on Election Day, in the voting booth, would be more difficult because there are people keeping an eye on that room. But voting machines are stored in warehouses every other day of the year, and “just like with other computers, there are indirect ways of getting to them, by creating viruses or other sorts of malware that will spread onto the voting machines. That’s probably a bigger threat, in practice,” Felten says.

Because so many US voting machines are 10, 15 or even 20 years old, asking them to perform modern security operations, even something as simple as two-factor authorization, is a stretch, adds Lorenzo Hall.

“Often, we have to look to other things — processes, chains of custody. Human types of things that election officials actually spend a lot of time thinking about,” Hall says. “But you can imagine, there’s so much variation that it just depends on where you are, what the machine is, and how vigilant that particular operation is.”

Much of the software in voting machines is proprietary to the company that makes and distributes them, so some are calling for open-source software to run the machines. Felten believes this could have certain advantages, but wouldn’t be enough to secure them.

“Open-source software would eliminate one of the barriers to improving the system. It would allow independent experts or members of the public to look at the software and analyze it for potential vulnerabilities,” he explains. “It lets you find problems, but doesn’t necessarily fix them for you. … It’s not a solution in itself.”

The best way to address the larger security issue is to build a system that is resilient, so that even if someone does compromise a voting machine, experts can detect the problem and recover, Felten says. This involves using a voter-verified paper record — that is, “something that is written on paper, that the voter saw, that is kept in a ballot box,” he explains.

“When you have the combination of a paper record and an electronic record and then you do a good post-election audit to compare the paper and electronic records, that gives you the best and most resilient result,” he says. “That way, you’re safe, even if the machines are compromised.”

Hall notes that in some areas, election officials are starting to commission construction of their own machines. Travis County, Texas, and Los Angeles County, California, are “starting to build tanks of voting machines — extremely secure, wonderful, cryptographic, glorious, paper record-based, audit-able machines,” Hall says.

This article is based on an interview that aired on PRI’s Science Friday with Ira Flatow.