After the surprising outcome of the 2016 U.S. presidential election, many have feared that the country’s voting system is vulnerable to external attacks. In response, loosely affiliated groups of “ethical hackers” have been pooling their resources to research the issues and sound the alarm.
The groups aim to raise awareness among companies that make digital election systems — including electronic voting machines — and the local and state governments that oversee voting. But these efforts have met resistance from both voting machine companies and lawmakers pushing for new rules to limit this kind of work.
Ethical hackers argue that they can play a vital role in maintaining election security. As election systems are increasingly digitized, these security researchers caution that the vast number of networks, hardware, and software being deployed needs all the scrutiny it can get.
“All software is vulnerable,” Bugcrowd CTO Casey Ellis said. “It just depends on how long you’re taking to look to find those vulnerabilities. Humans write code, and humans make mistakes.”
An election security posse
While all eyes are on the upcoming presidential election and the patchwork of voting systems used in the U.S., the concept of ethical hacking extends far beyond that. Many of the companies and associations involved help corporations probe their IT systems for weaknesses.
For many of these groups, voting machines and systems have become a kind of passion project amid broader concerns about ongoing vulnerabilities. Last year, the U.S. Senate Intelligence Committee found that Russia had targeted election systems in all 50 states during the 2016 election. While the committee didn’t necessarily find that any votes had been changed or outcomes shifted, it warned that Russia did manage to access some systems and that those extensive vulnerabilities still existed.
While public fears are often focused on electronic voting machines, the Department of Homeland Security took a broader view. Its report defined the voting system as: “storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”
Brian DeMuth is CEO of cybersecurity research and testing firm Grimm and one of the ethical hackers focused on election security. He shares the government’s broad view of the scope of election systems and possible vulnerabilities. DeMuth cofounded the nonprofit Cyber Bytes Foundation to foster research and education around cybersecurity issues. In recent years, the foundation’s work has included election security.
“There’s a lot of us that have been working on election security as a hobby, or as professional research projects, or professionally for clients,” DeMuth said.
One of the foundation’s first projects, in loose collaboration with others, has been to buy up old and current model voting machines to research and disclose security flaws.
“Some of the latest updates that we’ve seen to some of this equipment are still flawed in a number of scary ways,” DeMuth said. “So we’ve all been continuing this research and continuing to buy these things in our spare time — sometimes with our own money — just to keep looking into the problem.”
DeMuth continues to be shocked at how easy it is to acquire electronic voting machines. He and his colleagues have bought the machines on eBay, Craigslist, Facebook’s Marketplace, and even government auction sites. This widespread availability means it’s easy for hackers with ill intent to buy and study machines, including many models still in use, he said.
Once they have the machines, the researchers conduct what DeMuth describes as a “typical vulnerability research or security assessment project.” They follow a methodology that includes studying the embedded systems, looking at all the input-output ports and the chipsets on the motherboard.
In some cases, evoting machines allow someone to insert a flash memory card that could include malware that changes recorded votes. Fortunately, DeMuth said machines with such easy external access are no longer in widespread use. And even where they exist, sneaking around and inserting flashcards into the machines is a pretty labor-intensive process.
A bigger concern is wireless connectivity. In many cases, the problem is local election officials’ limited understanding of the security issues this can create.
When asked, many election officials will say there is nothing to worry about because their voting machines are not connected to the internet. But DeMuth said that’s often not true, as there may be an indirect pathway to the internet. He said many of the evoting machines are connected to a local laptop that serves as a central server for storing and counting votes. Often those laptops will be connected to the internet to transmit results, either via a hardline or a local Wi-Fi network.
DeMuth recalled visiting a local school for a meeting last year and idly looking at his phone to see what Wi-Fi networks were available. Among the choices was one called “voting machine network.” It turned out this network was connected to the school’s other networks that had internet access.
“If your local network is compromised from the internet, then these voting machines are on the internet,” DeMuth said. “And there are countless examples of that.”
In September, a group of security researchers wrote a letter warning that the wireless modems on many of the evoting machines used in Florida had left the machines vulnerable to attack. While many states have replaced wireless voting machines since 2016, Florida had not. The state continues to use machines produced by Nebraska-based Election Systems & Software.
In the letter, the researchers warned that the machines put the integrity of Florida’s elections at risk: “Our elections remain under attack by the opponents of a free and fair democracy, who wish to compromise our election infrastructure to sow chaos, distrust, or even manipulate the election outcome.”
DeMuth acknowledged that there are a lot of “ifs” surrounding potential attacks. Someone would have to access the networks of a lot of municipalities and attack the machines or the node collecting results. But that is effectively what the Senate Committee found Russia was trying to do in 2016. Just this week, the U.S. Director of National Intelligence disclosed that Russia and Iran had used “holes” in state and local election websites to obtain voter registration data and send disinformation emails to voters.
“Depending on what evil foreign nation you’re worried about, there are some that do have the resources,” he said. “So it’s conceivable. I think the point of all this awareness is to get more people looking at the problem and fixing it so it doesn’t persist.”
Since 2016, the U.S. federal government has been trying to step up election security. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its programs around voting. This includes supporting VotingWorks, a nonprofit organization that created an open source auditing tool called Arlo. Available on GitHub, Arlo allows local election officials to audit their results by randomly choosing ballots that have been cast and automatically comparing them to the tabulated votes.
In addition, the Election Integrity Foundation established the Voting Village project, a forum for letting third parties examine electronic voting machines and other election equipment in order to raise awareness about voting security issues.
With the ongoing impact of the pandemic and the massive increase in mail-in ballots, efforts to bring more transparency to voting systems are going to be even more critical, according to Bugcrowd’s Ellis.
“That sort of thing is going to play a bigger role this year because we’re going to have this hang time with everyone changing the way they do almost everything because of COVID-19,” he said. “And I think it’s reasonable to expect that the counts are going to take longer than normal this year. So there’s more opportunity for there to be uncertainty or concern around the integrity of the result.”
Bugcrowd created a crowdsourced platform to help companies find security vulnerabilities by using outside “hackers” and is part of an open source effort called Disclose.io. The project is developing contractual and terms of service language any company can use to establish clear guidelines for bug bounty programs and allow ethical hackers to probe their services and report issues.
This effort to establish ground rules extends to voting systems.
“There’s this crowd of ethical hackers that are wanting to try to help and make sure that the entire voting process is secure,” Ellis said. “But up to this point, they haven’t really been invited to do that. So how do we make it possible?”
Though he can’t disclose names, Ellis said there’s been some progress working with voting machine manufacturers and election departments. The researchers involved want it understood that they are trying to help and are hoping to be invited to pursue their work.
“For the better part of 30 years, policies around the usage of IT have been designed to keep the hackers away from things, assuming that if you’re trying to do something unusual that you’re probably a bad person,” Ellis said. “We’re in a position now where there are researchers and there are people in the community as hackers that are acting in good faith. And the reason they’re doing that is to work out how to make them safer and to identify where the weaknesses are to get that information to people that can fix those problems to make the user safer.”
But Ellis and DeMuth said roadblocks remain. Part of the problem is the fundamental organization of U.S. elections. With 50 states creating 50 different systems, there’s bound to be a wide range of equipment and rules and security measures. Cutting through that chaotic approach takes time.
According to a 2016 DHS intelligence assessment: “Voting precincts in more than 3,100 counties across the United States use nearly 50 different types of voting machines produced by 14 different manufacturers. In addition, state and local jurisdictions may have different requirements for securing their election systems, such as configuration settings, audit logging, intrusion detection capability, and patch management. The diversity in voting systems and voting software provides significant challenges to cybersecurity.”
There’s also the question of how to talk about this issue to the public. Researchers don’t want to scare voters or create a perception that voting is a waste of time because the system could be manipulated. And discussing the finer details of auditing and whether paper ballots are needed can create confusion.
“We should do voting security better without scaring your non-technical grandpa and some part of America that doesn’t intuitively grab this stuff,” Ellis said. “You want people to vote. If there’s any kind of interference, if there’s any kind of issue, foreign or domestic, to manipulate the vote, then the most effective way and the most resilient way to combat that is to just have more people turn up. At that point, you’ve diluted the problem.”
One step back
But just as ethical hackers have gained a little traction, new legal and political roadblocks are being thrown at them.
The first is the Defending the Integrity of Voting Systems Act U.S. President Trump signed into law this month. The legislation had broad bipartisan support in the House and Senate and makes it clear that hacking voting systems under any circumstances is illegal. The U.S. Department of Justice can now charge anyone who tries to hack into any part of the voting system under the Computer Fraud and Abuse Act.
Ellis said a couple of years ago the House Rules Committee had asked for his input and that of other ethical hackers. But he fears the legislation in its final form could criminalize the type of ethical hacking many security researchers are conducting.
“The U.S. government might seek to deter adversaries from meddling with the voting process. But instead, the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process,” Ellis said. “If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers — who are ignoring these laws to begin with — have an open field to exploit undiscovered vulnerabilities within voting systems.”
Ethical hackers are also closely watching a case scheduled to go before the U.S. Supreme Court. Van Buren v. the United States involves a Georgia police officer who was convicted of taking money to look up a driver’s license in a state database and was charged with violating the Computer Fraud and Abuse Act. Many privacy groups, including EPIC and the Electronic Frontier Foundation, have protested the ruling, saying it amounts to a dangerous expansion of the CFAA.
In an unexpected twist, online voting vendor Voatz filed an amicus brief supporting the broader interpretation of the CFAA, in part to dissuade the work of ethical hackers.
“Necessary research and testing can be performed by authorized parties,” Voatz states in the brief. “Voatz’s own security experience provides a helpful illustration of the benefits of authorized security research and also shows how unauthorized research and public dissemination of unvalidated or theoretical security vulnerabilities can actually cause harmful effects.”
Responding to Voatz’s argument, Disclose.io members wrote a letter criticizing the company for a 2019 incident. After a student security researcher responded to a Voatz bug bounty program by reporting a vulnerability, the company allegedly reported the student to state authorities. Disclose.io criticized the shifting terms of Voatz’s bug bounty program and its swift retribution.
“Voatz’s insinuation that the researchers broke the law despite having taken all precautions to act in good faith and respect legal boundaries shows why authorization for this research should not hinge on companies themselves acting in good faith,” the Disclose.io letter says. “To companies like Voatz, coordinated vulnerability disclosure is a mechanism that shields the company from public scrutiny by allowing it to control the process of security research.”
The Van Buren v. the United States case is scheduled for oral arguments on November 30.
Amid wrangling over how best to secure elections, DeMuth thinks the short-term answer may be to take a step back and return to paper ballots. The problem is that counting them takes time. And in an era when people demand instant results, that’s bound to cause some frustration.
“I would rather us go back to paper, but that’s not forever, right?” DeMuth said. “I want to see these things progress. But I think there does need to be a continual call to action to research these things and improve them. What I’m concerned about is making sure that you keep moving in the direction of better security.”
You can’t solo security
COVID-19 game security report: Learn the latest attack trends in gaming. Access here