Hacking Elections: Georgia's Midterm Electronic Voting in the Dock
22.8.18 securityweek BigBrothers
The security of electronic voting and the direct-recording election (DRE) voting machines used has been questioned for years. The upcoming U.S. midterm elections in November, coupled with the attempted Russian meddling in the 2016 presidential election, have made this a current and major concern for many in the security industry and beyond. Now it has gone to court.
Earlier this month (Aug. 3), the Coalition for Good Governance filed a Motion for Preliminary Injunction against the Secretary of State for Georgia (Brian Kemp, who is also the Republican candidate for governor in the midterms) seeking to force the state to abandon DREs and revert to a paper ballot.
The Secretary of State has responded to the Motion, claiming, “Such recklessness, if given the power of a federal decree, would compromise the public interest.”
Security concerns
Concern over the security of electronic voting was heightened following the 2016 presidential election. The incumbent Obama administration accused Russia of interfering and being behind a breach of the DNC and subsequent leak of sensitive data.
For the most part it is believed that Russia attempted to influence rather than control the vote. However, an NSA document acquired and discussed by The Intercept in June 2017 “raises the possibility that Russian hacking may have breached at least some elements of the voting system, with disconcertingly uncertain results.”
There is no claim that Russia affected the outcome of the election. The primary concern is that nobody knows the extent of what was done, nor what could have been done – and, more disconcertingly, what might be done next time.
The vulnerability of the DRE systems themselves is hardly doubted. At the end of 2016, both Cylance and Symantec separately demonstrated hacks against DREs. This month DEF CON ran its second annual Vote Hacking Village, where attendees were invited to hack the voting infrastructure, including DREs – and numerous vulnerabilities were found and exploited.
DRE manufacturers, and officials using them, are quick to point out most exploits require physical access to the machines, and that any individual hack would only affect the votes made on that system. The overall vote itself will remain statistically valid.
Last week (Aug. 13), a new survey from Venafi found that 93% of more than 400 IT security professionals from the U.S., UK and Australia found that “are concerned about cyber-attacks targeting election infrastructure and data.” Furthermore, “81% believe cyber criminals will target election data as it is transmitted between machines, software and hardware applications, and moved from local polling stations to central aggregation points.”
The voting infrastructure is much wider than vulnerable DREs alone.
Court case in Georgia
The Coalition for Good Governance is attempting to gain a court order to force Georgia to abandon electronic voting and go back to a paper-based ballot because it does not believe a full and fair vote can be guaranteed. It has asked for a Preliminary Injunction.
Georgia stands out from the majority of states. Although not one of the perennial swing votes, these midterms are likely to be different, and a relatively few votes could swing the result one way or the other.
Georgia uses approximately 27,000 Diebold AccuVote DRE touchscreen voting units running a modified version of Windows CE. It does not and cannot produce a paper audit trail of votes. Georgia is one of just a few states – and the largest – that does not produce a paper backup.
The Coalition’s argument hinges on three elements: that DREs are inherently insecure; that Georgia’s voting system has already been breached; and that Georgia voting officials destroyed all evidence of who might have benefited from the breach.
The breach was discovered by security researcher Logan Lamb. The court document states, “In late August 2016, cybersecurity researcher Logan Lamb accessed files hosted on the elections.kennesaw.edu server on the public internet, including the voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.”
This database, including registration details for 6.7 million Georgia voters, was unprotected and could be accessed by anybody with an internet connection.
Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, told SecurityWeek, “If I were a hacker trying to affect an election in this state, that's where I would start. Because once you have access to those databases, you can, for example, on election day send people to the wrong polling stations. I actually think that this is a line of attack that people haven't looked at which has to do with simply changing contact information for voters.”
DeMillo is a professor at Georgia Tech, has worked in cybersecurity for more than 40 years, and, he says, is “a longtime observer of election security in the state of Georgia.” He is not an official advisor to the Coalition, but as an employee of a public university is available to offer advice to anyone who seeks it.
The concern for the Coalition is that firstly, Georgia did little to secure the database – it remained online and available to everyone for at least six months before it was removed; secondly, that Georgia did not undertake a forensic examination to determine whether the database had been altered or manipulated; and thirdly, three days after the Coalition’s lawsuit was filed, election officials “destroyed all data on the hard drives of the KSU elections.kennesaw.edu server.”
There is consequently now no way of knowing who may have accessed that database nor whether any unauthorized changes were made to it.
Marilyn R. Marks, VP and executive director of the Coalition for Good Governance, described another potential attack against the Georgia midterms that would be relatively easy if the pollbooks stored at KSU had been downloaded or amended by attackers.
“One of [Demillo’s] colleagues went to vote, and he was issued the wrong ballot (his affidavit is in the Exhibits of the Motion),” Marks told SecurityWeek. “Name is Kadel. He was given the wrong electronic ballot. If you look at his voter registration record, name address, everything's just fine. We do not know what happened.” His ballot paper seemed to be in order, but was for Congressional District 5 instead of Congressional District 6. Had he not noticed this discrepancy his vote would have been nullified.
“But here's another theoretical attack,” continued Marks. “You can leave all that stuff there. But change the ballot combination code that's in the electronic pollbook and the voter gets issued the wrong ballot. Nobody knows what their ballot combination is. It's not given out to voters.”
Rob Kadel is assistant director for research in education innovation, Center for 21st Century Universities at Georgia Tech.
The Secretary of State’s response to the Coalition’s motion is to concentrate on the physical problems of changing to paper at this stage. The response does not attempt to prove that DRE machines are secure, but states that the Coalition has not proven them to be insecure. It describes the motion as ‘Plaintiff’s paranoia’, and says, “Luddite prejudices against software technology are insufficient justification to override a statutory regime promulgated by duly-elected legislators, sustained against prior constitutional challenges, and overseen by state officials acting pursuant to their respective duties within that legislative framework.”
Both sides vehemently disagree. The Coalition was set to file its own reply to Kemp’s response on Monday (SecurityWeek will post the URLs to this and to Secretary Kemp’s initial response as soon as they become available). The reply is likely to assert that a switch to paper is feasible within the time constraints.
Industry views on the midterms in Georgia
The outcome of the Motion for Preliminary Injunction will be decided by the court, and probably very quickly. In the meantime, SecurityWeek talked to several security experts for their view on the current situation.
“The key to any voting system is the integrity of the data, and given the proven attacks against the DRE systems, this can no longer be guaranteed,” commented Joseph Kucic, CSO at Cavirin. “Without evidence of having the appropriate controls there is a good chance that the plaintiffs could win their case. With regard to the actual motion, any difficulties with paper ballot deployment – and there should not be many – are more than made up for by the potential risks of a compromised system.”
Not everyone agrees. Sanjay Kalra, co-founder and chief product officer at Lacework, told SecurityWeek, “Moving backwards to paper-based systems is not only inefficient, it’s also not materially any more secure. Hackers want to disrupt and steal, which they will do aggressively, irrespective of medium or platform. For those running digital election systems, the vision should be to use a best practices approach along with tools that support awareness and remediation to provide the best protection against bad actors. Those responsible for data protection must always seek to balance efficiency, user experience and security.”
“There’s a compelling case to be made on both sides,” says Abhishek Iyer, technical marketing manager at Demisto. Reverting to paper is supported by the general lack of confidence in the security of DREs and the known voter data leaks. “However,” he adds, “with impending midterm elections, there’s not enough time to execute an end-to-end change and go back to paper-based voting; improper transition could result in voter confusion, error, and inadvertent suppression (since electronic systems are also used to verify voter registration).”
Marilyn Marks disagrees. “There’s no new voting system needed, and no new equipment,” she told SecurityWeek. “They already use paper ballots (for example, for postal votes). They just need to dispense with the touchscreen machines, put paper votes into ballot boxes to be transported to the election office and use the scanners they already have to scan the votes in quantity. All that is needed is more of the same paper ballots – and the printers still have many weeks to do that.”
Ryan Jones, managing principal at Coalfire Labs, didn’t want to comment on any legal aspects between the Coalition for Good Governance and the secretary of state for Georgia. But he did say, “We have assessed not only voting machines, but also the Voluntary Voting System Guidelines standard – by which most voting machines are gauged – as well as the end-to-end gaps in pre-election, election, and post-election processes. We can say with some assurance,” he confirmed, “that machines in their current state, despite having met the VVSG standard, have many technical aspects that can be compromised by a diligent hacker that looks at the hacking challenge across the entire system and process. We have compromised multiple voting systems in a lab setting in as little as two minutes; and as news reports attest, an 11-year-old also recently hacked a voting environment at a security conference.” [DEF CON’s Vote Hacking Village.]
Last word goes to Professor Rich Demillo. “Georgia is the largest state that does not use auditable elections equipment; so, if I were in the attackers' shoes and was looking for a return on investment, this is the kind of state that I would look at -- a state where the races are likely to be tight and where the chance of me being discovered is going to be slim because by design it is impossible to verify after the election that there was a breach.”
It is now up to the court to decide whether well-documented flaws in the existing electronic voting infrastructure combined with the lack of any auditing capability are sufficiently serious to force a last-minute switch back to paper-based voting in the Georgia state midterm elections in November.