When you hear people talking about security around elections, they’re usually talking about voter fraud – which does happen but is vanishingly rare.
But what relatively few people are talking about is the truly astonishing vulnerability of voting machines.
Until DEF CON, the annual white hat hacker conference, rolled around. Now, everyone’s talking about it.
Designed to be hacked
A voting machine is pretty much the same inside as a self-service checkout, a router or a ‘smart’ toaster: it’s a Turing-complete computer, able to run any program that any other computer can run.
Which means it can be told to do one task with lots of attention to detail well.
And which means it can be hacked.
The central problem with computers is that they’re designed to be told what to do. Hackers simply give the machine orders the same way a legitimate user does. Computers – all computers, from wristwatches to supercomputers – are, in a way, designed to be hacked.
When it comes to running an advanced democracy’s election process, you’d hope that some notice had been taken of this. Probably if we use voting machines, they’re impenetrable Fort Knoxes of countermeasures, digital Sherman tanks against which hacking attempts simply rebound like bullets of Superman’s chest.
But what they actually are, you’ll be pleased to hear, is as cheap as possible.Source
Voting machines: easy pickings
Most voting machines in the USA are supplied by a company that used to be called Diebold before it changed its name to Premier in 2006 for strategic reasons. It’s still a major ATM manufacturer, though it’s currently seeking a sale, a state of affairs perhaps not entirely unrelated to investigations into the crappiness of its voting machines. Or perhaps they’re trying to get out ahead of this…
It’s not the first time someone’s suggested that electronic voting machines (EVMs) might not be the best way to run a vote. There have been several accusations that India’s EVMs are rigged to favor the ruling BJP.
But the USA’s voting machines are no more secure.
Back in 2012, a US voting machine was taken out of service after it was caught on video changing a vote for Barack Obama to one for Mitt Romney.
In 2016, American security experts announced that fifteen US states were using voting machines that were seriously insecure and vulnerable to foreign attack. Edward Snowden demo’d a potential attack on a Sequoia AVC Edge voting machine, using a standard memory card to alter both the machine’s memory and the paper trail backup.
They’ve already been attacked
By 2017 it became clear that there had been a foreign attack- Russian efforts to hack voting machines affected 39 states, and in one case there was clear evidence that voting information had been changed.
But we did kind of assume that it was skilled pros doing it., Not, you know, 10-year-olds.
We figured hackers would look like… well, like this:Or at a pinch, like this:
At LA’s DEF CON this week, though, it became clear that your dog could probably hack most voting machines with an electronic typewriter duct-taped to a Tamagochi.
39 kids ranging in ages from 6 to 17 years old were given the task of hacking replica US election results websites. All but four pulled it off within three hours. Granted, these were facsimiles, and granted, the whole exercise has been critiqued as unrealistic. (And granted, if 12 billion votes were cast for ‘Richard Nixon’s Head’ in 2020, we’d probably figure out that something was rotten in Denmark without expert assistance.) And these were election results sites, not voting machines.
We don’t know that’s what the hacker threat looks like. But we don’t know it’s not.
So much for kids and government websites. What about voting machines themselves? Can they be hacked?
Voting machines can be hacked in minutes
In about two minutes, says Rachel Tobac.
No tools, just a couple of minutes.
Hackers at DEF CON got into voting machines, typically in around 90 minutes, and in at least one case wirelessly.
But then, we knew that was possible – they did it last year too.
If you’d like to see it done live, a hacker who was able to get into a voting machine at DEF CON is touring and demonstrating it.
Carsten Shuermann got into a voting machine in just minutes, using the Remote Desktop Protocol for Windows XP – a solid, stable OS, but one that hasn’t been patched since 2014. Once in, he was able to access and change real voting data from the last time the machine had been used in an election.
There’s no way we should be using these things to decide who runs an egg-and-spoon race, let alone a country.
So what should we use? Blockchain has some potential, but the best choice might be the oldest: paper, plus oversight.
(In the short term, they could always try running a decent VPN?)
"A speedy VPN that's very easy to use and covers basic privacy needs well enough"
- Excellent available variety of servers
- Servers are fast and secure
- Offers six connections
- Safe Wi-Fi Protection
- Loads Websites 3 To 5 Times Faster
- No Logging