It’s election season! In less than a month we’ll all have an opportunity to cast our ballots in the national election. As we continue shifting the election system to electronic polling booths, malicious actors have stepped up their attacks. These attacks range from nation-state sponsored hackers to hackers whose mission is socially or politically motivated, i.e. “hacktivists.”

There are two types of electronic polling booths:

  1. Direct Recording Electronic (DRE) voting machines, which are poll booths that record and report votes electronically.
  2. Ballot Marking Devices (BMD), which are systems that process votes electronically and mark them on physical ballots. It’s important to note that BMDs neither maintain or tabulate polls.

Tinkering with a Polling Booth

You may think it’s impossible to legally hack a voting machine. However, the hacking conference DEF CON has hosted a group that allows people to do just that. Since 2017, the Voting Village has allowed security researchers and hobbyists alike an opportunity to tinker with different types of polling booths. The Voting Village summarizes all noteworthy findings in an end-of-conference report publicly available on DEF CON’s media server.

Expensive Machines Are Not Necessarily Secure

The Defense Advanced Research Projects Agency (DARPA) recently established a ten-million-dollar contract with Galois to develop an ‘unhackable’ DRE. For context, the ES&S AutoMARK, a commonly used DRE that is riddled with vulnerabilities, averages around $5,700.

Unfortunately, attackers have not yet been given a full opportunity to attempt to hack into the system due to bugs that rendered Galois’ device inoperable. Although Galois’ 10-million-dollar grant is unheard of, election commissioners can pay tens of thousands of dollars per device for typical DRE and BMD hardware alone. Some of these devices are running decades old operating systems. Commissioners must therefore add on thousands of dollars for software and firmware maintenance. So far, machine costs and maintenance fees have not had a strong correlation to system security.

Not All Vulnerabilities Require a Technical Exploit

Exploiting a polling machine can be much less technical than one might expect. In 2018, DEF CON Voting Village attendees discovered that the administrator password “pasta” used by ES&S AutoMARK DREs was stored in plaintext within the system’s configuration file. Using the administrator password, attendees were able to access system binaries and make changes to the graphics displayed to voters. The ability to change polling graphics could trick voters into casting their ballot for an unintended party.

Additionally, Social Engineer Rachel Tobac demonstrated in 2018 that physically removing the smart card reader unit of a Diebold AccuVote TSx allows a user gain administrative access to the device. This compromise can be obtained without tools in under five steps.

This is just a small sample of successful attacks on voting machines. Some others include:

  • Voting Village attendees discovering the physical lock guarding an ES&S AutoMARK BMD’s drive can be manually lock-picked. This gives the attacker full access to the device’s data storage.
  • Tamper-evident stickers used by voting machines can easily be removed with Teflon knives, plastic razors, or adhesive remover.

Common Vulnerabilities

Researchers have also found voting machines share the same common vulnerabilities as a typical computer. As of June 2019, over 10,000 election districts had polling machines running end-of-life (EOL) operating systems. These operating systems range from Windows XP to Windows 7. When operating systems reach EOL they no longer receive security patches, making them vulnerable to a multitude of exploitations. These publicly available exploits are easily accessible to a malicious actor.

Additional common vulnerabilities include:

  • Denial of Service (DoS) – an attack that renders resources unusable. DoS attacks usually occur through overloading resources.
  • Buffer Overflows – an attack where more data is processed than storage has been allocated for to overwrite adjacent memory. This could allow an attacker to edit parts of a system by overwriting their contents.
  • RAMBleed – an attack that allows malicious actors to read physical memory that belongs to other processes. This could potentially allow an attacker to read cast polls or other critical information stored by the machine.
  • Improper Storage of Sensitive Information – Several polling devices do not store data securely. Discovered issues include storage of plaintext administrative passwords and plaintext encryption keys.
  • Improper Physical Security Controls – Many DREs and BMDs inadequately protect physical hardware. This includes using weak locks that allow easy access to USB ports and storage media on the devices.

It is also important to note that voting machines are disallowed from connecting to the internet. However, ES&S admitted in 2018 that remote access software had been preinstalled on a multitude of poll booths. ES&S also disclosed in 2019 that dozens of systems in at least ten states had internet connectivity ranging for extended periods of time.

Vulnerable Machines Are in Use Today

In the 2020 election:

  • 26 states will offer both BMDs and DRE voting machines (including Washington DC)
  • 21 states will not allow DRE voting machines
  • Only 5 states will solely offer DREs

The high cost of DREs and BMDs have caused some states to utilize known vulnerable machines.

  • The ES&S AutoMARK runs the 2004 operating system Windows CE 5.0 and contains several vulnerabilities. This machine was used in 28 states in the 2018 election.
  • The ES&S ExpressPoll Tablet Electronic Pollbook stores its encryption keys in plain text. This allows an attacker to easily decrypt or spoof the stored voting data. This machine was used in at least four states in 2018.
  • The Diebold AccuVote-TSx is vulnerable to privilege escalation (an attack that allows users to gain unauthorized elevated access) through removal of the card reader. The AccuVote-TSx was used in 18 states in 2018.

One caveat to these discussed vulnerabilities is that currently known attacks are only achievable in person. An attacker must have physical access to the machine to conduct the attack within a very short period as to not arouse suspicion. This greatly increases the difficulty of a successful exploit, especially at polling locations where personnel have been trained to observe voters for suspicious behavior while inside the voting station.

To minimize the chance that your vote is affected if a machine is compromised, observe the electronic polling booth you’ve been assigned for any obvious signs of misuse or wear (for example, Teflon knives may remove the adhesive from tamper seals). If a polling station displays an error or appears to respond erratically, be sure to notify election personnel. Election officials may choose to redirect voters to other voting booths or escalate the issue to someone better equipped to determine the root cause of an incident.

These concerns on the security of our polling machines are just one of many cybersecurity concerns in the world today. Whether you’re looking to strengthen your entire network security program or update your awareness training, our team at LBMC Information Security can help. Feel free to check out our library of resources and podcasts, which provide specific insights you can use to enhance every area of cybersecurity. Connect with our team today to learn more about how we can help develop a security program plan or training framework.