“It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia.
My response to this is: well, duh.
These security conferences held in Las Vegas typically feature a mix of “black hat” and “white hat” hackers, meeting semi-anonymously in a temporary truce in order to compare notes on the latest vulnerabilities in our electronically enhanced world. This is one of those places where you’d be a fool to bring in a smartphone with WiFi enabled: it would be remotely hacked within minutes.
Electronic voting machines were designed with older technology, for a specific purpose. They display a ballot, record a vote, and tabulate. Slot machines are far more advanced than voting machines (and far more difficult to hack).
The machine that Richards learned how to hack used beneath-the-surface software, known as firmware, designed in 2007. But a number of well-known vulnerabilities in that firmware have developed over the past decade.
Any of these hackers would quickly be able to identify and exploit the vulnerabilities in individual voting machines. But the best protection these machines have is their lack of connectivity. Machines such as the ones Georgia uses print individual tapes and do not connect to a larger network.
That makes it harder for hackers to access the machines. But not impossible.
Taking care to properly “store machines, set them up, [and] always have someone keeping an eye on machines,” [CyberScout consultant Eric Hodge] said, can mitigate a wide array of security problems.
Merely following suggestions such as Hodge’s (he consults with Kentucky’s Board of Elections) might protect the machines in the short run. In the long run, though, a determined hacker (or state-sponsored effort) will eventually beat security; many election workers tend to be older, retired and not so technology-savvy.
Once a vulnerability is found and an exploit is crafted, it could be packaged into the memory cards given to voters, or introduced by specific “voters” to infect the machines. Hackers are very ingenious about these things. Even if only 5 or 10 percent of voting machines in key districts are infected, that can swing an entire election.
Imagine how easy it would be for hackers to defeat an Internet-based election system.
The answer is found in that old saw: a good offense is the best defense. We can’t just dust off election machines a few times a year, use them and pack them away. We must be at least as vigilant as Las Vegas casinos are with their slot machines.
I’m not shocked in the least.