By Dan Patterson CBS News September 19, 2018, 11:52 AM Why voting machines in the U.S. are easy targets for hackers
Campaign 2018: Election Hacking is a weekly series from CBS News & CNET about the cyber-threats and vulnerabilities of the 2018 midterm election. Part 1: Phishing attacks. Part 2: Influence campaigns. Next week: The dark web.
Tens of thousands of voting machines in the United States are vulnerable to hacking.
They have been successfully dismantled and attacked by security researchers for years to demonstrate their flaws. In 2017, at the annual Defcon hackers conference, one tech professor from the University of Copenhagenwas able to penetrate an Advanced Voting Solutions machine in about 90 minutes. The attackers were able to access the administrator mode, allowing them to potentially alter voting data.
At this year's conference, a group of hackers was able to crack one in 15 minutes.
One hacker told CNET: "Should you be trusting your vote with these? I don't think so."
"They're running Windows. They have USB ports. They're actual computers and are very susceptible to attacks," says Cris Thomas, the global strategy lead for IBM's X-Force cybersecurity team.
READ: Homeland Security's tall order: A hacker-free election
Despite the risk of hacking, states continue to rely on digital voting machines. Just this week, a judge ruled that Georgia can continue to use its 16-year-old system this November, though she acknowledged security concerns. "Some of the testimony and evidence presented indicated that the defendants and state election officials had buried their heads in the sand," she wrote.
Georgia's Secretary of State Brian Kemp said in a statement, "As I have said many times over, our state needs a verifiable paper trail, but we cannot make such a dramatic change this election cycle."
According to Cornell University, there are approximately 174,000 precincts and 113,000 polling places in the U.S.
Christopher Famighetti of the Brennan Center for Justice explained that voting systems and computers must comply with state and federal government standards, but due to a lack of funding most run antiquated software and hardware. In a 2016 interview, Famighetti told CBS News, "We found that more than 40 states are using voting machines there that are at least 10 years [old]."
Most U.S. polling places use either optical scan ballots, which read the markings on paper ballot forms, or direct-recording electronic voting machines, that use a touchscreen button. Optical scan ballot machines are vulnerable to hacking — all electronic devices are — but most cybersecurity experts are more concerned with electronic machines.
Voting results are stored on the machine's internal storage. If the voting data is not encrypted or improperly configured, with little effort a bad actor could access the memory and alter the voting results.
The other primary vulnerability is data transmission. In 2016 Symantec Security Response director Kevin Haley told CBS News, "The results go from [the voting machine] into a piece of electronics that takes it to the central counting place. That data is not encrypted and that's vulnerable for manipulation."
READ: New bill would require paper ballots to secure election results
Although individual voting computers are vulnerable, Thomas isn't terribly worried about hacks targeting individual machines, or even an entire district.
"One of the benefits of our system [is] the fact that it's so distributed, it has a very large attack surface. That makes it a little more resilient than if it were one system everywhere," he said.
According to Thomas, a professional hacker, here's what it would take to attack a voting machine: "Someone would get a hold of [an election machine] before election day — buy it on eBay, steal it, buy it legitimately from the manufacturer."
The attacker would have to deconstruct the machine, research both the hardware and software, then figure out where the vulnerabilities are and what attacks might be effective. On or before Election Day, the attacker would need physical access to each machine in order to carry out that attack. If you're lucky, he said, maybe "you could change a few votes."
READ: U.S. officials hope hackers at Defcon find more voting machine problems
At Thomas' local district, where he volunteers, "We have a thousand voters. Maybe 500 show up and [use] two machines …. so if I can attack one machine, at best I can influence 250 votes. And usually there are checks and balances in place, and [the hack attempt] would be caught before it was counted."
The large number of voting devices and jurisdictions "forces an attacker to study and learn the vulnerabilities in each [district] — not only the hardware, but the policies and procedures in that area." That collection "makes it very difficult for an attacker to conduct a widespread attack against a voting [machine]."
It's important to remember, says Thomas, that one of the goals of cyber-attackers targeting voting machines is to cause "fear and doubt and uncertainty" — undermining the American public's trust in the electoral system. The remedy to that, he says, is to remember that "the institutions or organizations that actually run the elections … are your friends or neighbors that work as poll workers. The system itself is already pretty resilient."