
Analysis | The Cybersecurity 202: Voting machines touted as secure option are actually vulnerable to hacking, study finds

By Joseph Marks

The ImageCast X ballot marking device is displayed at the Sacramento County Department of Voter Registration and Elections on March 5, 2018 in Sacramento, California. (Photo by Justin Sullivan/Getty Images)
New voting machines that hundreds of districts will use for the first time in 2020 don’t have enough safeguards against hacking by Russia and other U.S. adversaries, according to a study out this morning from researchers at the University of Michigan. 
The study marks the first major independent review of the machines called ballot-marking devices, or BMDs, which at least 18 percent of the country's districts will use as their default voting machines in November. The results are a major blow for voting machine companies and election officials, who have touted BMDs as a secure option in the wake of Russia’s 2016 efforts to compromise U.S. election infrastructure.
“The implication of our study is that it’s extremely unsafe [to use BMDs], especially in close elections,” Alex Halderman, a University of Michigan computer science professor and one of seven authors of the study, said in an interview.
People who use BMDs cast their votes using a computer touch screen, but the machine spits out a paper record of those votes. That is usually used to tally the results and can be saved for audits that ensure votes were tallied correctly.
The machines were touted by election officials as a compromise between paperless voting machines, which experts uniformly agree are far too vulnerable to hacking, and hand-marked paper ballots, which serious cybersecurity hawks favor but which can be tougher to tally and are inaccessible for many people with disabilities.
But only a handful of people who vote on BMDs are likely to check that their votes were recorded accurately, the researchers found – meaning that if hackers succeed in altering even a small percentage of electronic votes, they might be able to change the outcome of a close election without being detected. 
“There's been a lot of discussion in the election security community about whether BMD verification works as a defense against hacking, but nobody really had any hard numbers,” Halderman told me. “Now, for the first time, we have an experimental data point and, unfortunately, the results confirm some of our worst fears.”
The findings come as election security groups in Pennsylvania are already suing to block some counties from using a specific brand of BMDs, the ExpressVote XL machines designed by Election Systems & Software, over hacking fears. The same machines also went haywire and called the wrong winner in a Pennsylvania county judge's race in November.
ES&S did not respond to a request for comment about the study.
The researchers list several recommendations for how election officials can use BMDs as safely as possible, but the clear lesson is that voting jurisdictions should switch to hand-marked paper ballots if at all possible, Halderman told me. 
“There are strong security reasons to prefer hand-marked paper ballots,” he said.
The researchers watched 241 people vote on a BMD machine in a simulated election — all of whom had at least one of their votes changed on the printed-out ballot. They found only 40 percent of voters reviewed their ballots at all and only about 7 percent told a poll worker something was wrong. At those rates, it's highly likely that if hackers changed just 1 or 2 percent of votes in a close election, they wouldn't be discovered, they said.
The researchers also tried several methods to get voters to check their ballots for errors, including posting signs and having poll workers urge them to review the ballots — but none of them improved error detection “to the point that BMDs can be used safely in close or small elections,” the researchers found.
Congress, however, has steered clear of mandating that states use specific voting equipment, such as machines with paper ballots, or conduct post-election security audits. Lawmakers have appropriated about $900 million for election security since 2016, including $425 million in December, but none of it has come with any of those specific cybersecurity mandates favored by Democrats.
Yet even most Democrats don’t insist that voters should use hand-marked paper ballots rather than BMDs. Only one major bill, sponsored by Sen. Ron Wyden (D-Ore.), would mandate that hand-marked ballots are the default for voters. That bill also includes $250 million to develop secure BMDs for people with disabilities who cannot use hand-marked paper ballots.
TikTok logos. (Dado Ruvic/Reuters)

PINGED: Vulnerabilities in Chinese social media app TikTok could have allowed hackers to access user account information, such as phone numbers, and to spread videos without users' knowledge or consent, researchers at the cybersecurity firm CheckPoint revealed in a report out this morning.
The findings come as TikTok deals with growing concerns in Washington that its Chinese ownership poses a threat to the safety of American users' data.
“As long as TikTok remains a Chinese company, and therefore subject to compulsory [Chinese Communist Party] data collection requirements, there will be no end to concerns regarding the safety of the sensitive data it is vacuuming up from millions of Americans,” Sen. Tom Cotton (R-Ark.) said in reaction to the findings.
Several branches of the U.S. military recently banned members from using the app, citing security concerns. And its acquisition by parent company ByteDance faces an ongoing investigation by the Treasury Department.
“There has been lots of speculation as to how safe or unsafe is TikTok,” said Checkpoint's lead researcher, Oded Vanunu. “We proved that there were, indeed, serious security issues.”
TikTok patched the vulnerability after researchers notified the company in November. The company didn’t find any evidence that hackers had actually exploited the vulnerability, TikTok Security Team researcher Luke Deshotels said in a statement.

 Sen. Angus King (I-Maine), right. (Drew Angerer/Getty Images)
PATCHED: Congressional leaders of a commission focused on improving national cybersecurity previewed a bevy of possible recommendations yesterday, including beefing up Pentagon cybersecurity audits and creating a special congressional committee focused on cybersecurity, CyberScoop's Shannon Vavra reports. 
The report, set to be released this spring, will also likely include ideas to boost cybersecurity in the private sector, such as pushing insurance companies to offer better rates for companies that follow stricter cybersecurity reporting guidelines, commission co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) said at an event hosted by the Council on Foreign Relations. 
The bipartisan commission also will probably push for the return of the White House cybersecurity coordinator position, which then-national security adviser John Bolton axed in 2018.
“There is near unanimity on the need to get a focal point in the White House to do oversight of the cyber community,” Gallagher said.

The Apple logo is shown atop an Apple store at a shopping mall in California. (Mike Blake/Reuters)
PWNED: The FBI has asked Apple to help it unlock two encrypted iPhones belonging to a gunman who killed three people at a Florida military base last month, Jack Nicas and Katie Benner at the New York Times report. The case could become a new flash point in the years-long dispute between the FBI and the tech industry over special law enforcement access to encrypted data. 
The FBI asked Apple to help it access the devices only after checking with government agencies for another way into them, sources familiar with the investigation told the Times. Apple, meanwhile, said that it had turned over all data in its possession. 
Apple previously refused to help the FBI crack into an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook in 2015, sparking a lengthy legal battle. The new request comes as law enforcement officials are pushing lawmakers to reconsider mandating police access to encryption -- and making Apple a prime target.
Apple’s top global privacy official Jane Horvath defended Apple's position during a panel discussion at the Consumer Electronics Show in Las Vegas yesterday, saying granting police special access to encryption would not make Americans safer, CNBC reported.


— The nonprofit group MITRE, which runs numerous federal research programs, released a game plan yesterday for how energy plants, transportation hubs and other critical infrastructure can protect themselves against cyberattacks. Check it out here.
— The Aspen Tech Policy Hub is partnering with another nonprofit, the Cybercrime Support Network, to develop an online tool that will make it easier for victims to report online fraud to state, local and federal law enforcement. CSN, which has received $1 million in funding from the Department of Homeland Security, will build off a prototype reporting tool developed by Aspen Tech Policy fellows this summer. They say the tool will be easier to use for elderly people who are often victims of online scams.
— More cybersecurity news from the public sector:

Senators on the Homeland Security and Governmental Affairs Committee were set to receive a classified briefing Tuesday on threats from Iran, including the possibility of a retaliatory cyberattack in response to the killing of I
The Hill

In emails and WhatsApp messages, Iranian telecom official tried to recruit US researcher.
Ars Technica

Defacements are typically the work of low-level hackers, but the messages come at a time of intense tension between the U.S. and Iran.

A major veterans group says the Trump administration has been ignoring Russian disinformation campaigns that have been targeting U.S. troops and veterans for nearly two years.


— Cybersecurity news from the private sector:

Privacy experts from Facebook and Apple defended the security and use of consumer data on their platforms, though they said greater protections and public education are needed as technology and regulations evolve.
The Wall Street Journal

Vendors to have 90 days to get patches right, under changes to Google Project Zero's disclosure policy.

Tech giants such as Google and are deploying artificial intelligence to ferret out fraud on their platforms, but some cybercriminals are outfoxing Silicon Valley with software that is getting better at mimicking human behavior.
The Wall Street Journal


— Cybersecurity news from abroad:

Travelex said on Tuesday a ransomware attack led to its systems being taken offline last week and the foreign exchange company does not expect any material financial impact for its United Arab Emirates-based parent company Finablr Plc.

