Analysis | The Cybersecurity 202: Voting machines touted as secure option are actually vulnerable to hacking, study finds
By Joseph Marks
The ImageCast X ballot marking device is displayed at the Sacramento County Department of Voter Registration and Elections on March 5, 2018 in Sacramento, California. (Photo by Justin Sullivan/Getty Images)
New voting machines that hundreds of districts will use for the first time in 2020 don’t have enough safeguards against hacking by Russia and other U.S. adversaries, according to a study out this morning from researchers at the University of Michigan.
The study marks the first major independent review of the machines called ballot-marking devices, or BMDs, which at least 18 percent of the country's districts will use as their default voting machines in November. The results are a major blow for voting machine companies and election officials, who have touted BMDs as a secure option in the wake of Russia’s 2016 efforts to compromise U.S. election infrastructure.
“The implication of our study is that it’s extremely unsafe [to use BMDs], especially in close elections,” Alex Halderman, a University of Michigan computer science professor and one of seven authors of the study, said in an interview.
People who use BMDs cast their votes using a computer touch screen, but the machine spits out a paper record of those votes. That is usually used to tally the results and can be saved for audits that ensure votes were tallied correctly.
The machines were touted by election officials as a compromise between paperless voting machines, which experts uniformly agree are far too vulnerable to hacking, and hand-marked paper ballots, which serious cybersecurity hawks favor but which can be tougher to tally and are inaccessible for many people with disabilities.
But only a handful of people who vote on BMDs are likely to check that their votes were recorded accurately, the researchers found – meaning that if hackers succeed in altering even a small percentage of electronic votes, they might be able to change the outcome of a close election without being detected.
“There's been a lot of discussion in the election security community about whether BMD verification works as a defense against hacking, but nobody really had any hard numbers,” Halderman told me. “Now, for the first time, we have an experimental data point and, unfortunately, the results confirm some of our worst fears.”
The findings come as election security groups in Pennsylvania are already suing to block some counties from using a specific brand of BMDs, the ExpressVote XL machines designed by Election Systems & Software, over hacking fears. The same machines also went haywire and called the wrong winner in a Pennsylvania county judge's race in November.
ES&S did not respond to a request for comment about the study.
The researchers list several recommendations for how election officials can use BMDs as safely as possible, but the clear lesson is that voting jurisdictions should switch to hand-marked paper ballots if at all possible, Halderman told me.
“There is a strong security reasons to prefer hand-marked paper ballots,” he said.
The researchers watched 241 people vote on a BMD machine in a simulated election — all of whom had at least one of their votes changed on the printed-out ballot. They found only 40 percent of voters reviewed their ballots at all and only about 7 percent told a poll worker something was wrong. At those rates, it's highly likely that if hackers changed just 1 or 2 percent of votes in a close election, they wouldn't be discovered, they said.
The researchers also tried several methods to get voters to check their ballots for errors, including postings signs and having poll workers urge them to review the ballots — but none of them improved error detection “to the point that BMDs can be used safely in close or small elections,” the researchers found.
Congress, however, has steered clear of mandating that states use specific voting equipment, such as machines with paper ballots, or to conduct post-election security audits. Lawmakers have appropriated about $900 million for election security since 2016, including $425 million in December, but none of it has come with any of those specific cybersecurity mandates favored by Democrats.
Yet even most Democrats don’t insist that voters should use use hand-marked paper ballots rather than BMDs. Only one major bill, sponsored by Sen. Ron Wyden (D-Ore.), would mandate that hand-marked ballots are the default for voters. That bill also includes $250 million to develop secure BMDs for people with disabilities who cannot use hand-marked paper ballots.
PINGED, PATCHED, PWNED
Tik Tok logos. (Dado Ruvic/Reuters)
The findings come as TikTok deals with growing concerns in Washington that its Chinese ownership poses a threat to the safety of American users' data.
“As long as TikTok remains a Chinese company, and therefore subject to compulsory [Chinese Communist Party] data collection requirements, there will be no end to concerns regarding the safety of the sensitive data it is vacuuming up from millions of Americans,” Sen. Tom Cotton (R-Ark.) said in reaction to the findings.
Several branches of the U.S. military recently banned members from using the app, citing security concerns. And its acquisition by parent company ByteDance faces an ongoing investigation by the Treasury Department.
“There has been lots of speculation as to how safe or unsafe is TikTok,” said Checkpoint's lead researcher, Oded Vanunu. “We proved that there were, indeed, serious security issues.”
TikTok patched the vulnerability after researchers notified the company in November. The company didn’t find any evidence that hackers had actually exploited the vulnerability, TikTok Security Team researcher Luke Deshotels said in a statement.
Sen. Angus King (I-Maine), right. (Drew Angerer/Getty Images)
The report, set to be released this spring, will also likely include ideas to boost cybersecurity in the private sector, such as pushing insurance companies to offer better rates for companies that follow stricter cybersecurity reporting guidelines, commission co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) said at an event hosted by the Council on Foreign Relations.
The bipartisan commission also will probably push for the return of the White House cybersecurity coordinator position, which then-national security adviser John Bolton axed in 2018.
“There is near unanimity on the need to get a focal point in the White House to do oversight of the cyber community,” Gallagher said.
The Apple logo is shown atop an Apple store at a shopping mall in California. (Mike Blake/Reuters)
The FBI asked Apple to help it access the devices only after checking with government agencies for another way into them, sources familiar with the investigation told the Times. Apple, meanwhile, said that it had turned over all data in its possession.
Apple previously refused to help the FBI crack into an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook in 2015, sparking a lengthy legal battle. The new request comes as law enforcement officials are pushing lawmakers to reconsider mandating police access to encryption -- and making Apple a prime target.
Apple’s top global privacy official Jane Horvath defended Apple's position during a panel discussion at the Consumer Electronics Show in Las Vegas yesterday, saying granting police special access to encryption would not make Americans safer, CNBC reported.
PUBLIC KEY— The nonprofit group MITRE, which runs numerous federal research programs, released a game plan yesterday for how energy plants, transportation hubs and other critical infrastructure can protect themselves against cyberattacks. Check it out here.
— The Aspen Tech Policy Hub is partnering with another nonprofit, the Cybercrime Support Network, to develop an online tool that will make it easier for victims to report online fraud to state, local and federal law enforcement. CSN, which has received $1 million in funding from the Department of Homeland Security, will build off a prototype reporting tool developed by Aspen Tech Policy fellows this summer. They say the tool will be easier to use for elderly people who are often victims of online scams.
— More cybersecurity news from the public sector: